[cato1978]

First, thanks again...Ok, I deleted and reinstalled ewido with the directions you gave me. During the ewido scan it gave me a weird option to delete something I wasn't sure about that it said was embedded. I of course selected no because I didn't know which I should do. I took a screen shot and will post it first from the link my webpage. Following that is the ewido log and then the hijack this log. Thanks again!!!





---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:45:55 PM, 7/28/2005
+ Report-Checksum: 69C703D

+ Scan result:

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4XIBODUR\popcaploader_v6[1].cab/PopCapLoader.dll -> Not-A-Virus.PornWare.PopCap.b : Error during cleaning
C:\WINDOWS\fgtygsa.exe -> Adware.BetterInternet : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 6:49:27 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnapn.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121748673693
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



There you go!!!

[Advertisements]

Please download CleanUp! - Download - HomePage
Install it, but don't run it yet.

Please run a free online virus scan here from:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Don't run it yet. You will have to use IE to download it.

Please download:

http://www.sysintern...e/procexp.shtml

and double click on

ojnapn.exe reg_runthen> Click Strings-> Put a tick by Memory and Save that report and post it here along with a new hijack this log and a trackqoo log.

gave me a weird option to delete something I wasn't sure about that it said was embedded

Please delete it.

Run the Panda scan and post the results here.

Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

[coachwife6]

Please download CleanUp! - Download - HomePage
Install it, but don't run it yet.

Please run a free online virus scan here from:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Don't run it yet. You will have to use IE to download it.

Please download:

http://www.sysintern...e/procexp.shtml

and double click on

ojnapn.exe reg_runthen> Click Strings-> Put a tick by Memory and Save that report and post it here along with a new hijack this log and a trackqoo log.

gave me a weird option to delete something I wasn't sure about that it said was embedded

Please delete it.

Run the Panda scan and post the results here.

Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

[cato1978]

I'm sorry, I don't totally understand how to use this program (procexp) and when I open it I don't see any file labeled ojn_apn. Am I looking in this program or should I be looking somewhere else? Also, I don't see it anymore popping up and I didn't see it when I ran ewido. I'll go ahead and do everything else if you'd like, just let me know.

BTW, my system keeps getting bogged down and things stop responding. This is getting more frequent and pop ups and desktop icons are seemingly increasing a bit. Let me know what logs you'd like or where I'm supposed to look for that file.

Thanks,

Cato

[coachwife6]

Download Process Explorer from here
http://www.sysintern...sExplorerNt.zip

Right Click the Zip file and Select "Extract All"

Next download Track Qoo from here
http://webpages.char...Track qoo 1.zip

Right Click the Zip file and Select "Extract All"

Double Click on "Track qoo.vbs"

If you Antivirus has Script Blocking,you will get a Pop Up Windows asking you what to do

Allow this Entire Script to Run,its harmless!

Wait a few seconds and a notepad page will pop up,Copy&Paste those results in the next post!


Now go to Process ExplorerNT folder-> Open it and double click on "procexp.exe"

Dont pay any attention to the box that just popped up,just click OK!

Once Process Explorer is Open,Scroll towards the bottom and look for this entry

ojnapn.exe

Double Click ojnapn.exe> Now Click on Strings-> Put a tick by Memory and Click Save

Save it to the Desktop!

If you see another process in there thats all goobly gobbed looking like the one above,follow the same process to Save a strings log as well!

After this,please dont restart the PC!

Post both logs back here along with a fresh HijackThis log!

[cato1978]

Hey, I have got several logs to look at. I also did an screen capture of the program so if you see anything that looks suspect I can add the log file for that as well. Here are the images first, followed by the different log files I thought were of importance. Thanks so much for your patience. and help. There are 2 screen captures so that you can see all the things running.






REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
@=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"SunKist"="C:\\Program Files\\Digital Media Reader\\shwicon2k.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"NAV CfgWiz"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJPD HID Control"="C:\\Program Files\\Canon\\BJPV\\TVMon.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Gateway Extended Warranty"="\"C:\\Program Files\\Gateway\\GWCares\\GWCares.exe\""
"winsync"="C:\\WINDOWS\\System32\\ojnapn.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- qfygmynx
{a488158a-faf1-4dd0-9fc2-303709594e97}
C:\WINDOWS\System32\bjade.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

BigFix.lnk
desktop.ini
Kodak EasyShare software.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

BigFix.lnk
desktop.ini
Kodak EasyShare software.lnk
Microsoft Office.lnk
desktop.ini
HotSync Manager.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
agcpl.cpl iAnywhere Solutions, Inc.
appwiz.cpl Microsoft Corporation
BCMWLCPL.CPL Broadcom Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
NeroBurnRights.cpl Ahead Software AG
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


wltrysvc.exe
jjjjjjj
jjj
jjj
(null)
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
RPS
F<QPW
PRh
PQh
SPQ
VhR
VdR
V`RP
FTR
VPP
FHR
PQRU
PQh
Rhx
Phh
PhL
SUW3
Phx
SUW3
UUV
PRh
QPR
(SVW
PhH
D$4Rj
tAj
QhX
SUVW
RWj
QUj
SUV
L$(PQh
RPPP
L$ PSQj
D$(Ph
URj@
T$(QU
QSRj
SUVW
tLh
(SUVWj
PQj
L$$PQj
FpWS
DSV
VRj
PRh
UVW
ShR
SdR
S`RP
CTR
SPP
CHR
PQRW
hhx@
7t'It
SVW
WsR
WsU
Yu!j
QSVW
QQSVWd
SVW
PPP
4SVW
SVW
QSV
SVWUj
SVW
t.;t$$t(
SVW
Ytw
ucj
SVW
HHt
HHtpHHtl
HtQ
RPWV
KVW
SVW3
SUV3
DSUVWh
YYh0
u+Vj
VWj
uij
8csm
csm
VWt!
sO;>|C;~
u Vj
SVW
8csm
u SW
SVW
?csm
8csm
SVW
YYPW
tVj
YYP
YYP
QQSVW
QQSVW
QQSVW
VWu
t9UW
QQS3
VWu
PSSW
PVW
SS@SSPVSS
t#SSUP
t$$VSS
UWV
VC20XC00U
SVWU
tEVU
ulSj
pD#U
SVW
NCu
Wtd
WPS
_WPS
GIu
GJu
8csm
YYj
SVW
UAA
Wj@Y3
t7SW
VPj
VPV
VPh
VWuBh
tPh
tzVS
GIt%
t/Ku
GKu
VWss
tVP
SUVW
tiW
HHtYHHtF
SVW
uFWWj
"WWSh
E WW
tfS
tMWWS
WWu
VSh
SVW
PVh
WSV
EEE
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
DestroyWindow
DefWindowProcA
CreateWindowExA
RegisterClassA
BroadcastSystemMessageA
RegisterWindowMessageA
USER32.dll
CopySid
GetLengthSid
IsValidSid
LookupAccountNameA
GetUserNameA
StartServiceCtrlDispatcherA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
RegCloseKey
RegSetValueExA
RegCreateKeyA
DeleteService
QueryServiceStatus
ControlService
OpenServiceA
RegDeleteValueA
StartServiceA
RegisterServiceCtrlHandlerA
SetServiceStatus
DeregisterEventSource
ReportEventA
RegisterEventSourceA
RegQueryValueExA
RegOpenKeyExA
RegDeleteKeyA
ADVAPI32.dll
GetVersionExA
GetModuleFileNameA
Sleep
GetProcAddress
GetModuleHandleA
SetConsoleCtrlHandler
GetLastError
LocalFree
FormatMessageA
GlobalFree
GlobalAlloc
GetStdHandle
AllocConsole
OutputDebugStringA
CloseHandle
WaitForMultipleObjects
CreateEventA
SetEvent
CreateProcessA
SetErrorMode
SetStdHandle
GetFileType
RtlUnwind
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
HeapFree
SetHandleCount
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
WriteFile
VirtualAlloc
HeapReAlloc
IsBadWritePtr
FlushFileBuffers
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
KERNEL32.dll
Software\Microsoft\Windows\CurrentVersion\RunServices
SYSTEM\CurrentControlSet\Services\EventLog\Application\
OpenSCManager failed - %s
Service installed
CreateService failed - %s
%s installed.
Unable to install %s - %s
OpenService failed - %s
DeleteService failed - %s
%s removed.
%s failed to stop.
%s stopped.
Stopping %s.
%s failed to start: %s
%s failed to start.
%s started.
Starting up %s.
RegisterServiceProcess
kernel32.dll
RRL__FacelessWndProc_
Debugging %s.
Stopping %s.
SetServiceStatus() failed
Sources
TypesSupported
EventMessageFile
WLTRYSVC
WL_TRAYAPP_MSG
wltray service is spinning!
ExitCode
SOFTWARE\Broadcom\802.11
%SystemRoot%\System32\bcmwltry.exe
%SystemRoot%\System32\


wdfmgr.exe
NULL
WdfHostProcessImagePath
WdfHostProcessExitTimeout
WdfHostProcessStartTimeout
SOFTWARE\Microsoft\Windows NT\CurrentVersion\WDF\Services
foo
-iDeviceEndpoint:
-iFrameworkEndpoint:
-regPath:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WDF\Services\
-clientName:
DP_TRACE_API DP_TRACE_DDI DP_TRACE_GENERAL DP_TRACE_OBJECT DP_TRACE_POOL DP_TRACE_DRIVER DP_TRACE_DEVICE DP_TRACE_REQUEST DP_TRACE_FILEOBJECT DP_TRACE_IO DP_TRACE_PNP DP_TRACE_MEMORY DP_TRACE_IOTARGET DP_TRACE_FUNC DP_TRACE_STRING
DriverProcessTraceGuid
PROCHELP_TRACE_EVENT PROCHELP_TRACE_QUERY
ProcessHelperTraceGuid
TEST_TRACE_GENERAL TEST_TRACE_APP TEST_TRACE_TSTDRIVER TEST_TRACE_FLTRDRIVER
TestTraceGuid
MGR_TRACE_MGR MGR_TRACE_SERVICE_KEY MGR_TRACE_DEVNODE MGR_TRACE_PROCESS
MgrTraceGuid
API_TRACE_IO
ApiTraceGuid
RPC_TRACE_AUTHENTICATION RPC_TRACE_SERVER RPC_TRACE_CLIENT RPC_TRACE_GENERAL
RpcTraceGuid
Query
DeviceInterfaces
Isolated
Exclusive
DriverCredential
UnloadMode
StartMode
DriverList
WDFU
{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
ListObjectNoName
ImagePath
WdfHostProcessGUID
WdfLogLevel
WdfLogkd
WdfLogger
WdfLogName
WdfLogEnable
WdfHealthMonitorTimerPeriod
WdfNumDeviceInterfacesMax
WdfNumDeviceStacksMax
WdfHostProcessExitTimeoutMax
WdfHostProcessStartTimeoutMax
SOFTWARE\Microsoft\Windows NT\CurrentVersion\WDF
#WDF#DriverManager
WdfDrvMgr
0123456789abcdef
BitNames
Guid
ControlFlags
Active
LogSessionName
stdout
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
D:(A;OICI;GA;;;SY)(A;OICI;GRGW;;;LS)(A;OICI;GRGW;;;NS)(A;OICI;GA;;;BA)
WDF Driver Manager Service
ncalrpc
VS_VERSION_INFO
StringFileInfo
CompanyName
Microsoft Corporation
FileDescription
Windows User Mode Driver Manager
FileVersion
5.2.3790.1230 built by: DNSRV(bld4act)
InternalName
WdfMgr
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
WdfMgr.exe
ProductName
Microsoft
Windows
Operating System
ProductVersion
VarFileInfo
Translation
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
K\HI
K\HI
PPTP00
PPTP00
PPTP00
PPTP00
PPTP00
PPTP00N
RSDS
WdfMgr.pdb
QPV
SSSS
SVW
QSj
;Xtv8
;Xxv
rqSh
r6Wh
FDt
sLV
CHP
sDVW
sLVW
sHVW
s0VW
CPP
PVVj
VVVWV
Chi
RVQP
Nli
Fli
;Qdu
VSh
~PjDW
SVW
w0Vj>
wPVj?
wTVj@
wXVjA
w\VjB
w|VjC
SVjD
pDVjE
p0VjF
p@VjG
VjH
SVW
tEjP
SVW
tEjx
PSSS
;AHu
SVW3
QWP
PWWW
FHj
~DWSj
PSh
FLu8
FPP
FTP
FXP
FdW
9^dvlf
HLj
yDu
YYt
FhC;^d
vdh
vhh
;Fdr
YYt
YYtbG;~dr
thV
