Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I think Trevuren can help me.. Thank You!


  • Please log in to reply

#1
kusash

kusash

    New Member

  • Member
  • Pip
  • 2 posts
hi..

i realise that someone has already post up a request to remove oneclicksearches spyware.

http://www.geekstogo...VED-t41883.html

However my log file is alot different from him (his name is Wazoo). i tried the method posted and while scanning with HJT i can only check this:

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpA011.tmp

The above is the only thing similar. I proceed to do the rest as posted.

i have use Ewido Security Suite to scan and remove further spyware and adware.

The following is my report.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:09:35 PM, 7/18/2005
+ Report-Checksum: 37185CA0

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\marcus.lok.2004\Local Settings\Temporary Internet Files\Content.IE5\3D5W11C3\input[1].php -> Not-A-Virus.Exploit.HTML.DragDrop : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\251C3E49-CABD-4BD2-B1B6-C8CB26\F88F182C-3067-4A1B-BBFD-B10ADD -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015667.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015668.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015669.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015671.EXE -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015672.dll -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015673.dll -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015680.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015681.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015682.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015699.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015700.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015701.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015711.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015713.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015714.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015759.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015760.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015761.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015811.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015812.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015813.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015815.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015835.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015844.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015845.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015846.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015870.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015871.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015872.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015883.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015884.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015885.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015893.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015894.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015895.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015907.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015908.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015909.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015960.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015961.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015962.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015978.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015979.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015980.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016002.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016003.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016004.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016026.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016027.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016028.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016053.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016054.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016055.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016070.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016071.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016072.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017116.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017117.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017118.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017124.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017126.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017127.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017128.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017129.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017131.exe -> Trojan.Puper.w : Cleaned with backup


::Report End

Next i use Panda ActiveScan to do a scan and there appears to be still some more spyware and adware.

Incident Status Location

Adware:adware/transponder No disinfected C:\WINDOWS\LASTGOOD\INF\speer.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Adware:adware/popuper No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\sprnopol.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\adrmsper.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\speer.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Virus:HackTool/Gendel.A No disinfected C:\gendel32.exe
They coulIncident Status Location

Adware:adware/transponder No disinfected C:\WINDOWS\LASTGOOD\INF\speer.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Adware:adware/popuper No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\sprnopol.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\adrmsper.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\speer.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Virus:HackTool/Gendel.A No disinfected C:\gendel32.exe
They could not be remove. Can someone help me?
  • 0

Advertisements


#2
kusash

kusash

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
and by the way.. after i reboot from safe mode.. and run a scan on HJT i get the following..

Logfile of HijackThis v1.99.1
Scan saved at 8:28:11 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Symbol Commander\Sensiva.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smu.edu.sg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121407672833
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

The thing is when i run it under safe mode the log file is very different. It doesn't detect the oneclicksearches.com stuff.

how???
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP