Welcome to Geeks to Go - Register now for FREE

Still getting slower and slower after cleaning [RESOLVED]


  • This topic is locked

#1
thomasdqt

Hi GTG expert:

My friend sent me his computer to clean after hearing that I am cleaning mine. And his problem is not as easy as mine! Please help.

Actually, I have worked on this computer for two days and still have no luck yet.

I have loaded and scanned the computer with all of the software recommended by your website. Norton Anti-Virus is loaded, but its LiveUpdate said it failed. So, I manually installed the most current definition file from symantec.com and scanned and cleaned the virus. But the problems keep coming back.

Waiting for your help. Please don't let me die :tazz:

I very much appreciate your help.



The following is the HJT log file content:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:25:29 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A19BC2E-3C4F-4454-A2C8-A2D2A55AD957} - C:\WINDOWS\system32\klchba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5499AE64-CDA5-8C48-BD87-CCEA2018466E} - C:\WINDOWS\System32\inscdm\bkjiahpykd.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Szep85ln.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [tYfa] C:\documents and settings\owner\local settings\temp\tYfa.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
O4 - HKLM\..\Run: [e661564b0523] C:\WINDOWS\System32\catsrvps.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [oFrW3EW] jav1_qc.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [mjclutg] c:\windows\system32\zdgodkq.exe
O4 - HKLM\..\Run: [clgntfys] C:\WINDOWS\System32\clgntfys.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gfkhkfx] c:\windows\system32\qnsblp.exe r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Zo06ROa7g] cc3hept.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#2
Guest_thatman_*

Hi thomasdqt

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Download and unzip cwsserviceremove to your desktop. Use either link below:
cwsserviceremove
cwsserviceremove.zip

Download CW-Shredder at the link below:
CWShredder

Please download sphjfix. Save it to your desktop; don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Run sphjfix.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {2A19BC2E-3C4F-4454-A2C8-A2D2A55AD957} - C:\WINDOWS\system32\klchba.dll (file missing)
O2 - BHO: (no name) - {5499AE64-CDA5-8C48-BD87-CCEA2018466E} - C:\WINDOWS\System32\inscdm\bkjiahpykd.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Szep85ln.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [tYfa] C:\documents and settings\owner\local settings\temp\tYfa.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [e661564b0523] C:\WINDOWS\System32\catsrvps.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [oFrW3EW] jav1_qc.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [mjclutg] c:\windows\system32\zdgodkq.exe
O4 - HKLM\..\Run: [clgntfys] C:\WINDOWS\System32\clgntfys.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gfkhkfx] c:\windows\system32\qnsblp.exe r
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Zo06ROa7g] cc3hept.exe

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove.

Double-click on cwsserviceremove and, when asked to merge, say yes.

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\Szep85ln.exe
C:\WINDOWS\System32\IEHost.exe
C:\documents and settings\owner\local settings\temp\tYfa.exe
C:\WINDOWS\system32\ E6F1873B.DLL,D9EBC318C
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\system32\D0CE0C16B1,D0CE0C16B1
C:\WINDOWS\System32\catsrvps.exe
C:\WINDOWS\system32\msmc.exe
C:\WINDOWS\system32\jav1_qc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
c:\windows\system32\zdgodkq.exe
C:\WINDOWS\System32\clgntfys.exe
c:\windows\system32\qnsblp.exe r
C:\PROGRA~1\CLOCKS~1\Sync.exe /q
C:\WINDOWS\system32\cc3hept.exe
C:\WINDOWS\System32\exp

Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and the HJT log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
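As an added illustration (not code from this thread, from HijackThis, or from the helper above), here is a small Python triage script that parses HijackThis-format lines and flags the same kinds of entries thatman picked out of the log: BHO/autorun entries whose file is gone, blanked IE search settings, a removed URLSearchHook, autoruns launched from a Temp folder, rundll32 loading an unpathed DLL, and Run values named with bare hex/GUID strings. The sample lines are constructed from entries like those in the posted log, and the heuristics are assumptions that surface candidates for review, not a verdict.

```python
import os
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the entries in
# the log posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A19BC2E-3C4F-4454-A2C8-A2D2A55AD957} - C:\WINDOWS\system32\klchba.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tYfa] C:\documents and settings\owner\local settings\temp\tYfa.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Zo06ROa7g] cc3hept.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
"""

# "(no file)" / "(file missing)" suffix: a registry entry whose target is gone.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
# O4 autorun line: hive, value name in [...], then the command that is launched.
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value names that are only hex digits or a GUID, as several malicious O4 entries were.
HEXNAME_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{8,}|"
    r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})$"
)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_line(line: str) -> list:
    """Return the review reasons for one HJT line (empty list = nothing flagged)."""
    reasons = []
    line = line.rstrip()
    if line[:2] in ("O2", "O3", "O4", "O9") and MISSING_RE.search(line):
        reasons.append("entry points at a file that no longer exists")
    if line[:2] in ("R0", "R1") and line.endswith(("= about:blank", "=")):
        reasons.append("IE start/search setting blanked (common hijack residue)")
    if line.startswith("R3") and "is missing" in line:
        reasons.append("default URLSearchHook removed")
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if TEMP_RE.search(cmd):
            reasons.append("autorun launches from a Temp folder")
        if HEXNAME_RE.match(name):
            reasons.append("autorun value name is a bare hex/GUID string")
        if cmd.lower().startswith("rundll32.exe") and "\\" not in cmd:
            reasons.append("rundll32 loads a DLL given without a path")
        elif "\\" not in cmd:
            # Unpathed executable: normal for vendor tools whose value name matches
            # the file name (VTTimer -> VTTimer.exe); worth a look when it does not.
            parts = cmd.split()
            if parts:
                exe = parts[0].strip('"')
                if os.path.splitext(exe)[0].lower() != name.lower():
                    reasons.append("unpathed executable whose name does not match the value name")
    return reasons


def triage_log(text: str) -> list:
    """Return [(line, reasons)] for every non-empty line that raised at least one reason."""
    flagged = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Anything the script flags still needs a human to confirm, exactly as the helper did above: a vendor tool with an odd value name (AlcxMonitor -> ALCXMNTR.EXE) will trip the last heuristic, and a malicious entry with a clean-looking name and a full path will not trip any of them.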

#3
thomasdqt

4:00pm EST, 6/25/05.
I forgot the Ewido report. I just edited this message instead of posting a new one. Please see the last one. I hope it's not confusing. Thanks.

Hi Thatman,

I very much appreciate your help. Sorry it took so long to post. I couldn't do what you said in one go and smoothly, but did finish after a couple of tries.

Well, it took more than 8 hrs scanning and cleaning in total. I had cleaned the computer per your instructions until it reached the online scanning step---Panda Software. Then some viruses and spyware came back again---that was what Norton Anti-Virus reported this morning. Not only did Panda take extremely long hours, it also reported 400k files scanned, much more than the 150k files reported by Ad-Aware & Norton Anti-Virus. Which one told the truth, Panda or Ad-Aware & Norton? Do I have to scan the computer with Ewido and HJT now?

Anyway, the Panda report is as follows, followed by the HJT report:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Bargain Buddy
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer
Adware:Adware/MemoryWatcher No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\sporder_.dll
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/Startpage.CCM No disinfected C:\WINDOWS\win32.dat
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/SideSearch No disinfected Windows Registry
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\Searchx.htm
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.in?
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
Virus:Trj/Spabot.E Disinfected Operating system
Adware:Adware/Novo No disinfected Windows Registry
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
Adware:Adware/IEDriver No disinfected C:\Documents and Settings\Owner\Favorites\Get out of Debt!.url
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/TopMoxie No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B000DE-50E3-4245-9615-4D9C4C\F5C67A4A-BF6A-41B6-A64D-4DBFB7
Adware:Adware/TopMoxie No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B000DE-50E3-4245-9615-4D9C4C\FAE9408F-D854-4631-9743-64BB9B
Adware:Adware/TopMoxie No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B000DE-50E3-4245-9615-4D9C4C\FE6B8E1D-6AE8-479E-8411-A8FF24
Adware:Adware/MoeMoney No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B000DE-50E3-4245-9615-4D9C4C\FE9B24D7-A558-4D67-933B-7336F5
Adware:Adware/TopMoxie No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B000DE-50E3-4245-9615-4D9C4C\FFBBD974-FEB8-4EB6-B34E-62A3DF
Adware:Adware/WebHancer No disinfected C:\Program Files\SpyKiller\,mnk\whAgent.inf
Adware:Adware/SAHAgent No disinfected C:\Program Files\SpyKiller\,mnk\xmlparse_.dll
Adware:Adware/SAHAgent No disinfected C:\Program Files\SpyKiller\,mnk\xmltok_.dll
Virus:Trj/Downloader.BZD Disinfected C:\WINDOWS\Downloaded Program Files\roing17.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\sporder_.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\datastore.dll
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\Searchx.htm
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\sub.dll
Spyware:Spyware/ShopNav No disinfected C:\WINDOWS\unist2.exe
Adware:Adware/Startpage.CCM No disinfected C:\WINDOWS\win32.dat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~







The following is the HJT report:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:14:44 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A19BC2E-3C4F-4454-A2C8-A2D2A55AD957} - C:\WINDOWS\system32\klchba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5499AE64-CDA5-8C48-BD87-CCEA2018466E} - C:\WINDOWS\System32\inscdm\bkjiahpykd.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Szep85ln.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [tYfa] C:\documents and settings\owner\local settings\temp\tYfa.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
O4 - HKLM\..\Run: [e661564b0523] C:\WINDOWS\System32\catsrvps.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [oFrW3EW] jav1_qc.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [mjclutg] c:\windows\system32\zdgodkq.exe
O4 - HKLM\..\Run: [clgntfys] C:\WINDOWS\System32\clgntfys.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gfkhkfx] c:\windows\system32\qnsblp.exe r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Zo06ROa7g] cc3hept.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Again, heartily appreciate your help and your time.

Now, what am I supposed to do next?



Continued:

Well, I forgot to post the ewido report. Here comes the report:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:49:18 AM, 6/24/2005
+ Report-Checksum: DF6415C7

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 94234
+ Speed: 14.99 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Program Files\SpyKiller\,mnk\Bargain Buddy\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Program Files\SpyKiller\,mnk\WT\wtupdates\wtwebdriver\files\3.3.0.002\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\Program Files\SpyKiller\,mnk\WT\wtupdates\wtwebdriver\files\3.3.0.002\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\Program Files\SpyKiller\,mnk\WT\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\Program Files\SpyKiller\,mnk\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\setup.exe -> TrojanDropper.Siboco.a -> Cleaned with backup
C:\WINDOWS\system32\inscdm\bkjiahpykd.exe -> Spyware.SmartPops -> Cleaned with backup
C:\WINDOWS\system32\msdioo.exe -> Trojan.Small.i -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.0.002\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.0.002\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet.f -> Cleaned with backup


::Report End
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by thomasdqt, 25 June 2005 - 01:57 PM.

  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi thomasdqt

You have the Peper trojan.
Download the Peperfix Tool and save it to your Desktop.
Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.

When completed, start the fix below. Thank you.

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {2A19BC2E-3C4F-4454-A2C8-A2D2A55AD957} - C:\WINDOWS\system32\klchba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5499AE64-CDA5-8C48-BD87-CCEA2018466E} - C:\WINDOWS\System32\inscdm\bkjiahpykd.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Szep85ln.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [tYfa] C:\documents and settings\owner\local settings\temp\tYfa.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [e661564b0523] C:\WINDOWS\System32\catsrvps.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [oFrW3EW] jav1_qc.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [mjclutg] c:\windows\system32\zdgodkq.exe
O4 - HKLM\..\Run: [clgntfys] C:\WINDOWS\System32\clgntfys.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Zo06ROa7g] cc3hept.exe

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Microsoft AntiSpyware\Quarantine\<--Delete all items in the Quarantined area
C:\Program Files\Bargain Buddy<--Delete the whole folder
C:\Program Files\MySearch<--Delete the whole folder
C:\Program Files\Internet Optimizer<--Delete the whole folder
C:\Program Files\Aprps<--Delete the whole folder
C:\Program Files\SpyKiller<--Delete the whole folder
C:\WINDOWS\System32\Szep85ln.exe<--Delete this file
C:\WINDOWS\System32\IEHost.exe<--Delete this file
C:\documents and settings\owner\local settings\temp\tYfa.exe<--Delete this file
rundll32.exe E6F1873B.DLL,D9EBC318C<--Delete this file. Do not delete c:\windows\system32\rundll32.exe
C:\WINDOWS\System32\nsvsvc<--Delete the whole folder
C:\PROGRA~1\CLOCKS~1<--Delete the whole folder
jav1_qc.exe<--Delete this file
cc3hept.exe

Exit Explorer. Reboot as normal.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run Killbox and click the radio button that says Delete a file on reboot. Paste the files one at a time into the Full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\win32.dat
C:\WINDOWS\system32\Searchx.htm
C:\WINDOWS\inf\alchem.in?
C:\WINDOWS\system32\stlb2.xml
C:\Program Files\Common Files\remove_tools.html
C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
C:\Documents and Settings\Owner\Favorites\Get out of Debt!.url
C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
C:\WINDOWS\Downloaded Program Files\roing17.INF
C:\WINDOWS\Downloaded Program Files\sporder_.dll
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\sepsd.bin
C:\WINDOWS\system32\datastore.dll
C:\WINDOWS\system32\Searchx.htm
C:\WINDOWS\system32\stlb2.xml
C:\WINDOWS\system32\sub.dll
C:\WINDOWS\unist2.exe
C:\WINDOWS\win32.dat
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\catsrvps.exe
C:\WINDOWS\system32\msmc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Loader.EXE
c:\windows\system32\zdgodkq.exe
C:\WINDOWS\System32\clgntfys.exe
C:\WINDOWS\System32\exp

Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
thomasdqt

thomasdqt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi thatman,

Have downloaded the Peperfix Tool and run it twice. Both said "No Peper files were detected."

What else can I use, and shall I continue to the next step in your instructions?

Waiting for your instruction.

Thanks,

Thomas
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi thomasdqt

Yes please continue with the rest of the fix.

Kc :tazz:
  • 0

#7
thomasdqt

thomasdqt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi thatman,

Thank you for your instruction.

Here is the Panda report followed by the HJT report:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Incident Status Location

Adware:Adware/IPInsight No disinfected C:\!Submit\alchem.inf
Adware:Adware/DelFinMedia No disinfected C:\!Submit\remove_tools.html
Spyware:Spyware/ShopNav No disinfected C:\!Submit\unist2.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\sporder_.dll
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



HJT report:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 7:59:22 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Heartily appreciate your help and time.

Thomas

Edited by thomasdqt, 27 June 2005 - 06:05 AM.

  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi thomasdqt

How is the system running now? What problems have you still got?

C:\!Submit\<--This folder is created by Killbox; when we have cleaned your system we will delete the folder.

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. Paste the file's one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\documents and settings\owner\local settings\temp\0Smtqan.exe
C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
C:\WINDOWS\Downloaded Program Files\sporder_.dll

Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
thomasdqt

thomasdqt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Yes, thatman,

Have deleted 4x R1 + 2x O4 with HJT. When running Killbox, it said the files did not exist. And Panda detected 3 infected files right in the first minute, exactly the same as last time.

What and where are those 3 infected files?

Now, the Panda is scanning; will then Trendmicro.

BTW, the computer runs, thanks to your help, much, much, much smoother than before --- no popups at all! :tazz: Brought it in to my office to use our LAN. But its web browsing is noticeably slower than my workstation (OS: Win 2000). Is it because of its Win XP Home?

Sincerely appreciate your help like always.

Thomas


Add-on:

Now Panda says 4 infected detected, the same as last time. I guess there won't be more than 4.

Edited by thomasdqt, 27 June 2005 - 08:16 AM.

  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi thomasdqt

Is this what Panda is finding: C:\!Submit\alchem.inf

Can I have a new HJT.log, just to make sure?

Kc :tazz:
  • 0

#11
thomasdqt

thomasdqt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Yes, thatman,

Here is the HJT report generated right before those 4x R1 + 2x O4 were deleted:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:25:42 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you.

Thomas

#12
Guest_thatman_*

Hi thomasdqt

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\!Submit <-- delete the whole folder
Exit Explorer.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run Killbox and click the radio button that says Delete a file on reboot. Paste the files one at a time into the "full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\documents and settings\owner\local settings\temp\0Smtqan.exe
C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe

Let the system reboot.

Please post the HJT.log

Kc :tazz:
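The triage behind the instructions in this post, written up as an added Python example (not part of this thread, and not code from HijackThis or Killbox): it reads HJT-style log lines, flags O4 Run entries that launch from a temp directory (the two entries above) and entries marked "(file missing)" (which are fixed in HJT, with nothing to delete on disk), and prints the full paths to paste into Killbox one per line. The sample lines are constructed from the log posted in this thread, and the temp-directory heuristic and the regexes are assumptions of mine, not HJT's own rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few HijackThis lines modelled on the log posted in this
# thread, not the full log. A real run would read HJT.log from disk instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [0Smtqan] C:\documents and settings\owner\local settings\temp\0Smtqan.exe
O4 - HKLM\..\Run: [ikHCC7u7x] C:\documents and settings\owner\local settings\temp\ikHCC7u7x.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""

# Scratch directories a legitimate autostart has no business living in
# (covers "...\Local Settings\Temp\" and "...\WINDOWS\Temp\"). Assumed heuristic.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# The program a Run value launches: either a quoted path, or an unquoted path
# read up to the first executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|pif))(?:\s|$)', re.IGNORECASE
)


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O4" or "O9"
    name: str      # Run value name, or the rest of the line for orphan entries
    path: str      # full path to hand to Killbox ("" when there is nothing on disk)
    reason: str


def run_target(cmd: str) -> Optional[str]:
    """Return the executable a Run-key command launches, or None if unparseable."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def triage(log_text: str) -> List[Finding]:
    """Flag autostarts launched from a temp directory and orphaned (file missing) entries."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("(file missing)"):
            # Orphan entry: fix it in HJT, nothing to delete on disk.
            section, _, rest = line.partition(" - ")
            findings.append(Finding(section, rest, "", "file missing"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        target = run_target(m.group("cmd"))
        if target and is_temp_path(target):
            findings.append(Finding("O4", m.group("name"), target, "autostart from temp directory"))
    return findings


def killbox_paths(findings: List[Finding]) -> List[str]:
    """Full paths to paste into Killbox's 'Delete a file on reboot' box, one per line."""
    return [f.path for f in findings if f.path]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] -> {f.reason}")
    print("\n".join(killbox_paths(triage(SAMPLE_LOG))))
```

A path that Killbox reports as not existing leaves only the registry value to deal with, which is why the O4 lines are still ticked in HJT even when the file itself is already gone.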

#13
thomasdqt

Ok, thatman,

I'm to do what you said right now.

Meanwhile, I am posting the HJT report created minutes ago:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Incident                     Status           Location
Adware:Adware/IPInsight      No disinfected   C:\!Submit\alchem.inf
Adware:Adware/DelFinMedia    No disinfected   C:\!Submit\remove_tools.html
Spyware:Spyware/ShopNav      No disinfected   C:\!Submit\unist2.exe
Adware:Adware/SAHAgent       No disinfected   C:\WINDOWS\Downloaded Program Files\sporder_.dll
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thanks,
Thomas

#14
thomasdqt

Hi thatman,

Did what you instructed in your last message.
Please see the following HJT report, generated after the two O4 and two O9 items were deleted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 10:58:12 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



How does that one look, clean now?

BTW, haven't executed the Trendmicro yet.

Let me do it now.



appreciate your help. :tazz:

Thomas


Add-on:

The 0Smtqan.exe and ikHCC7u7x.exe files could not be found by Killbox. So, they have already been deleted?

Edited by thomasdqt, 27 June 2005 - 09:15 AM.


#15
Guest_thatman_*

Hi thomasdqt

Your HJT.log was clean, very clean.

Will wait for the Trend scan.

Let me know.

Kc :tazz: