System32 Folder Pop-up on start of Windows and IE [RESOLVED]


  • This topic is locked

#1
Meetloaf13
  • Member
  • 27 posts
OK, first off, this computer has some major issues. When I first got my hands on it, I ran Ad-Aware SE and deleted upwards of 800 files/entries. I also installed Symantec AntiVirus and got rid of (quarantined) 5 viruses...virii. Yesterday, I ran the virus scan and quarantined another...some kind of Java installer and trojan. And then I installed the new Microsoft AntiSpyware and cleaned a bunch more junk yet again. So here's my log file; if you can help me clean the registry and get this window to stop popping up, that would be wunderbar! Here she is!...she is loaded with garbage. Thanks! Oh yes, typically I use Mozilla Firefox, not IE; I find it helps quell the entourage of adware.

Logfile of HijackThis v1.99.1
Scan saved at 5:39:58 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A70F8123-9E66-AA0C-ACEC-CD69B6D68D4F} - C:\WINDOWS\system32\buvyzaod.dll
O2 - BHO: (no name) - {DACCA194-E9FE-B59B-EB96-A96CC5761937} - C:\WINDOWS\system32\ltiwxqso.dll
O2 - BHO: cnt Class - {E10959A2-8862-4582-973A-05BDAF4E0FE9} - C:\WINDOWS\System32\ctcnt1.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKLM\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKLM\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKLM\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKLM\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKLM\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKLM\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKLM\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKLM\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKLM\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKLM\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKLM\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKLM\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKLM\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKLM\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKCU\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKCU\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKCU\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKCU\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKCU\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKCU\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKCU\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKCU\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKCU\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKCU\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKCU\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Meetloaf13, 11 June 2005 - 03:57 PM.

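Added example (not part of the original post, and not a HijackThis feature): a small Python triage script for the O2 (BHO) and O4 (Run key) lines of a log like the one above. It parses each line and flags the patterns visible in this log: an unnamed BHO whose DLL has a random-looking eight-letter name, a loader sitting directly in the Program Files root, and Run values whose names are fragments of an HTML page rather than a launch command. The sample lines are constructed from entries in the log above; the heuristics and thresholds are this example's own assumptions, not HijackThis rules, so a hit means "review this entry", not "delete it".

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis v1.99 line format, modelled on the log posted above:
# two entries that belong to installed software (Adobe, Synaptics) and the kinds of
# entries the helper later asked to have removed.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A70F8123-9E66-AA0C-ACEC-CD69B6D68D4F} - C:\WINDOWS\system32\buvyzaod.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [<title>tool4ame.com</ti] c:\WINDOWS\System32\<title>tool4ame.com</title>
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>.*?)\] (?P<cmd>.*)$")
# First token of the command if it names a program file (quoted or not, with or without arguments).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|dll|scr|pif|bat|cmd))"?(?=\s|$)', re.IGNORECASE)
# HTML tags, "var x", or "obj.method(" inside a Run value: web-page text, not a launch command.
MARKUP_RE = re.compile(r"<[!/A-Za-z]|\bvar\s+\w+|\w\.\w+\(")
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # heuristic (assumption): 8 random lowercase letters
PROGRAM_ROOTS = {r"c:\program files"}        # heuristic (assumption): real installers use a subfolder


def _path_problems(path: str) -> List[str]:
    parts = path.split("\\")
    # An empty component or one starting with a space (as in "System32\ TOOL4AME.COM")
    # means the value never pointed at a real file.
    if any(p == "" or p[0].isspace() for p in parts[1:]):
        return ["malformed path component"]
    return []


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one O2 or O4 line; return kind/target/reasons, or None for other line types."""
    m = BHO_RE.match(line)
    if m:
        path = m.group("path")
        stem = path.split("\\")[-1].rsplit(".", 1)[0].lower()
        reasons = []
        if m.group("name") == "(no name)":
            reasons.append("BHO registered without a name")
        if RANDOM_STEM_RE.match(stem):
            reasons.append("random-looking 8-letter file name")
        reasons += _path_problems(path)
        return {"kind": "BHO", "target": path, "reasons": reasons, "line": line}

    m = RUN_RE.match(line)
    if m:
        value, cmd = m.group("value"), m.group("cmd")
        reasons = []
        if MARKUP_RE.search(value) or MARKUP_RE.search(cmd):
            reasons.append("HTML/script fragment stored as a Run value")
        em = EXE_RE.match(cmd)
        if not em:
            reasons.append("command does not point at an executable")
            return {"kind": "Run", "target": cmd, "reasons": reasons, "line": line}
        target = em.group("exe")
        reasons += _path_problems(target)
        parent = "\\".join(target.split("\\")[:-1]).lower()
        if parent in PROGRAM_ROOTS:
            reasons.append("executable sits directly in a program root folder")
        return {"kind": "Run", "target": target, "reasons": reasons, "line": line}
    return None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        entry = triage_line(raw.strip())
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['kind']:3} {e['target']}\n    {'; '.join(e['reasons'])}")
```

Run it as a script to print the flagged entries, or import `triage` and feed it a saved log. Entries that pass are not necessarily clean: a BHO with a plausible name and path still has to be checked against what is actually installed on the machine.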



#2
Guest_thatman_*
  • Guest
Hi Meetloaf13

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download the Ewido trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Download CW-Shredder at the link below:
CWShredder

Please download sphjfix. Save it to your desktop; don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Run sphjfix.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box and delete all the files in that folder.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove.

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\system32\buvyzaod.dll
C:\WINDOWS\system32\ltiwxqso.dll
C:\WINDOWS\System32\ctcnt1.dll
C:\Program Files\syslaunch.exe
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HJT. We will need them to remove previous infections that have left files on your system.

Kc
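Added example (not part of the post, and not Killbox's own code): Windows carries out "delete on reboot" requests through the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, a REG_MULTI_SZ list of source/destination pairs in which an empty destination means "delete the source". That is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes; this example assumes Killbox's "Delete a file on reboot" uses the same mechanism. The Python below decodes such a value and checks that the four paths listed in the instructions above are actually queued before the machine is allowed to reboot. The sample value is constructed inside the block (the rename entry uses made-up file names); on Windows the script reads the live value instead.

```python
import sys
from typing import Dict, List

# Where Windows keeps deletions/renames queued until the next boot.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# The four files the helper asked to have deleted on reboot (paths taken from the post).
FILES_TO_DELETE = [
    r"C:\WINDOWS\system32\buvyzaod.dll",
    r"C:\WINDOWS\system32\ltiwxqso.dll",
    r"C:\WINDOWS\System32\ctcnt1.dll",
    r"C:\Program Files\syslaunch.exe",
]


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Empty strings are kept: they mark deletions."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # drop only the list terminator
    return text.split("\0")[:-1]  # last element is the empty tail after the final entry's NUL


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(strings: List[str]) -> List[Dict[str, object]]:
    """Turn the flat source/destination list into one record per queued operation."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace_existing = dst.startswith("!")   # '!' prefix = MOVEFILE_REPLACE_EXISTING
        ops.append({
            "op": "delete" if dst == "" else "rename",
            "source": _strip_nt_prefix(src),
            "destination": _strip_nt_prefix(dst.lstrip("!")),
            "replace_existing": replace_existing,
        })
    return ops


def missing_deletions(strings: List[str], expected: List[str]) -> List[str]:
    """Paths from `expected` that are NOT queued for deletion (case-insensitive compare)."""
    queued = {op["source"].lower() for op in parse_pending_ops(strings) if op["op"] == "delete"}
    return [p for p in expected if p.lower() not in queued]


# Constructed sample value: the four deletions above plus one installer-style rename
# (the rename's file names are made up for this example).
SAMPLE_STRINGS = [s for p in FILES_TO_DELETE for s in ("\\??\\" + p, "")] + [
    "\\??\\C:\\WINDOWS\\Temp\\new_example.dll",
    "!\\??\\C:\\WINDOWS\\system32\\old_example.dll",
]
SAMPLE_BLOB = encode_multi_sz(SAMPLE_STRINGS)


def read_pending_ops() -> List[str]:
    """On Windows read the live value; elsewhere fall back to the constructed sample."""
    if sys.platform != "win32":
        return decode_multi_sz(SAMPLE_BLOB)
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
            return list(value)   # winreg returns REG_MULTI_SZ as a list of str
    except FileNotFoundError:
        return []                # nothing queued


if __name__ == "__main__":
    strings = read_pending_ops()
    for op in parse_pending_ops(strings):
        tail = f" -> {op['destination']}" if op["op"] == "rename" else ""
        print(f"{op['op']:6} {op['source']}{tail}")
    print("not queued:", missing_deletions(strings, FILES_TO_DELETE) or "none")
```

The check is worth doing because a queued deletion is silent: nothing confirms it until after the reboot, and a file that was never queued (a typo in the path, or a reboot answered "Yes" too early) simply survives. The same parser also shows anything else that is queued, which is where some malware re-installs itself.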

#3
Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4
admin
  • Founder Geek
  • Administrator
  • 24,504 posts
Opened per Meetloaf13's PM request.

#5
Meetloaf13
  • Topic Starter
  • Member
  • 27 posts
Thank you tons for re-opening the post. Here's all of the logs you requested; I am even including the latest HijackThis log as well (...in case it changed at all). I noticed that the system32 folder still pops up at Windows startup. I hope we can get this all resolved! Thanks

SPSeHjFix Log:

(7/9/05 1:26:53 AM) SPSeHjFix started v1.1.2
(7/9/05 1:26:53 AM) OS: WinXP Service Pack 2 (5.1.2600)
(7/9/05 1:26:53 AM) Language: english
(7/9/05 1:26:53 AM) Win-Path: C:\WINDOWS
(7/9/05 1:26:53 AM) System-Path: C:\WINDOWS\system32
(7/9/05 1:26:53 AM) Temp-Path: C:\DOCUME~1\Whitney\LOCALS~1\Temp\


(7/9/05 4:09:21 AM) SPSeHjFix started v1.1.2
(7/9/05 4:09:21 AM) OS: WinXP Service Pack 2 (5.1.2600)
(7/9/05 4:09:21 AM) Language: english
(7/9/05 4:09:21 AM) Win-Path: C:\WINDOWS
(7/9/05 4:09:21 AM) System-Path: C:\WINDOWS\system32
(7/9/05 4:09:21 AM) Temp-Path: C:\DOCUME~1\Whitney\LOCALS~1\Temp\
(7/9/05 4:09:31 AM) Disinfection started
(7/9/05 4:09:31 AM) Bad-Dll(IEP): (not found)
(7/9/05 4:09:31 AM) Bad-Dll(IEP) in BHO: (not found)
(7/9/05 4:09:31 AM) UBF: 8 - UBB: 3 - UBR: 92
(7/9/05 4:09:31 AM) UBF: 8 - UBB: 3 - UBR: 92
(7/9/05 4:09:31 AM) Bad IE-pages: (none)
(7/9/05 4:09:31 AM) Stealth-String not found
(7/9/05 4:09:31 AM) Not infected->END

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:07:13 AM, 7/9/2005
+ Report-Checksum: 9706AF94

+ Scan result:

HKLM\SOFTWARE\Classes\AdultBar.AdultBar -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultBar.AdultBar\CLSID -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultBar.AdultBar\CurVer -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch\CLSID -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\AdultSearch.AdultSearch\CurVer -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1740E1C8-2504-4472-A458-4B6C31A26F5E} -> Spyware.EzSearchBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07} -> Spyware.NavExcel : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-2284095636-2942888322-2251389636-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} -> Spyware.NavExcel : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.251:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.252:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.289:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.414:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.446:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.464:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.465:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.467:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.518:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.519:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.552:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.568:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.569:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.591:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.592:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.626:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.627:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.628:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.629:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.630:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.658:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.661:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.684:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.693:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.694:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.695:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.696:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.697:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.725:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.742:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.774:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.775:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.776:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.777:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.786:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.805:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.818:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.831:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
:mozilla.868:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.869:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.870:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.872:C:\Documents and Settings\Whitney\Application Data\Mozilla\Firefox\Profiles\au474r7g.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Whitney\Cookies\whitney@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\DrTemp\thin-140-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\msg5.tmp10691932235808.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\msgB.tmp10693657463153.exe -> TrojanDownloader.IstBar.co : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\msgC.tmp10693657461909.exe -> TrojanDownloader.IstBar.co : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\msgD.tmp10693657475749.exe -> TrojanDownloader.IstBar.co : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\navapp.exe -> Spyware.NavExcel : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\NHelper.dll -> Spyware.NavExcel : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\NHUninstaller.exe -> Spyware.NavExcel : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\v2.0.4d.cab/NHelper.dll -> Spyware.NavExcel : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\v2.0.4d.cab/NHUninstaller.exe -> Spyware.NavExcel : Cleaned with backup
C:\Documents and Settings\Whitney\Local Settings\Temp\temp.fr5A16\NavHelper\v2.0.4d\v2.0.4d.cab/navapp.exe -> Spyware.NavExcel : Cleaned with backup
C:\Program Files\LimeShop\LimeShop.exe -> Spyware.TopMoxie : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\4353A7D8-AB1F-44D5-8E2D-C66A93 -> Spyware.NavExcel : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\F570100E-E3A5-4B50-A987-BDD89D/NHUpdater.exe -> Spyware.NavExcel : Cleaned with backup
C:\WINDOWS\ccc.exe -> TrojanDownloader.MlFree : Cleaned with backup
C:\WINDOWS\SYSTEM32\ltiwxqso.dll -> Trojan.Golid.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\test3a.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\ttil_sbc.exe -> Adware.eZula : Cleaned with backup


::Report End

********************************************************************

PANDA SCAN LOG

Incident Status Location

Spyware:Spyware/AdClicker No disinfected Windows Registry
Adware:Adware/TalkStocks No disinfected C:\WINDOWS\system32\mstbl.ocx
Adware:Adware/PowerScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected c:\documents and settings\whitney\favorites\Health
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\a.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\u.class
Adware:Adware/NavHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\3B30285C-D298-4548-9E45-42A49F
Adware:Adware/NavHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\6E10E78E-0684-4611-AE42-15F185
Adware:Adware/TalkStocks No disinfected C:\WINDOWS\SYSTEM32\mstbl.ocx
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl
Adware:Adware/Iagold No disinfected C:\WINDOWS\SYSTEM32\rgwhwxfv.dll
Virus:Trj/Downloader.CYQ Disinfected C:\WINDOWS\SYSTEM32\rsd.exe
Adware:Adware/Iagold No disinfected C:\WINDOWS\SYSTEM32\usvzuaus.dll

**********************************************************************

And last but not least, HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:35 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A70F8123-9E66-AA0C-ACEC-CD69B6D68D4F} - C:\WINDOWS\system32\buvyzaod.dll (file missing)
O2 - BHO: (no name) - {DACCA194-E9FE-B59B-EB96-A96CC5761937} - C:\WINDOWS\system32\ltiwxqso.dll (file missing)
O2 - BHO: cnt Class - {E10959A2-8862-4582-973A-05BDAF4E0FE9} - C:\WINDOWS\System32\ctcnt1.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKLM\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKLM\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKLM\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKLM\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKLM\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKLM\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKLM\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKLM\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKLM\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKLM\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKLM\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKLM\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame s

#6
Guest_thatman_* (Guest)
Hi Meetloaf13

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {A70F8123-9E66-AA0C-ACEC-CD69B6D68D4F} - C:\WINDOWS\system32\buvyzaod.dll (file missing)
O2 - BHO: (no name) - {DACCA194-E9FE-B59B-EB96-A96CC5761937} - C:\WINDOWS\system32\ltiwxqso.dll (file missing)
O2 - BHO: cnt Class - {E10959A2-8862-4582-973A-05BDAF4E0FE9} - C:\WINDOWS\System32\ctcnt1.dll (file missing)
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\syslaunch.exe<--Delete this folder
C:\WINDOWS\system32\mstbl.ocx<--Delete this folder
c:\documents and settings\whitney\favorites\Health<--Delete this folder
C:\Program Files\LimeShop<--Delete this folder
C:\WINDOWS\SYSTEM32\mstbl.ocx<--Delete this folder
C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl<--Delete this folder
C:\WINDOWS\SYSTEM32\rgwhwxfv.dll<--Delete this folder
C:\WINDOWS\SYSTEM32\rsd.exe<--Delete this folder
C:\WINDOWS\SYSTEM32\usvzuaus.dll<--Delete this folder

Let the system reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#7
Meetloaf13 (Topic Starter, Member, 27 posts)
Hello friend... I have completed the tasks... a few things to report; here's some info in case it helps. I still get the System32 window popping up at start. When I tried to delete syslaunch.exe in the Program Files folder, I found that it wasn't there, and neither were the rgwhwxfv.dll and the rsd.exe in the system32 folder. I searched my hard drive for each of these files and they were not there... yes, I have it set to see all files, even hidden files and folders. Anyhow, here are the logs.

PANDA:

Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/p2pnetworking No disinfected HKEY_CLASSES_ROOT\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}
Spyware:spyware/altnet No disinfected HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}
Adware:Adware/NavHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\3B30285C-D298-4548-9E45-42A49F
Adware:Adware/NavHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\6E10E78E-0684-4611-AE42-15F185


HIJACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 5:37:01 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKLM\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKLM\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKLM\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKLM\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKLM\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKLM\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKLM\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKLM\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKLM\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKLM\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKLM\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKLM\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKCU\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKCU\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKCU\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKCU\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKCU\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKCU\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKCU\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKCU\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKCU\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKCU\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKCU\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F942E047-DF68-4145-B0AE-E23AC2145F2F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Whitney\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


There you are, thanks for your HELP! Let me know what I need to do next. Until next time...
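The System32 window the topic starter keeps seeing is what Windows does with a Run value whose data is a bare folder path, like the `[] c:\WINDOWS\System32\` entry in the log above: Explorer opens the folder at logon. The `<title>`, `<frame>` and `var strTemp;` entries are a web page that was written into the Run key one line at a time. As an added example, not code from this thread or from HijackThis, the Python below parses the O4 lines of a HijackThis log and flags both shapes; the sample log is a constructed subset of lines quoted in this thread.

```python
"""Flag suspicious autorun (O4) entries in a HijackThis log.

Added example for this thread; not code from the thread or from HijackThis.
HijackThis prints one O4 line per value under the Run keys of HKLM/HKCU.
Two shapes are flagged here:
  * a value whose data is just a directory (c:\\WINDOWS\\System32\\): Windows
    "runs" the folder at logon, so Explorer opens it;
  * values whose name or data are fragments of HTML/JavaScript, i.e. a web
    page written into the Run key line by line.
"""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command" -- the name is whatever sits between the
# first "[" and the first "] ".
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>.*?)\] (?P<cmd>.*)$'
)
# HTML tags/comments and the JavaScript fragments seen in the log.
MARKUP_RE = re.compile(r'<[A-Za-z!/]|\bvar\s+\w+;|\w+\.location\.')
# A drive-letter path whose last component ends in "\" and is followed by
# whitespace or end of line: a folder, not an executable.
DIR_RE = re.compile(r'^"?[A-Za-z]:\\(?:[^\\"<>]+\\)*"?(?:\s|$)')

EMPTY_NAME = 'empty value name'
MARKUP = 'HTML/JavaScript fragment in autorun entry'
DIRECTORY = 'command is a directory, not a program'


@dataclass(frozen=True)
class Finding:
    line_no: int
    hive: str
    name: str
    command: str
    reasons: tuple


def audit_o4_entries(log_text: str) -> list:
    """Return a Finding for every O4 Run entry that matches a suspicious shape."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = O4_RE.match(line)
        if m is None:  # other sections, "Global Startup" lines and process lists are skipped
            continue
        name, cmd = m['name'], m['cmd']
        reasons = []
        if not name.strip():
            reasons.append(EMPTY_NAME)
        if MARKUP_RE.search(name) or MARKUP_RE.search(cmd):
            reasons.append(MARKUP)
        if DIR_RE.match(cmd):
            reasons.append(DIRECTORY)
        if reasons:
            findings.append(Finding(line_no, m['hive'], name, cmd, tuple(reasons)))
    return findings


# Constructed sample: a handful of O4 lines copied from the logs in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
"""


def main() -> None:
    for f in audit_o4_entries(SAMPLE_LOG):
        print(f"line {f.line_no} {f.hive} [{f.name!r}] -> {'; '.join(f.reasons)}")


if __name__ == '__main__':
    main()
```

Run against a full log it reports the garbage entries only; the legitimate ccApp, gcasServ and ctfmon lines pass.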

#8
Guest_thatman_* (Guest)
Hi Meetloaf13

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\LimeShop\System<--Delete the whole folder
C:\WINDOWS\INF\biini.inf<--Delete this file
C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\3B30285C-D298-4548-9E45-42A49F
C:\Program Files\Microsoft AntiSpyware\Quarantine\1A546AF5-E082-4BEE-B821-F8CB65\6E10E78E-0684-4611-AE42-15F185
Exit Explorer.

Open regedit and delete the following values only:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST<--Delete this value only
HKEY_CLASSES_ROOT\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}<--Delete this value only
HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}<--Delete this value only

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#9
Meetloaf13 (Topic Starter, Member, 27 posts)
Here are the new logs. Still have System32 popping up, and the LimeShop folder had already been deleted from the step before. The Bandrest entry is back, I think. Here you go:

Panda:


Incident Status Location

Adware:adware/powerscan No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:45:11 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKLM\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKLM\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKLM\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKLM\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKLM\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKLM\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKLM\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKLM\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKLM\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKLM\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKLM\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKLM\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKCU\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKCU\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKCU\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKCU\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKCU\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKCU\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKCU\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKCU\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKCU\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKCU\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKCU\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F942E047-DF68-4145-B0AE-E23AC2145F2F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Whitney\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 Guest_thatman_*
Hi Meetloaf13

Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

You need to tell me what you need to keep from the O4 items in your Hijackthis.log.

Kc

#11 Meetloaf13 (Topic Starter)
Here's the Silent Runners script:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"var strT" = "c:\WINDOWS\System32\var strTemp;" [null data]
"<h" = "c:\WINDOWS\System32\<head>" [file not found]
"<meta http-equiv="Content-Type" content="text/html; charset=iso-8859" = "c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">" [file not found]
"<title>Off Campus Telecommunications Internet Signup</ti" = "c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>" [file not found]
"<style type="text/c" = "c:\WINDOWS\System32\<style type="text/css">" [file not found]
" <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>" = "c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>" [file not found]
" <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen" = "c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>" [file not found]
" <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr" = "c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...207"></script>" [file not found]
"top.location.replace(strTe" = "c:\WINDOWS\System32\top.location.replace(strTemp);" [null data]
" <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen" = "c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>" [file not found]
" <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr" = "c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...208"></script>" [file not found]
" TOOL4AME" = "c:\WINDOWS\System32\ TOOL4AME.COM" [file not found]
"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//" = "c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">" [file not found]
" <h" = "c:\WINDOWS\System32\ <head>" [file not found]
" <title>tool4ame.com</ti" = "c:\WINDOWS\System32\ <title>tool4ame.com</title>" [file not found]
" <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7" = "c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">" [file not found]
" <meta name="CODE_LANGUAGE" Content="" = "c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">" [file not found]
" <meta name="vs_defaultClientScript" content="JavaScri" = "c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">" [file not found]
" <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i" = "c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...llisense/ie5">" [file not found]
" <nofra" = "c:\WINDOWS\System32\ <noframes>" [file not found]
" <b" = "c:\WINDOWS\System32\ <body>" [file not found]
" <a href='www1.eta.us/default.aspx?a=tool4ame.c" = "c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>" [file not found]
" </b" = "c:\WINDOWS\System32\ </body>" [file not found]
" </nofra" = "c:\WINDOWS\System32\ </noframes>" [file not found]
" </h" = "c:\WINDOWS\System32\ </head>" [file not found]
" <frameset rows=" = "c:\WINDOWS\System32\ <frameset rows="*">" [file not found]
" <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p" = "c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>" [file not found]
" </frame" = "c:\WINDOWS\System32\ </frameset>" [file not found]
" <!-- #15" = "c:\WINDOWS\System32\ <!-- #15 -->" [file not found]
"</h" = "c:\WINDOWS\System32\</head>" [file not found]
"<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859" = "c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">" [file not found]
"<frame src="http://landing.domai...&adultfilter=o" = "c:\WINDOWS\System32\<frame src="http://landing.domai...ltfilter=off">" [file not found]
"</frame" = "c:\WINDOWS\System32\</frameset>" [file not found]
"<nofra" = "c:\WINDOWS\System32\<noframes>" [file not found]
"<body bgcolor="#ffffff" text="#0000" = "c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">" [file not found]
"<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<" = "c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>." [file not found]
"</b" = "c:\WINDOWS\System32\</body>" [file not found]
"</nofra" = "c:\WINDOWS\System32\</noframes>" [file not found]
"(Default)" = "c:\WINDOWS\System32\" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [null data]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"DadApp" = "C:\Program Files\Dell\AccessDirect\dadapp.exe" [null data]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"(Default)" = "c:\WINDOWS\System32\" [file not found]
"<meta http-equiv="Content-Type" content="text/html; charset=iso-8859" = "c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">" [file not found]
"<title>Off Campus Telecommunications Internet Signup</ti" = "c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>" [file not found]
"<style type="text/c" = "c:\WINDOWS\System32\<style type="text/css">" [file not found]
" " = "c:\WINDOWS\System32\ <!--" [file not found]
" <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>" = "c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>" [file not found]
" <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen" = "c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>" [file not found]
" <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr" = "c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...207"></script>" [file not found]
"var strT" = "c:\WINDOWS\System32\var strTemp;" [null data]
"top.location.replace(strTe" = "c:\WINDOWS\System32\top.location.replace(strTemp);" [null data]
" <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen" = "c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>" [file not found]
" <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr" = "c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...208"></script>" [file not found]
" TOOL4AME" = "c:\WINDOWS\System32\ TOOL4AME.COM" [file not found]
"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//" = "c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">" [file not found]
" <title>tool4ame.com</ti" = "c:\WINDOWS\System32\ <title>tool4ame.com</title>" [file not found]
" <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7" = "c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">" [file not found]
" <meta name="CODE_LANGUAGE" Content="" = "c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">" [file not found]
" <meta name="vs_defaultClientScript" content="JavaScri" = "c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">" [file not found]
" <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i" = "c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...llisense/ie5">" [file not found]
" <nofra" = "c:\WINDOWS\System32\ <noframes>" [file not found]
" <b" = "c:\WINDOWS\System32\ <body>" [file not found]
" <a href='www1.eta.us/default.aspx?a=tool4ame.c" = "c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>" [file not found]
" </b" = "c:\WINDOWS\System32\ </body>" [file not found]
" </nofra" = "c:\WINDOWS\System32\ </noframes>" [file not found]
" <frameset rows=" = "c:\WINDOWS\System32\ <frameset rows="*">" [file not found]
" <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p" = "c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>" [file not found]
" </frame" = "c:\WINDOWS\System32\ </frameset>" [file not found]
" <!-- #15" = "c:\WINDOWS\System32\ <!-- #15 -->" [file not found]
"<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859" = "c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">" [file not found]
"<frame src="http://landing.domai...&adultfilter=o" = "c:\WINDOWS\System32\<frame src="http://landing.domai...ltfilter=off">" [file not found]
"</frame" = "c:\WINDOWS\System32\</frameset>" [file not found]
"<nofra" = "c:\WINDOWS\System32\<noframes>" [file not found]
"<body bgcolor="#ffffff" text="#0000" = "c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">" [file not found]
"<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<" = "c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>." [file not found]
"</b" = "c:\WINDOWS\System32\</body>" [file not found]
"</nofra" = "c:\WINDOWS\System32\</noframes>" [file not found]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"<h" = "c:\WINDOWS\System32\<head>" [file not found]
"</h" = "c:\WINDOWS\System32\</head>" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ {++}
EXECUTION UNLIKELY: "Registrando Panda ActiveX" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll" [MS]
EXECUTION UNLIKELY: "Registrando Panda Almacen" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll" [MS]
EXECUTION UNLIKELY: "Registering ActiveScan controles" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\ascontrol.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "6 Months of AOL Included"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\B4FM.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Whitney\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Startup items in "Whitney" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Wireless-B Notebook Adapter Utility" -> shortcut to: "C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe" ["Cisco-Linksys, LLC."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 72 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 159 seconds)


...and to my knowledge I need the following O4 items...I suspect the rest are all garbage:

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe



There they are...now I am no genius, but all the other stuff looks like garbage. I am sure you'll let me know if anything I want to keep is bunk or if anything I don't want to keep isn't. Also, if there are any toolbars or IE strings that don't NEED to be on my system we can get rid of those, like old tool bar value. IE is only used on this PC when it has to be, I run Firefox. Anywho, thanks a million.
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Meetloaf13

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <!--
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKLM\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKLM\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKLM\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKLM\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKLM\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKLM\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKLM\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKLM\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKLM\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKLM\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKLM\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKLM\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKLM\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKLM\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKLM\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKCU\..\Run: [<style type="text/c] c:\WINDOWS\System32\<style type="text/css">
O4 - HKCU\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies home recording dvds&chnl=1&t=r&pb=1207">hobbies home recording dvds</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1207"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1207"></script>
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=hobbies jewelry making&chnl=1&t=r&pb=1208">hobbies jewelry making</a></font></center>
O4 - HKCU\..\Run: [ <script id="kmpScript" src="http://ads.kmpads.co...at=1208"></scr] c:\WINDOWS\System32\ <script id="kmpScript" src="http://ads.kmpads.co...1208"></script>
O4 - HKCU\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
O4 - HKCU\..\Run: [ <h] c:\WINDOWS\System32\ <head>
O4 - HKCU\..\Run: [ <title>tool4ame.com</ti] c:\WINDOWS\System32\ <title>tool4ame.com</title>
O4 - HKCU\..\Run: [ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7] c:\WINDOWS\System32\ <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
O4 - HKCU\..\Run: [ <meta name="CODE_LANGUAGE" Content="] c:\WINDOWS\System32\ <meta name="CODE_LANGUAGE" Content="C#">
O4 - HKCU\..\Run: [ <meta name="vs_defaultClientScript" content="JavaScri] c:\WINDOWS\System32\ <meta name="vs_defaultClientScript" content="JavaScript">
O4 - HKCU\..\Run: [ <meta name="vs_targetSchema" content="http://schemas.micro...intellisense/i] c:\WINDOWS\System32\ <meta name="vs_targetSchema" content="http://schemas.micro...ellisense/ie5">
O4 - HKCU\..\Run: [ <nofra] c:\WINDOWS\System32\ <noframes>
O4 - HKCU\..\Run: [ <b] c:\WINDOWS\System32\ <body>
O4 - HKCU\..\Run: [ <a href='www1.eta.us/default.aspx?a=tool4ame.c] c:\WINDOWS\System32\ <a href='www1.eta.us/default.aspx?a=tool4ame.com'>
O4 - HKCU\..\Run: [ </b] c:\WINDOWS\System32\ </body>
O4 - HKCU\..\Run: [ </nofra] c:\WINDOWS\System32\ </noframes>
O4 - HKCU\..\Run: [ </h] c:\WINDOWS\System32\ </head>
O4 - HKCU\..\Run: [ <frameset rows=] c:\WINDOWS\System32\ <frameset rows="*">
O4 - HKCU\..\Run: [ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=p] c:\WINDOWS\System32\ <frame src='http://www1.eta.us/default.aspx?a=tool4ame.com&ref=*&rs=&doc=php'>
O4 - HKCU\..\Run: [ </frame] c:\WINDOWS\System32\ </frameset>
O4 - HKCU\..\Run: [ <!-- #15] c:\WINDOWS\System32\ <!-- #15 -->
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
c:\WINDOWS\System32\var strTemp;
c:\WINDOWS\System32\top.location.replace(strTemp);

Exit Explorer.

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#13
Meetloaf13

Meetloaf13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hello!

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:14 AM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F942E047-DF68-4145-B0AE-E23AC2145F2F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{19895DA8-FB11-4989-9546-A5B15534DBEF}: NameServer = 192.168.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Whitney\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



PANDA log:


Incident Status Location

Adware:adware/powerscan No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST


Here they are...everything is working great! No more window popping up! Thanks again.
  • 0

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Meetloaf13

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Open regedit and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Service: CWShredder Service - Unknown owner
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.


Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Whitney\Desktop\CWShredder.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
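The helper's two replies above (posts #12 and #14) sort the HijackThis log by hand: O4 Run entries whose value names are HTML and JavaScript fragments pointing into System32 get fixed, and an O23 service whose binary is "(file missing)" with an unknown owner gets disabled and removed. As an added example, not code from this thread or from HijackThis itself, the Python script below applies the same reasoning mechanically to O4 and O23 lines. The sample lines are copied from the logs posted in this thread; the regular expressions, the list of executable extensions and the heuristics are assumptions of this example, not HijackThis's own parser, and the checks generalise to any O4 Run/Startup entry and any O23 service line rather than only the entries named in the replies.

```python
import re
from dataclasses import dataclass

# Constructed sample input for this example: a few O4 and O23 lines copied
# from the HijackThis logs posted in this thread. The Symantec, Dell, ctfmon,
# AIM and Linksys entries are the ones the poster wanted to keep; the
# System32 entries are the junk the helper asked to fix, and the CWShredder
# service is the orphaned entry from the second reply.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<title>Off Campus Telecommunications Internet Signup</ti] c:\WINDOWS\System32\<title>Off Campus Telecommunications Internet Signup</title>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [ TOOL4AME] c:\WINDOWS\System32\ TOOL4AME.COM
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Whitney\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# O4 entries from a registry Run key: "O4 - HKLM\..\Run: [value name] command"
# (assumed line shape, based on the log lines posted in this thread)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.*)$")
# O4 entries from a Startup folder: "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# O23 entries: "O23 - Service: display name - owner - binary path"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# A Run value should launch something: look for an executable extension
# (assumed list of extensions for this example)
EXE_RE = re.compile(r"\.(?:exe|com|scr|pif|bat|cmd|vbs|js|dll)(?=[\"\s]|$)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def check_autostart(name: str, cmd: str) -> list:
    """Heuristics for an O4 entry: a real autostart has a sensible value name
    and a command that points at an executable file."""
    reasons = []
    if name.strip() == "":
        reasons.append("empty value name")
    elif name != name.strip():
        reasons.append("value name has leading/trailing whitespace")
    if re.search(r"[<>|]", name + cmd):
        reasons.append("HTML/script characters in an autostart entry")
    if not EXE_RE.search(cmd):
        reasons.append("command does not reference an executable")
    if re.search(r"\\\s", cmd):
        reasons.append("path component begins with whitespace")
    return reasons


def check_service(owner: str, cmd: str) -> list:
    """Heuristics for an O23 entry: an installed service should have a vendor
    and its binary should still exist on disk."""
    reasons = []
    if "(file missing)" in cmd:
        reasons.append("service binary is missing from disk (orphaned service)")
    if owner.strip().lower() == "unknown owner":
        reasons.append("no vendor information for the service")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one check;
    lines from other HijackThis sections are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            reasons = check_autostart(m.group("name"), m.group("cmd"))
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            reasons = check_service(m.group("owner"), m.group("cmd"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:70])
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script flags exactly the four System32 junk entries and the CWShredder service and leaves the Symantec, Dell, ctfmon, AIM and Linksys entries alone. The heuristics are deliberately conservative: they only say why an entry looks wrong (no executable target, HTML characters, whitespace in a path component, a service whose binary is gone), and the decision to fix an entry still rests with the person reading the log, as it did in this thread.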

#15
Guest_thatman_*

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





