Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan.desktophijack and related [resolved]


  • This topic is locked This topic is locked

#16
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK. Thank you so much. I'm definitely making a donation when this is all done. Here is my latest Hijack This log for reference:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:56 AM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis.exe

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [imouovf] c:\windows\system32\imouovf.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejna32.exe
O4 - HKLM\..\Run: [tF6Q3nX] imgrssk.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hswnfc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Kaqqsp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrzanp.exe reg_run
O4 - HKLM\..\RunOnce: [LUSETUP-LT] C:\PROGRA~1\Symantec\LIVEUP~1\LUSETU~1.EXE -s -a -q -log
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ndac.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.globolook...m::/dropper.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lsdiorw - Logiciels & Services Duhem, Paris, France - C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

Advertisements


#17
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's clean up first. There's still a lot of work to be done.

Download panda's trial version.
Register to be able to use the trail. Run this on the infected machine and then post the results of the scan.
  • 0

#18
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK. Here is the panda log. After reboot, still just a blue screen w/o icons, start button, etc. However it seemed to fix a lot of stuff - hopefully we're on the good path.....pls advise on next steps

-G

Panda Titanium Antivirus 2005 incident report


EVENT DATE RESULTS ADDITIONAL INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 07/12/05 17:01:55 Scan: All My Computer
Virus detected: Trj/Qoologic.D 07/12/05 17:01:53 Disinfected Location: C:\WINDOWS\system32\zpxbgrz.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:50 Disinfected Location: C:\WINDOWS\system32\weird.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:46 Eliminated Location: C:\WINDOWS\system32\urkvn.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:41 Disinfected Location: C:\WINDOWS\system32\uci.exe
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:39 Disinfected Location: C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:31 Eliminated Location: C:\WINDOWS\system32\pquyv.dat
Adware detected: Adware/DownloadWare 07/12/05 17:00:46 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.exe
Adware detected: Adware/Novo 07/12/05 17:00:43 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.dll
Virus detected: Trj/Clicker.FV 07/12/05 17:00:34 Disinfected Location: C:\WINDOWS\system\ugmgoe.exe
Spyware detected: Spyware/BetterInet 07/12/05 17:00:33 Eliminated Location: C:\WINDOWS\system\QBUninstaller.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:16 Eliminated Location: c:\windows\system32\rkaump.exe
Adware detected: Adware/BookedSpace 07/12/05 17:00:10 Eliminated Location: C:\WINDOWS\ldzpgsif.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:04 Eliminated Location: c:\windows\system32\rekcuir.dll
Virus detected: W32/Smitfraud.A 07/12/05 16:58:57 Disinfected Location: C:\RECYCLER\S-1-5-21-825722390-3549862705-862503612-500\Dc1.dll
Virus detected: Trj/Qoologic.F 07/12/05 16:58:11 Disinfected Location: c:\windows\system32\pcmqd.dll
Adware detected: Adware/EliteBar 07/12/05 16:57:56 Eliminated Location: C:\Program Files\sdf.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\CasStub\casstub.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\Cas\Client\Uninstall.exe
Virus detected: Trj/Downloader.BJG 07/12/05 16:48:03 Disinfected Location: c:\windows\system32\leisureboxinst_ppi1a.exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:47:42 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:47:36 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:47:31 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\trk_0009[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:47:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\pcs_0009[1].exe
Virus detected: Trj/Multidropper.AOT 07/12/05 16:47:20 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\dropper[1].chm
Adware detected: Adware/Look2Me 07/12/05 16:47:13 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\Q7WFEH61\nsh_118[1].exe
Adware detected: Adware/TopConvert 07/12/05 16:47:00 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\website[1].ocx
