Aurora/ABI Network Popups [RESOLVED]


This topic is locked

#1 perf68 (Member, 11 posts)

Currently having Aurora/ABI network popups. I am also getting random internet link icons placed on my desktop. I have completed all of the preliminary steps found on this website, although I am not sure that ewido is working properly because, although it seems to be running (it has self-updated and seems to have blocked some things), I get no main ewido screen as described in your preliminary thread. As such, I have no ewido log.

Anyway, here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:49:35 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Dietrich\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevml32.exe
O4 - HKLM\..\Run: [sFng33O] accca12n.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [do4mRTi3Q] wsntus40.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121129824406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks for any help!
#2 Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Please download LQfix batch here:
http://users.pandora...atchy/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Reboot your computer into SAFE MODE

Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and please post a new HijackThis log.

#3 perf68 (Topic Starter)

Sam,

Not sure if LQfix did anything or not. When I ran the program from Safe Mode, it opened an MS-DOS window for a second or two, and that was it. I wasn't sure what to expect, maybe that was it, so I posted a new HJT log anyway.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:19 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Dietrich\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [sFng33O] accca12n.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [do4mRTi3Q] wsntus40.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121129824406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for your help.

#4 Buckeye_Sam (Malware Expert)

Yep, that was it. It did a lot more than it looked like.

Run HijackThis. Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button "Save list". It will open a Notepad file. Place the content of that file here in your next post.

#5 perf68 (Topic Starter)

Here is the list.

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
AnyTime Organizer 9.2
ArcSoft Software Suite
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Broadcom 802.11 Driver
Call of Duty - United Offensive
Call of Duty Game of the Year Edition
Canon i860
ccCommon
Conexant 56K ACLink Modem
Conexant AC-Link Audio
DivX
DivX Player
ESPN RunTime
ewido security suite
Gangsters
HijackThis 1.99.1
Internet Worm Protection
InterVideo WinDVD
iTunes
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_06
Lexmark X73
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Medal of Honor Pacific Assault™
Medal of Honor Pacific Assault™ Patch
Microsoft .NET Framework 1.1
Microsoft Excel 97
Microsoft Outlook 98
Microsoft Word 97
MSN Music Assistant
Musicmatch® Jukebox
NASCAR® Racing 3
Nikon View 6
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SCSSDist MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
PartyPoker
Poker Superstars
Poker Tracker Version 2.06.05c
Punch! 5 in 1 Home Design
Punch! Professional Home Design
PunkBuster for Battlefield 1942
Quick Launch Buttons 4.20 B3
QuickBooks Basic 2005
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
RecordNow!
Sonic Update Manager
SPBBC
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Symantec
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
Tax Forms Helper 2004 6.5
Tiger Woods PGA TOUR 2005
TurboTax Basic 2004
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
WinPatrol 9.5
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar

Thanks

#6 Buckeye_Sam (Malware Expert)

Please make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [sFng33O] accca12n.exe
O4 - HKCU\..\Run: [do4mRTi3Q] wsntus40.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"


Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
accca12n.exe <-- you'll have to search for this file
wsntus40.exe <-- you'll have to search for this file
C:\Program Files\Cas


Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.


Reboot your computer to go back to normal mode.


Please run at least two of these online scans.
Make sure they are set to clean automatically.

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new HijackThis log and the info from your virus scans.
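As an added illustration of what the expert is doing by eye in the list above (this is not code from the thread, from HijackThis or from Geeks to Go), the following Python script parses the O4 Run entries out of a HijackThis log and applies a few path-based checks an analyst uses for a first pass: an entry that names a bare file with no directory (like accca12n.exe or wsntus40.exe, which Windows resolves by searching the path rather than from a fixed location), an entry launched from a temp folder, a loose .exe dropped straight into the System32 root, and a DLL loaded by rundll32 from the Windows root instead of System32. The sample log embedded in the script is a subset of the lines posted earlier in this thread; the function and variable names are my own. The checks are heuristics for review, not verdicts: they also flag nwiz.exe (a legitimate NVIDIA component listed without a path), and they do not flag casclient.exe, which lives under Program Files and was identified from its name and the uninstall list rather than from where it sits on disk.

```python
"""Triage HijackThis O4 (Run-key autorun) entries with simple path heuristics.

Added example for this thread; not part of HijackThis or of the original posts.
Only HKLM/HKCU ...\Run entries are parsed; Startup-folder O4 lines are skipped.
"""
import ntpath
import re

# Constructed sample: a subset of the O4 lines from the log posted above,
# plus one non-O4 line to show that everything else is ignored.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevml32.exe
O4 - HKLM\..\Run: [sFng33O] accca12n.exe
O4 - HKCU\..\Run: [do4mRTi3Q] wsntus40.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
RUNDLL_HOSTS = {"rundll32.exe", "rundll32"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def split_command(cmd: str):
    """Split a Run value into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def launched_target(cmd: str) -> str:
    """Return the file that really gets loaded: the program, or the DLL handed to rundll32."""
    program, args = split_command(cmd)
    if ntpath.basename(program).lower() in RUNDLL_HOSTS and args:
        return args.split(",", 1)[0].strip().strip('"')
    return program


def assess(target: str) -> list:
    """Heuristic review reasons for one autorun target (empty list means nothing to note)."""
    reasons = []
    low = target.lower()
    parent = ntpath.dirname(low)
    ext = ntpath.splitext(low)[1]
    if "\\" not in target:
        reasons.append("unqualified file name: resolved through the search path, not a fixed location")
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("launched from a temp directory")
    if ext == ".exe" and parent.endswith("\\system32"):
        reasons.append("loose executable in the System32 root")
    if ext == ".dll" and parent.endswith("\\windows"):
        reasons.append("DLL loaded from the Windows root rather than System32")
    return reasons


def triage(log_text: str) -> list:
    """Parse every O4 Run entry and return (hive, value name, target, reasons) tuples."""
    rows = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        target = launched_target(m["cmd"])
        rows.append((m["hive"], m["name"], target, assess(target)))
    return rows


def flagged(log_text: str) -> dict:
    """Map value name -> reasons for the entries that deserve a second look."""
    return {name: reasons for _, name, _, reasons in triage(log_text) if reasons}


if __name__ == "__main__":
    for hive, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{'REVIEW' if reasons else 'ok    '} {hive} [{name}] -> {target}")
        for reason in reasons:
            print(f"         - {reason}")
```

Running the script prints a REVIEW/ok line per entry; compare the REVIEW set with the eight entries the expert asked to fix above to see which the path heuristics catch (the bare names, the temp-folder installer, the System32 loose executables and the rundll32 DLL) and which need the uninstall list or a name lookup instead.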

#7 perf68 (Topic Starter)

Sam,

Thanks for all of your help so far. I think I've completed everything as directed.

First, a couple of notes, don't know whether they are important or not.
When I reboot in Safe Mode, I am logging in under my user name, not as Administrator. I am the only user on the computer, so I hope this is correct.
I found none of the files to delete (although there was a cfgmgr52.ini, which I did not delete, but not a .dll), but I did delete the \Cas directory.

Okay, first the Panda results:

Incident | Status | Location
Adware:adware/apropos | No disinfected | C:\PROGRAM FILES\Aprps
Adware:adware/elitebar | No disinfected | C:\DOCUMENTS AND SETTINGS\BRIAN DIETRICH\FAVORITES\Casino & Carrers
Spyware:spyware/surfsidekick | No disinfected | HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3
Adware:adware/bigtrafficnet | No disinfected | HKEY_CLASSES_ROOT\Interface\{FA6FA7A5-2C49-4567-BA74-6DD1C36099EE}
Adware:adware/brilliantdigital | No disinfected | HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Apropos | No disinfected | C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystem | No disinfected | C:\Program Files\CasStub\casstub.exe
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D2E.tmp\AdDestroyer.exe
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D2F.tmp
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D30.tmp
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D31.tmp
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D32.tmp
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D34.tmp
Adware:Adware/AdDestroyer | No disinfected | C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D35.tmp
Possible Virus. | No disinfected | C:\WINDOWS\AuroraHandler.dll
Adware:Adware/ConsumerAlertSystem | No disinfected | C:\WINDOWS\system32\dist001.exe
Adware:Adware/BigTrafficNet | No disinfected | C:\WINDOWS\system32\nsv3D29.dll
Adware:Adware/AdBehavior | No disinfected | C:\WINDOWS\system32\redit.cpl
Virus:Trj/Downloader.BJG | Disinfected | C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Adware:Adware/AdBehavior | No disinfected | C:\WINDOWS\system32\supdate.dll
Virus:Trj/Downloader.BJG | Disinfected | C:\WINDOWS\system32\uci.exe
Adware:Adware/BookedSpace | No disinfected | C:\WINDOWS\ycbbuirz.exe

And now the BitDefender. (Note: it never gave me any kind of list of files that could not be removed, so I'm not sure if you need this or not.)

BitDefender Online Scanner
Scan report generated at: Mon, Jul 18, 2005 - 07:01:38
Scan path: C:\;D:\;

Statistics
Time: 00:35:51
Files: 127328
Folders: 3506
Boot Sectors: 2
Archives: 950
Packed Files: 21016

Results
Identified Viruses: 14
Infected Files: 56
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 69

Engines Info
Virus Definitions: 196227
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File / Status

C:\Program Files\CasStub\casstub.exe
  Infected with: Trojan.Downloader.Agent.QG
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0CD61DEB.exe=>(Quarantine-2)
  Infected with: Trojan.Dloader.OS
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\1F1E23CD.exe=>(Quarantine-2)
  Detected with: Adware.POP.dl
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\35AC392C.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\35AF6328.exe=>(Quarantine-2)
  Infected with: Trojan.Downloader.Delf.GO
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\35B30D25.exe=>(Quarantine-2)
  Infected with: Trojan.Downloader.Delf.GO
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\39826FF1.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\45122BF0.exe=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\575A5893.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\5E8274A1.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\5EE01742.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\60D275AF.exe=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\60D51FAC.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\Program Files\Norton AntiVirus\Quarantine\60D849A8.sys=>(Quarantine-2)
  Infected with: Trojan.Kolweb.A
  Disinfection failed
  Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP141\A0019472.exe
  Infected with: Trojan.Downloader.Delf.GO
  Disinfection failed
  Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP141\A0019481.exe
  Infected with: Trojan.Downloader.Delf.GO

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP141\A0019481.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP141\A0019481.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019499.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019499.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019499.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019501.exe
Infected with: Trojan.Downloader.Delf.GO

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019501.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019501.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019502.exe
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019502.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019502.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019523.exe
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019523.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019523.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019525.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019525.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019525.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019526.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019526.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019526.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019532.exe
Infected with: Trojan.Dropper.Delf.EV

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019532.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019532.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019578.EXE
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019578.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP143\A0019578.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019616.exe
Infected with: Trojan.Dropper.Delf.EV

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019616.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019616.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019617.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019617.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019617.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019619.exe
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019619.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019619.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019620.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019620.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019620.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019621.EXE
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019621.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019621.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019622.exe
Infected with: Trojan.Dropper.Delf.EV

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019622.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019622.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019623.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019623.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019623.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019624.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019624.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019624.sys
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019626.exe
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019626.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019626.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019628.EXE
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019628.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019628.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019641.EXE
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019641.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP145\A0019641.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029607.exe
Infected with: Trojan.Downloader.Small.ABD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029607.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029607.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029608.exe
Infected with: Trojan.Downloader.Small.ABD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029608.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP210\A0029608.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029768.exe
Infected with: Trojan.Downloader.Small.ABD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029768.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029768.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029969.exe
Infected with: Trojan.Dropper.Agent.HH

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029969.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029969.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029971.exe
Infected with: Trojan.Startpage.NK

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029971.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029971.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029972.exe
Infected with: Trojan.Dropper.Agent.KD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029972.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029972.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029974.EXE
Infected with: Trojan.Startpage.NK

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029974.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0029974.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030035.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030035.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030035.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030036.EXE
Infected with: Trojan.Dropper.Agent.HL

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030036.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030036.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030039.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030039.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030040.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP213\A0030040.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030102.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030102.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030103.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030103.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030111.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030111.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030135.exe
Infected with: Trojan.Startpage.NK

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030135.exe
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030135.exe
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030221.EXE
Detected with: Adware.POP.dl

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030221.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030221.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030335.EXE
Infected with: Trojan.Downloader.Small.ABD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030335.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030335.EXE
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030337.EXE
Infected with: Trojan.Downloader.Small.ABD

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030337.EXE
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP214\A0030337.EXE
Deleted

C:\WINDOWS\system32\dist001.exe
Infected with: Trojan.Downloader.Agent.QG

C:\WINDOWS\system32\dist001.exe
Disinfection failed

C:\WINDOWS\system32\dist001.exe
Deleted

C:\WINDOWS\system32\supdate.dll
Infected with: Trojan.Downloader.Qoologic.P

C:\WINDOWS\system32\supdate.dll
Deleted

And now the new hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 7:28:05 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Dietrich\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121129824406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks.
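The scan report above is a flat run of path/status pairs, which hides the one question that matters for follow-up: which detections were on the live system, as opposed to copies already sitting in Norton's quarantine or in System Restore points. As an added example (not from this thread and not any vendor's tool), here is a Python triage that merges the records per path and buckets them by location; the sample log is a constructed subset of the lines posted above, including the orphaned status line the paste starts with.

```python
"""Triage for a scan log in the format posted above: path line, status line,
blank line, with one record per event. Added example, not part of the thread."""
import re
from collections import defaultdict

# Constructed sample: records copied from the report above. The first line is
# an orphaned status (the paste starts mid-record), which the parser must skip.
SAMPLE_LOG = r"""
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\35AC392C.sys=>(Quarantine-2)
Infected with: Trojan.Kolweb.A

C:\Program Files\Norton AntiVirus\Quarantine\35AC392C.sys=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\35AC392C.sys=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Infected with: Trojan.Kolweb.A

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Disinfection failed

C:\System Volume Information\_restore{BCB42CE0-127D-4B0B-8EE7-06F955E05E54}\RP142\A0019498.sys
Deleted

C:\WINDOWS\system32\dist001.exe
Infected with: Trojan.Downloader.Agent.QG

C:\WINDOWS\system32\dist001.exe
Disinfection failed

C:\WINDOWS\system32\dist001.exe
Deleted

C:\WINDOWS\system32\supdate.dll
Infected with: Trojan.Downloader.Qoologic.P

C:\WINDOWS\system32\supdate.dll
Deleted
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^(Infected|Detected) with: (?P<name>.+)$")


def parse_scan_log(text):
    """Return {path: {"detection": name_or_None, "events": [status, ...]}}.

    The same path recurs once per event, so events are merged per path in log
    order. A status line with no preceding path is skipped, and a path whose
    status line is missing does not swallow the next record.
    """
    records = defaultdict(lambda: {"detection": None, "events": []})
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if not PATH_RE.match(lines[i]):
            i += 1  # blank line or orphaned status line
            continue
        path, rec = lines[i], records[lines[i]]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        status = "" if PATH_RE.match(nxt) else nxt
        if status:
            m = DETECT_RE.match(status)
            if m:
                rec["detection"] = m.group("name")
            rec["events"].append(status)
        i += 2 if status else 1
    return dict(records)


def classify_location(path):
    """AV quarantine and System Restore copies were already inert when the
    scanner removed them; anything else was on the live file system."""
    p = path.lower()
    if "\\norton antivirus\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def triage(records):
    """Group records by location and count hits per detection name."""
    by_location, by_detection = defaultdict(list), defaultdict(int)
    for path, rec in records.items():
        by_location[classify_location(path)].append({
            "path": path,
            "detection": rec["detection"],
            "disinfect_failed": "Disinfection failed" in rec["events"],
            "final": rec["events"][-1] if rec["events"] else "",
        })
        by_detection[rec["detection"]] += 1
    return {"by_location": dict(by_location), "by_detection": dict(by_detection)}


def live_findings(text):
    """Parse and return only the live-system detections, the ones worth a follow-up."""
    return triage(parse_scan_log(text))["by_location"].get("live", [])


if __name__ == "__main__":
    for hit in live_findings(SAMPLE_LOG):
        print(f"{hit['path']}: {hit['detection']} "
              f"(disinfection failed: {hit['disinfect_failed']}, final: {hit['final']})")
```

Run against the full report, the live bucket comes out as the two system32 files, which is exactly the pair that shows up again in the deletion list that follows.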

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Normally you would want to log in as the administrator, but it doesn't sound like you had any problems so that's ok.


Let's delete a few files that Panda found but couldn't do anything with.
Delete these files/folders:

C:\PROGRAM FILES\Aprps
C:\DOCUMENTS AND SETTINGS\BRIAN DIETRICH\FAVORITES\Casino & Carrers
C:\Program Files\Aprps\ProxyStub.dll
C:\Program Files\CasStub\casstub.exe
C:\WINDOWS\AuroraHandler.dll
C:\WINDOWS\system32\dist001.exe
C:\WINDOWS\system32\nsv3D29.dll
C:\WINDOWS\system32\redit.cpl
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
C:\WINDOWS\system32\supdate.dll
C:\WINDOWS\system32\uci.exe
C:\WINDOWS\ycbbuirz.exe


========


The virus scans showed signs of a qoologic trojan. We need to look at a couple different logs to see if that trojan is present.

Please download the following tools.
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!

Also post a new HijackThis log.

#9
perf68

    Member

  • Topic Starter
  • Member
  • 11 posts
Sam,

The Track qoo link from your last post is giving me this message:

Board Message
Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.

The error returned was:
Sorry, but you do not have permission to use this feature. If you are not logged in, you may do so using the form below if available.



The top of the same screen giving me that error message shows me logged in as perf68.

Please advise, thanks!

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
That's ok, skip Track qoo and just post the log from WinPFind.
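A WinPFind report, in the format posted next in this thread, is a list of signature-string tags beside paths, and a file picked up by several strings shows up as several lines. As an added example (not from this thread and not WinPFind's own code), here is a Python triage that regroups the "Files found" section per path, keeps the dated recent-file entries apart, and separates hits whose only tags are executable-packer signatures from hits carrying other indicator strings; the sample is a constructed subset of the report's lines, and the packer-tag set is my own.

```python
"""Regroup a WinPFind "Files found" section per path and prioritise it.
Added example; not part of the thread and not WinPFind's code."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines posted in this thread.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! C:\HJT.exe

Checking %WinDir% folder...
abetterinternet.com C:\WINDOWS\jkran.dll
web-nex C:\WINDOWS\jkran.dll
PECompact2 C:\WINDOWS\LPT$VPN.731
qoologic C:\WINDOWS\LPT$VPN.731
SAHAgent C:\WINDOWS\LPT$VPN.731
UPX! C:\WINDOWS\onkwjbhlq.exe
buddy.exe C:\WINDOWS\onkwjbhlq.exe
UPX! C:\WINDOWS\tsc.exe

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 C:\WINDOWS\QTFont.qfn
7/19/2005 C:\WINDOWS\system32\config\SAM.LOG

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»
"""

# Assumed set of executable-packer signatures. Plenty of legitimate software is
# packed, so a packer tag on its own is a weak signal (the report's own WARNING
# says as much); a non-packer string is what earns a closer look.
PACKER_TAGS = {"UPX!", "PECompact2", "PEC2", "aspack"}

HIT_RE = re.compile(r"^(?P<tag>\S+) (?P<path>[A-Za-z]:\\.*)$")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")


def parse_files_found(text):
    """Return ({path: [tag, ...]}, [(date, path), ...]) for the Files found section.

    The section starts at the "Files found" banner and ends at the next banner.
    "Checking ..." sub-headers do not match HIT_RE and are skipped; lines whose
    tag is a date come from the recent system/hidden files listing.
    """
    hits, recent = defaultdict(set), []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("»"):
            if "Files found" in line:
                in_section = True
                continue
            if in_section:
                break
        if not in_section:
            continue
        m = HIT_RE.match(line)
        if not m:
            continue
        tag, path = m.group("tag"), m.group("path")
        if DATE_RE.match(tag):
            recent.append((tag, path))
        else:
            hits[path].add(tag)
    return {path: sorted(tags) for path, tags in hits.items()}, recent


def prioritise(hits):
    """Split hits into paths carrying a non-packer indicator string (sorted by
    number of tags, most first) and paths tagged only by packer signatures."""
    indicator, packer_only = [], []
    for path, tags in hits.items():
        other = [t for t in tags if t not in PACKER_TAGS]
        (indicator if other else packer_only).append((path, tags))
    indicator.sort(key=lambda item: (-len(item[1]), item[0]))
    packer_only.sort()
    return {"indicator": indicator, "packer_only": packer_only}


if __name__ == "__main__":
    found, recent_files = parse_files_found(SAMPLE_REPORT)
    prio = prioritise(found)
    print("Review first:")
    for path, tags in prio["indicator"]:
        print(f"  {path}  <- {', '.join(tags)}")
    print("Packer signature only:")
    for path, tags in prio["packer_only"]:
        print(f"  {path}  <- {', '.join(tags)}")
    print(f"Recent system/hidden files: {len(recent_files)}")
```

Even the top of the review list needs a human: string scanners also match antivirus pattern files, and the LPT$VPN.731 / VPTNFILE.731 pair in the report are Trend Micro virus pattern files, which naturally contain the very strings being searched for.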

#11
perf68

    Member

  • Topic Starter
  • Member
  • 11 posts
Sam,

Here is the WinPFind report (yikes!):

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! C:\HJT.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex C:\WINDOWS\IE4 Error Log.txt
abetterinternet.com C:\WINDOWS\jkran.dll
web-nex C:\WINDOWS\jkran.dll
PECompact2 C:\WINDOWS\LPT$VPN.731
qoologic C:\WINDOWS\LPT$VPN.731
SAHAgent C:\WINDOWS\LPT$VPN.731
UPX! C:\WINDOWS\onkwjbhlq.exe
buddy.exe C:\WINDOWS\onkwjbhlq.exe
UPX! C:\WINDOWS\RMAgentOutput.dll
UPX! C:\WINDOWS\tsc.exe
PECompact2 C:\WINDOWS\VPTNFILE.731
qoologic C:\WINDOWS\VPTNFILE.731
SAHAgent C:\WINDOWS\VPTNFILE.731
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
PEC2 C:\WINDOWS\system32\DivX.dll
PECompact2 C:\WINDOWS\system32\DivX.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll
winsync C:\WINDOWS\system32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 C:\WINDOWS\QTFont.qfn
7/11/2005 C:\WINDOWS\inf\oem12.inf
7/19/2005 C:\WINDOWS\system32\FFASTLOG.TXT
7/19/2005 C:\WINDOWS\system32\config\default.LOG
7/19/2005 C:\WINDOWS\system32\config\SAM.LOG
7/19/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/19/2005 C:\WINDOWS\system32\config\software.LOG
7/19/2005 C:\WINDOWS\system32\config\system.LOG
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\45MVO5EN\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LMZOP23\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1QFSTUV\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SHU78XAN\desktop.ini
6/26/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5ad12907-d496-4461-a1eb-f7f80adb81d0
6/26/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/19/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
C:\Documents and Settings\Brian Dietrich\Start Menu\Programs\Startup\Registration Brothers In Arms.LNK

Checking files in %USERPROFILE%\Application Data folder...
C:\Documents and Settings\Brian Dietrich\Application Data\AdobeDLM.log
C:\Documents and Settings\Brian Dietrich\Application Data\dm.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\iebar
iebar =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgyffy
{69c88624-07a6-4018-aa11-2f984ff95586} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\System32\supdate.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
eabconfg.cpl C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
MMTray "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Lexmark X73 Button Monitor C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
Lexmark X73 Button Manager C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
PrinTray C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
DIGStream C:\Program Files\DIGStream\digstream.exe
DIGServices C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
WinPatrol C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
AnyTime Organizer
AnyTime Deluxe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.14 - Log file written to "WinPFind.Txt" in the WinPFind folder.

And Now the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:15:21 PM, on 7/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brian Dietrich\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121129824406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks, as always, for your help.
  • 0
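A small triage script, added here as an example and not part of this thread or of HijackThis itself: it parses lines in the HJT log format posted above into sections, then buckets the entries a log helper looks at first (references to files that no longer exist, O16 ActiveX downloads, and O4 autoruns whose target sits outside the usual directories). The sample lines are a constructed subset copied from the log in this post, not the whole log; the STANDARD_ROOTS list, the bucket names and the path-extraction rules are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in HijackThis v1.99.1 log format, modelled on lines from
# the log posted in this thread; it is a subset, not the full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:15:21 PM, on 7/19/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# One HJT entry: a section code (R0-R3, F0-F3, O1-O23), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed roots under which autorun targets are expected on an XP box with a
# single system drive. Anything else gets a second look, not a verdict.
STANDARD_ROOTS = (
    r"c:\windows", r"%systemroot%", r"%windir%",
    r"c:\program files", r"c:\progra~1", "rundll32.exe",
)


def parse_hjt(text):
    """Parse HJT log text into entry dicts; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        guid = GUID_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "guid": guid.group(0) if guid else None,
            "file_missing": "(file missing)" in body,
        })
    return entries


def autorun_target(body):
    """Return the program path of an O4 entry body, without quotes or arguments."""
    # Registry form:  HKLM\..\Run: [Name] "C:\path\prog.exe" /arg
    # Startup form:   Startup: Name.lnk = C:\path\prog.exe
    m = re.search(r"\]\s*(.*)$", body) or re.search(r"=\s*(.*)$", body)
    if not m:
        return ""
    rest = m.group(1).strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces; arguments start with " /" or " -".
    return re.split(r"\s+[-/]", rest, maxsplit=1)[0]


def is_standard_path(path):
    p = path.strip().lower()
    return any(p.startswith(root) for root in STANDARD_ROOTS)


def triage(entries):
    """Bucket entries the way a helper reads them: dead references, code
    downloads, and autoruns pointing outside the usual directories."""
    buckets = defaultdict(list)
    for e in entries:
        if e["file_missing"]:
            buckets["orphaned_reference"].append(e["body"])
        if e["section"] == "O16":
            buckets["activex_download"].append(e["body"])
        if e["section"] == "O4":
            target = autorun_target(e["body"])
            if target and not is_standard_path(target):
                buckets["autorun_outside_standard_dirs"].append(target)
    return dict(buckets)


def section_counts(entries):
    return dict(Counter(e["section"] for e in entries))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    for bucket, items in triage(parsed).items():
        print(f"\n[{bucket}]")
        for item in items:
            print("  ", item)
```

The buckets are a reading list, not a verdict: the D:\ startup entry it flags is a game's registration reminder, "(file missing)" lines are leftovers that point at nothing and are safe to clean, and an O16 line is the ActiveX control an online scanner such as HouseCall installs, so whether each one belongs is still a judgement call.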

#12
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    C:\WINDOWS\jkran.dll
    C:\WINDOWS\onkwjbhlq.exe

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.

Please post a new WinPFind log. Let me know how things feel on your end. Any problems?
  • 0
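"Delete on Reboot" works by queuing the files in the PendingFileRenameOperations value under Session Manager, the same value named in the error message above; the session manager processes that list early at boot, before the files can be locked. The check below is an added example, not Killbox code and not from this thread: it decodes the value's source/target pairs so you can confirm exactly what is queued before rebooting, and read the live value on Windows. The sample list is constructed to mirror what queuing the two files named in the post would look like (an assumed layout, not captured data).

```python
import sys

# Windows stores delayed deletes/renames as a REG_MULTI_SZ of (source, target)
# pairs; an empty target means "delete source at boot", and paths carry the
# NT "\??\" prefix. Constructed sample: the two files from the post queued
# for deletion, plus one rename so both shapes are exercised.
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\jkran.dll", "",
    r"\??\C:\WINDOWS\onkwjbhlq.exe", "",
    r"\??\C:\WINDOWS\Temp\new.tmp", r"\??\C:\WINDOWS\System32\updated.dll",
]

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def strip_nt_prefix(path):
    """Drop the "\\??\\" object-manager prefix so the path reads as a normal Win32 path."""
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending(values):
    """Turn the flat MULTI_SZ list into (action, source, target) tuples."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        src, dst = strip_nt_prefix(src), strip_nt_prefix(dst)
        ops.append(("delete", src, None) if dst == "" else ("rename", src, dst))
    return ops


def read_live_pending():
    """Read the real value on Windows; [] elsewhere or when nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            values, _type = winreg.QueryValueEx(key, PENDING_VALUE)
            return list(values)
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    queued = read_live_pending() or SAMPLE_PENDING
    for action, src, dst in decode_pending(queued):
        print(f"{action:6} {src}" + (f" -> {dst}" if dst else ""))
```

Running it right after Killbox and before the reboot should list only the files you pasted in; anything extra in that list is worth understanding first, since whatever it names will be moved or removed at the next boot with no prompt.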

#13
perf68

    Member

  • Topic Starter
  • Member
  • 11 posts
Sam,

System is performing much better (virtually no popups) since completing the first few steps with you. I haven't spent any time online after this last step yet.

The internet links that the spyware/adware/AGGRAVATINGware put on my desktop: can I just drag those to the recycle bin to get rid of them, or is there a more thorough removal for those?

Thanks for your help.

Here is the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! C:\HJT.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex C:\WINDOWS\IE4 Error Log.txt
PECompact2 C:\WINDOWS\LPT$VPN.731
qoologic C:\WINDOWS\LPT$VPN.731
SAHAgent C:\WINDOWS\LPT$VPN.731
UPX! C:\WINDOWS\RMAgentOutput.dll
UPX! C:\WINDOWS\tsc.exe
PECompact2 C:\WINDOWS\VPTNFILE.731
qoologic C:\WINDOWS\VPTNFILE.731
SAHAgent C:\WINDOWS\VPTNFILE.731
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
PEC2 C:\WINDOWS\system32\DivX.dll
PECompact2 C:\WINDOWS\system32\DivX.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll
winsync C:\WINDOWS\system32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 C:\WINDOWS\QTFont.qfn
7/11/2005 C:\WINDOWS\inf\oem12.inf
7/19/2005 C:\WINDOWS\system32\FFASTLOG.TXT
7/19/2005 C:\WINDOWS\system32\config\default.LOG
7/19/2005 C:\WINDOWS\system32\config\SAM.LOG
7/19/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/19/2005 C:\WINDOWS\system32\config\software.LOG
7/19/2005 C:\WINDOWS\system32\config\system.LOG
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\45MVO5EN\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LMZOP23\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1QFSTUV\desktop.ini
7/11/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SHU78XAN\desktop.ini
6/26/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5ad12907-d496-4461-a1eb-f7f80adb81d0
6/26/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/19/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
C:\Documents and Settings\Brian Dietrich\Start Menu\Programs\Startup\Registration Brothers In Arms.LNK

Checking files in %USERPROFILE%\Application Data folder...
C:\Documents and Settings\Brian Dietrich\Application Data\AdobeDLM.log
C:\Documents and Settings\Brian Dietrich\Application Data\dm.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\iebar
iebar =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgyffy
{69c88624-07a6-4018-aa11-2f984ff95586} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\System32\supdate.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
eabconfg.cpl C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
MMTray "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Lexmark X73 Button Monitor C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
Lexmark X73 Button Manager C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
PrinTray C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
DIGStream C:\Program Files\DIGStream\digstream.exe
DIGServices C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
WinPatrol C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
AnyTime Organizer
AnyTime Deluxe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.14 - Log file written to "WinPFind.Txt" in the WinPFind folder.

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Yes, now that the underlying infection is gone you should be able to just delete any of the desktop icons that you don't want.

Your logs are clean my friend! :tazz:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
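The six Custom Level changes in Buckeye_Sam's post are Internet-zone actions that Internet Explorer stores as DWORD values under the current user's Zones\3 registry key, so the dialog walk-through can be checked (and re-applied after something resets it) from a script. The following audit/apply script is an added example and is not part of the original thread. It assumes the standard zone layout: zone 3 is the Internet zone, the action IDs 1001, 1004, 1201, 1607, 1800 and 1804 are the registry names of the six settings the post lists, and 0/1/3 encode Enable/Prompt/Disable. It also assumes PowerShell is available, which the XP SP1 box in this thread would not have had by default; there the dialog steps are the way to do it.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# Internet-zone Custom Level settings recommended above, by reading and writing
# the registry values Internet Explorer uses instead of clicking through the dialog.
# Assumptions: zone 3 is the Internet zone; the action IDs below are the registry
# names of the six settings in the post; DWORD 0/1/3 mean Enable/Prompt/Disable.
param([switch]$Apply)   # default is audit-only; -Apply writes the recommended values

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Label      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values, in the order the post lists them (1 = Prompt, 3 = Disable).
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

# Caveat: when the "use only machine settings" policy is on, IE ignores the per-user
# zone key entirely, so editing HKCU would silently change nothing.
$hklmOnly = (Get-ItemProperty -Path $PolicyPath -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: per-user zone settings are ignored; apply the same values under the HKLM Zones\3 key instead.'
}

if (-not (Test-Path $ZonePath)) { throw "Zone key not found: $ZonePath" }
$current = Get-ItemProperty -Path $ZonePath

$drift = 0
foreach ($id in $Recommended.Keys) {
    $entry    = $Recommended[$id]
    $have     = $current.$id        # $null when the value is absent (IE then falls back to the zone template default)
    $haveText = if ($null -eq $have) { '(not set)' } else { $Label[[int]$have] }

    if ($have -eq $entry.Want) {
        'OK       {0} ({1}) = {2}' -f $id, $entry.Name, $haveText
    } else {
        $drift++
        'MISMATCH {0} ({1}) = {2}, want {3}' -f $id, $entry.Name, $haveText, $Label[$entry.Want]
        if ($Apply) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $entry.Want -Type DWord
            '         set {0} to {1}' -f $id, $Label[$entry.Want]
        }
    }
}

$tail = if ($Apply) { ' (now corrected)' } else { '; rerun with -Apply to fix' }
'{0} of {1} settings differ from the recommendation{2}' -f $drift, $Recommended.Count, $tail
```

Save it as, say, Audit-IEZone.ps1 and run it once with no arguments to see which of the six settings drift from the post's recommendation, then with -Apply to write them. Changes take effect for new IE windows; an already-open browser keeps the zone policy it loaded at start.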

#15
perf68

    Member

  • Topic Starter
  • Member
  • 11 posts
Sam,

Thanks so much for all of your help. I'll root for the Buckeyes to do well this year in your honor. As long as OSU doesn't meet South Carolina in another bowl, that is!!!

One final (famous last words) question. I installed a firewall (ZoneAlarm) per your last recommendations, and,

One program trying to access the internet was msmsgs.exe located in C:\Programfiles\Messenger\

I went to the Messenger program on my desktop, unchecked the box to automatically run at startup, rebooted, and the same program tried to access the internet again. Is this a virus of some sort? If so, now what?

Apologies if this is posted in the wrong place.

Thanks