rBWh
9FTu
FhH
SVW
FPP
9FLt*
I9FDt
r0Sj8
9FHt
PSj:
SVW
^Lt,9^ t'
NtV
QSVW
NtV
9^pYt)3
G;~dr
Y9^ltT9^h
;Fhr
jTh
9~hvs
9Fhv03
G;~dr
QQSVW3
YtVF
PVS
VVVj
PVV
YtbVV
SSSSV
QPVS
VWj
YYt'
rPf
SVW
SVW
tHh
FDu$
NHV
NHW
NDW
vpj
PWh
FxP
vxWj
PWj
v|Wj"
PWj#
PWj&
PWj)
PhP"
SVW
NHj
vHWW
tTS
t7SVP
IHVj
QVW
GXP
OHj
OHV
Spu8
CpV
Cpj
CPu%
PVShkV
Cdu%
SVW
F\9^\uzj
PPVh
FTP
HtwHt&
rzh8$
BHy
FDP
SSSh
PSh
SSS
PSh
SSS
jWX
tmVWj
VVf
PSh
PhH$
PhH$
QSVW
WhH$
r{Vj
rmVj
r_Vj
rQVj
rCVj
r5Vj
r'Vj
r=Vj
VVj
VVS
SVW3
u@SSj
WhH$
SSj
uMV
MZu(
SVW
BBFF
BBNu
PVW
QSV
QVW
WWW
rdVh<&
WVj#
WVj$
QQVj
PVj
tyW
SVP
SVj
YYt/
SVj
PVh<&
YYt5
SVW
VWj
3SPj
VWj
uqj
VWj
QPPj
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
CreateEventW
SetEvent
InterlockedIncrement
Sleep
GetLastError
CreateProcessW
TerminateProcess
WaitForSingleObject
CloseHandle
InterlockedDecrement
ExpandEnvironmentStringsW
DeleteTimerQueueTimer
SleepEx
SearchPathW
GetSystemDirectoryW
DeleteTimerQueueEx
WaitForSingleObjectEx
QueueUserAPC
CreateThread
CreateTimerQueue
CreateTimerQueueTimer
ResetEvent
LocalFree
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
KERNEL32.dll
wcslen
_purecall
??2@YAPAXI@Z
??3@YAXPAX@Z
wcscmp
free
_except_handler3
memmove
malloc
_c_exit
_exit
_XcptFilter
_cexit
exit
__initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
msvcrt.dll
_controlfp
TraceMessage
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyW
StopTraceW
EnableTrace
StartTraceW
ControlTraceW
RegSetValueExW
RegCreateKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExW
ADVAPI32.dll
NdrServerCall2
NdrClientCall2
NdrAsyncClientCall
UuidToStringW
UuidCreate
RpcStringFreeW
RpcAsyncInitializeHandle
RpcAsyncCompleteCall
UuidFromStringW
RpcServerInqCallAttributesW
RPCRT4.dll
UnregisterDeviceNotification
RegisterDeviceNotificationW
USER32.dll
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailW
SetupDiOpenDeviceInterfaceW
SetupDiCreateDeviceInfoList
SetupDiOpenDevRegKey
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsExW
SETUPAPI.dll
GetUserNameExW
Secur32.dll
lstrcmpiW
GetCurrentThread
GetTokenInformation
OpenThreadToken
LookupAccountSidW
CreateWellKnownSid
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcMgmtWaitServerListen
RpcMgmtStopServerListening
RpcServerUnregisterIf
RpcRevertToSelf
RpcImpersonateClient
RpcBindingFree
RpcServerListen
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW

[cato1978]

And here were the new hijack this and panda logs in addition to the previous posts info...thanks

PANDA LOG

Incident Status Location

Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-33ed7e78-5eb8ff5e.RB0[Gummy.class]
Virus:Trj/Downloader.CHD Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-33ed7e78-5eb8ff5e.RB0[web.exe]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\Uninstall.exe
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\vpuqw.dat
END PANDA LOG

Logfile of HijackThis v1.99.1
Scan saved at 2:42:09 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnapn.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121748673693
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[coachwife6]

Before I delve into this: did you run ewido in safe mode making sure no windows or other programs were running? If not, I need you to run it again. That takes care of most of the infection. Get rid of everything it detects

[cato1978]

Yes, I ran it in safe mode, I make sure that I do since it takes so long I don't want it to be for nothing. I can run it again if you'd like.

[coachwife6]

NO, that's OK. I'm just about to look at it.

[coachwife6]

Bananafanafo looked at this (she's my hero )

She suggests that you run Ewido in safe mode again.

Make sure you do not open any windows or run any other programs.

----------

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

---------------

Please find this

agcpl.cpl<<right click on it and tell me it's properties.

Lets play it Safe and have you download Pocket Killbox
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Please copy everything in the code box below and paste it into notepad. Go up to "File > Save As" then click the drop-down box to change the "Save As Type" to "All Files". Save it as remv.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qfygmynx]

[-HKEY_CLASSES_ROOT\CLSID\{a488158a-faf1-4dd0-9fc2-303709594e97}]

Save it to your Desktop (save as type to all files) as Remv.reg


Open Pocket KillBox and Copy&Paste these 2 entries below into the "Full Path of File to Delete"

C:\WINDOWS\System32\bjade.dll
C:\WINDOWS\System32\ojnapn.exe

Click the Red Circle with the White X in the Middle to Delete!


As you paste each in,place a tick by these selections

"Delete on Reboot"
"Unregister .dll before Deleting"

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Reboot into Safe Mode!

Run those files through Killbox again to ensure none survived,this time make these seelctions

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate the Reg File you made and doubleclick to execute-> Allow it to merge into the registry!

Restart Normal and Have the PC scanned here
http://www.freedom.n...viruscheck.html

Reboot.

Go to task manager (hit control>>alt>delete) and stop this process if is there:

C:\Program Files\Cas\Client\casclient.exe

Please run hijack this and put check marks next to these making sure no other windows are open.


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnapn.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<<resource hog (optional)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

Reboot into safe mode and find these folders and delete them.


C:\Program Files\Cas<<entire folder
C:\PROGRAM FILES\Aprps <<entire folder
C:\PROGRAM FILES\CasStub<<entire folder

Run Panda again and post the results here.

Run CleanUp! and tell me how it's running.

Edited by coachwife6, 01 August 2005 - 02:43 AM.

[cato1978]

Ok, that will take me a bit and I'm stepping out. I'll get it done this evening and post new logs and results. *crosses his fingers* Thanks again so much for your patience.

Cato

[coachwife6]

I'm having someone more familiar with the infection following this too. I will have her check it and add any changes beofre you get back tonight. Have fun.

[cato1978]

My Java does not have an update button. I took a screen shot to show you. I assume that by deleting java's temporary internet files you meant to delete the cache, so that's what I did. If I'm doing something wrong, please let me know, if that's fine the just give me the word and I'll continue following the directions that you've given me where I've left off.

One last question, There's a large block of info in the center of the directions that I wasn't sure what I was supposed to do with. It goes:

START QUOTE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnapn.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<<resource hog (optional)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

END QUOTE

If this bit of info is something I'm supposed to paste somewhere just tell me...thanks ya'll.

Below is the java photo.

Thanks,

Cato

[coachwife6]

There's a large block of info in the center of the directions that I wasn't sure what I was supposed to do with. It goes:

I added directions. I apologize. You are doing great.

[cato1978]

Sorry it's taking me so long, I'm still working on doing it but I've had a lot of class and work to bring home the last two days. I hope to have it completed Wednesday night with the results and reports. Thanks so much for your patience.

Cato