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:54 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\marketing32[1].htm
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[1][Content]
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[2]
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM[track9.htm]
Adware detected: Adware/Look2Me 07/12/05 16:46:46 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\nsh_115[1].exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:41 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\marketing32[1].htm
Virus detected: Exploit/Mhtredir.gen 07/12/05 16:46:34 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\CA85WX4J.HTM
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM[track6.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:46:19 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:46:09 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\trk_0006[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:46:03 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\pcs_0006[1].exe
Adware detected: Adware/EasySearch 07/12/05 16:45:58 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\index[1].chm[index.exe]
Spyware detected: Spyware/Media-motor 07/12/05 16:45:57 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\diamond[1].cab
Adware detected: Adware/Pacimedia 07/12/05 16:45:51 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\trk_0009[1].exe
Virus detected: Exploit/URLSpoof 07/12/05 16:45:51 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\%68%70[4]
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM[track9.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM
Spyware detected: Spyware/BargainBuddy 07/12/05 16:45:44 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\marketing32[1].htm
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.dll]
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.inf]
Spyware detected: Spyware/SafeSurf 07/12/05 16:45:21 Eliminated Location: c:\windows\system32\installerv3.exe
Virus detected: W32/Smitfraud.A 07/12/05 16:41:40 Disinfected Location: C:\Documents and Settings\Administrator\My Documents\wininet.OLD
Spyware detected: Cookie/Zedo 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@zedo[1].txt
Spyware detected: Cookie/Adserver 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@z1.adserver[1].txt
Spyware detected: Cookie/YieldManager 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@ad.yieldmanager[2].txt
Spyware detected: Cookie/adultfriendfinder 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@adultfriendfinder[1].txt
Spyware detected: Cookie/Azjmp 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@azjmp[2].txt
Spyware detected: Cookie/Enhance 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@c.enhance[1].txt
Spyware detected: Cookie/Belnk 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@dist.belnk[2].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@overture[1].txt
Spyware detected: Cookie/Paypopup 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@paypopup[1].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@perf.overture[1].txt
Spyware detected: Cookie/SpyLog 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@spylog[1].txt
Spyware detected: Cookie/QuestionMarket 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@questionmarket[1].txt
Adware detected: Adware/PsGuard 07/12/05 16:41:22 Eliminated Location: C:\Documents and Settings\Sean\Application Data\PSGuard.com
Adware detected: Adware/BigTrafficNet 07/12/05 16:41:16 Eliminated Location: C:\WINDOWS\System32\nsi4C.dll
Adware detected: Adware/Novo 07/12/05 16:41:07 Eliminated Location: Windows Registry
Adware detected: Adware/XmlLib 07/12/05 16:41:03 Eliminated Location: Windows Registry
Adware detected: Adware/BlueScreenWarning 07/12/05 16:40:56 Eliminated Location: Windows Registry
Scan started 07/12/05 16:39:48 Scan: All My Computer
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:33:59 Eliminated Location: c:\windows\system32\dist001.exe
Adware detected: Adware/DealHelper 07/12/05 16:31:44 Eliminated Location: c:\windows\system32\chdboo.exe
Virus detected: Trj/Qoologic.E 07/12/05 16:30:54 Disinfected Location: c:\windows\system32\bcaqomb.exe
Adware detected: Adware/Look2Me 07/12/05 16:29:55 Eliminated Location: c:\windows\system32\adlinstallwin32.exe
Adware detected: Adware/Hotoffers 07/12/05 16:26:51 Eliminated Location: c:\windows\system32\guninst.exe
Update 07/12/05 16:26:13 OK New virus signatures: 7581
  • 0

#19
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's first clean whatever else is there. Then we'll try to get a grip on that wininet infection.

I'm not gonna ask for another log. I made this advise based on the 'old' log. So some items may already be gone due to the steps we just did. Just move on to the next if you cannot find something. Do as much as you can and let me know how this went.

Go to start - run
Copy and paste the coloured line:
regsvr32 /u C:\WINDOWS\cfgmgr52.dll
press OK.
Grant permission to add it to the Registry. Wait for the 'merge succesfull'.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
VirtualBouncer
Media Pass
POP!
Windows AFA Internet Enhancement
AdDestroyer
Apropos Media
Elitebar
Shop At Home
TopConverting
BullsEye
CashBack
NaviSearch

Press ‘delete this entry’. Don't worry if one or more are not there. We'll take them on another way.
Close HijackThis.

***

Download LQfiz by Miekemoes.
Unzip it to your desktop.
Don't use it yet.

***

Please download the Killbox.
Unzip it to the desktop.
Don't use it yet.

***

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Run LQfix.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)

O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

O4 - HKLM\..\Run: [imouovf] c:\windows\system32\imouovf.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejna32.exe

O4 - HKLM\..\Run: [tF6Q3nX] imgrssk.exe

O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hswnfc.exe

O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Kaqqsp.exe

O4 - Global Startup: ndac.exe

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.globolook...m::/dropper.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Use Windows Explorer to remove these folders (if present):
C:\Program Files\VBouncer\
C:\Program Files\Media Access\
C:\Program Files\AutoUpdate\
C:\Program Files\WeirdOnTheWeb\
Close Windows Explorer.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\VCMnet11.exe
c:\windows\system32\imouovf.exe
C:\windows\system32\elitejna32.exe
c:\windows\system32\imgrssk.exe
C:\WINDOWS\System32\Hswnfc.exe
C:\WINDOWS\System32\Kaqqsp.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndac.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

Make sure to reboot back to safe mode.

***

Run Ewido:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your machine to normal mode.
Post back a new HJT log and the ewido.txt log file you saved.
  • 0

#20
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK. Completed the instructions you provided. As you mentioned, certain items were not there. Here are the HJT and ewido logs. Still have the blue screen w/ no icons, etc etc.

Thanks
-G

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:03:44 AM, 7/14/2005
+ Report-Checksum: 671236EC

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@ads.x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@mt.valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@premiumnetworkrocks.valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP546\A0059752.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP546\A0059768.exe -> TrojanDownloader.Qoologic.v : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0059793.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0060795.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0060807.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061771.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061772.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061773.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061788.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061789.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061792.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061796.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061797.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061798.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061803.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061809.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061810.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061814.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061815.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061816.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061817.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061818.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061819.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061820.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061821.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061822.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061823.dll -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061824.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061825.EXE -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061826.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061827.EXE -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061837.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061838.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061839.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061848.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061850.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061851.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061856.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061857.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061858.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061870.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061877.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061878.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061879.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061892.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP547\A0061920.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062048.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062058.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062059.exe -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062060.exe -> TrojanDownloader.VB.hg : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062061.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062062.EXE -> TrojanDropper.Small.yd : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062063.exe -> Trojan.Agent.ct : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062064.dll -> TrojanDownloader.Small.atc : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062065.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062066.dll -> TrojanDownloader.Small.atc : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062067.exe -> Spyware.AdBox : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062077.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062078.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062082.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062083.dll -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062085.dll -> TrojanDownloader.Agent.le : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062099.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062108.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062160.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062169.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062174.EXE -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062177.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062178.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062179.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062180.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062184.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062274.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062276.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062277.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062281.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062286.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062287.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062291.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062295.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062299.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0062300.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP548\A0063363.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063639.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063672.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063673.exe -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063674.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063675.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063676.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063677.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063678.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063679.exe -> Spyware.Serpo : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063680.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063681.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063682.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063683.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063686.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063694.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063696.exe -> TrojanDownloader.Qoologic.q : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063698.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063699.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063707.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063708.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063709.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063710.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063711.dll -> Spyware.Serpo : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063712.dll -> TrojanDownloader.WarSpy.e : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063731.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063739.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063746.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063748.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063749.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063750.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063752.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063753.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063754.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063756.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063757.dll -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063758.exe -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063759.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063760.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063761.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063762.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP549\A0063763.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
C:\WINDOWS\dload.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\win32res.exe -> Trojan.Agent.fl : Cleaned with backup


::Report End
----------------


Logfile of HijackThis v1.99.1
Scan saved at 11:21:30 AM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AVE122001_CD.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lsdiorw - Logiciels & Services Duhem, Paris, France - C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#21
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Weldone so far. Let's make sure there's nothing to interfere with cleaning the bigest problem.

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Please download Pfind by Grinler.

Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard here in your reply.
  • 0

#22
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK, done. Thanks for the words of encouragement. Here is winpfind results:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
abetterinternet.com C:\WINDOWS\abiuninst.htm
abetterinternet.com C:\WINDOWS\janvk.dll
web-nex C:\WINDOWS\janvk.dll
UPX! C:\WINDOWS\loadasp.exe
UPX! C:\WINDOWS\winadvt.dll

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/14/2005 C:\WINDOWS\system32\config\default.LOG
7/14/2005 C:\WINDOWS\system32\config\SAM.LOG
7/14/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/14/2005 C:\WINDOWS\system32\config\software.LOG
7/14/2005 C:\WINDOWS\system32\config\system.LOG
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AFEVKHEJ\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETWH8DUV\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVIPU5CN\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y9YHC5OX\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/14/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\fgykqxfs
{69487403-db56-41fe-be36-f6af40c2c4d0} = C:\WINDOWS\System32\pcmqd.dll
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
  • 0

#23
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ fgykqxfs]

[-HKEY_CLASSES_ROOT\CLSID\{69487403-db56-41fe-be36-f6af40c2c4d0}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

***
  • Reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\abiuninst.htm
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\pcmqd.dll
    • C:\WINDOWS\janvk.dll
    • C:\WINDOWS\winadvt.dll
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run winpfind again and post the new log here.

  • 0

#24
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
on reboot, still just the blue screen. Here is the new winpfind log:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
UPX! C:\WINDOWS\loadasp.exe

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/14/2005 C:\WINDOWS\system32\config\default.LOG
7/14/2005 C:\WINDOWS\system32\config\SAM.LOG
7/14/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/14/2005 C:\WINDOWS\system32\config\software.LOG
7/14/2005 C:\WINDOWS\system32\config\system.LOG
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AFEVKHEJ\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETWH8DUV\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVIPU5CN\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y9YHC5OX\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/14/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\fgykqxfs
{69487403-db56-41fe-be36-f6af40c2c4d0} =
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
  • 0

#25
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Did you do the fix.reg and reboot?

We need to clean this up first, then we will take on the blue screen.1. Reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
2. Once in Safe Mode, please run Killbox.
3. Click "Replace on Reboot" and check the "Use Dummy" box.
4. Paste the following into the top "Full Path of File to Delete" box.* C:\WINDOWS\abiuninst.htm
5. Click the red-and-white "Delete File".
6. Click "Yes" at the Replace on Reboot prompt.
7. Click "No" at the Pending Operations prompt.
8. Repeat steps 5-9 above for these files:* C:\WINDOWS\System32\pcmqd.dll
* C:\WINDOWS\janvk.dll
* C:\WINDOWS\winadvt.dll
* C:\WINDOWS\loadasp.exe
9. Click the red-and-white "Delete File" button.
10. Click "Yes" at the Replace on Reboot prompt.
11. Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
12. When your computer reboots, please run winpfind again and post the new log here.
[/list]
  • 0

Advertisements


#26
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
I did run the fix.reg before. I ran it again before I rebooted this time and did the killbox stuff. Here is the new winpfind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/14/2005 C:\WINDOWS\system32\config\default.LOG
7/14/2005 C:\WINDOWS\system32\config\SAM.LOG
7/14/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/14/2005 C:\WINDOWS\system32\config\software.LOG
7/14/2005 C:\WINDOWS\system32\config\system.LOG
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AFEVKHEJ\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETWH8DUV\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVIPU5CN\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y9YHC5OX\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/14/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\fgykqxfs
{69487403-db56-41fe-be36-f6af40c2c4d0} =
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
  • 0

#27
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
~Mark saw what I mist (thanks Mark). There is a space to much in the reg file.

Can you edit it, or else created a new one to replace the current one.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fgykqxfs]

[-HKEY_CLASSES_ROOT\CLSID\{69487403-db56-41fe-be36-f6af40c2c4d0}]


Double click it to merge.

Then do the winpfind one more time. Also post me a fresh HijackThis log this time.
  • 0

#28
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK done. here's the new winpfind and HJT logs:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/14/2005 C:\WINDOWS\system32\config\default.LOG
7/14/2005 C:\WINDOWS\system32\config\SAM.LOG
7/14/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/14/2005 C:\WINDOWS\system32\config\software.LOG
7/14/2005 C:\WINDOWS\system32\config\system.LOG
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AFEVKHEJ\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETWH8DUV\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVIPU5CN\desktop.ini
7/12/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y9YHC5OX\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/14/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.


-----------

Logfile of HijackThis v1.99.1
Scan saved at 5:18:31 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AVE122001_CD.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lsdiorw - Logiciels & Services Duhem, Paris, France - C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#29
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Again, you are doing great. This is a very nasty infection on it's own and you have it along with some friends. The friends are gone now :tazz:

The tool got updated so I need you to download the new version. Throw away the smitrem you have there now.



We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.zip updated and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Cick browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there, right click and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you wont see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back (I hope it's there somewhere now).
  • 0

#30
glennc007

glennc007

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Alrighty. Here is the smitfiles.txt log:

May I say, again and again, thank you so much.


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP