Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Aurora ABI popups/rundll errors when booting [RESOLVED]

Started by LdyLuv , Jul 19 2005 07:46 PM

This topic is locked

#1
LdyLuv

Posted 19 July 2005 - 07:46 PM

Member

Member
10 posts

Hello there,

This is my first time trying this for PC help. I've spent the day going through the intial programs to fix and remove malware/spyware. When I get booted to my desktop I got 3 rundll errors from items that were deleted when using the intial list of programs before posting. Not sure if anyone is able to help me or not. So here is my hijackthis log. Any help is appreciated. PS just so you know I do not have any system restore disks.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:18 PM, on 7/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PCI Audio Applications\Bin\WDM\Full\Mixer.exe
C:\Program Files\cunm\sola.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NIP.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Tucker\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {30438EF1-6564-1EB7-6955-4B31B4CBFFEF} - C:\WINDOWS\System32\dpachj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnboob.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [miwgttp] c:\windows\system32\pczpqtn.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [_SystemBoot] C:\WINDOWS\Help\Help\services.exe
O4 - HKCU\..\Run: [fwmo] C:\PROGRA~1\COMMON~1\fwmo\fwmom.exe
O4 - HKCU\..\Run: [Inou] C:\Program Files\cunm\sola.exe
O4 - HKCU\..\Run: [Bnvzj] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks...itial/eztdl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121821414957
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Thanks for all help received

~Ldy~

#2
Buckeye_Sam

Posted 24 July 2005 - 10:27 AM

Malware Expert

Member
10,019 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
LdyLuv

Posted 24 July 2005 - 02:53 PM

Member

Topic Starter
Member
10 posts

Here you go a new HJT log. I don't seem to be having the ABI pop up problem but still have several dll errors when I boot to desktop. They are as followed:

Windows can not find C:Windows\Nail.exe. Make sure you typed the name correctly, and then try again. To search for a file, click Start button, and then click search.

Error Loading: "It's Blank" the specified module could not be found.

Error Loading: AUNPS2.DLL the specified module could not be found.

Error Loading: E6F1873B.DLL the specified module could not be found.

The HJT Log was done before clicking ok on those errors. So I hope they show for you to help me. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 4:43:03 PM, on 7/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\PCI Audio Applications\Bin\WDM\Full\Mixer.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE
C:\WINDOWS\System32\RunDLL32.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NIP.EXE
C:\Program Files\cunm\sola.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PC Cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {30438EF1-6564-1EB7-6955-4B31B4CBFFEF} - C:\WINDOWS\System32\dpachj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnboob.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [miwgttp] c:\windows\system32\pczpqtn.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [_SystemBoot] C:\WINDOWS\Help\Help\services.exe
O4 - HKCU\..\Run: [fwmo] C:\PROGRA~1\COMMON~1\fwmo\fwmom.exe
O4 - HKCU\..\Run: [Inou] C:\Program Files\cunm\sola.exe
O4 - HKCU\..\Run: [Bnvzj] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks...itial/eztdl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121821414957
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Thanks again,

Edited by LdyLuv, 24 July 2005 - 02:58 PM.

#4
Buckeye_Sam

Posted 24 July 2005 - 03:54 PM

Malware Expert

Member
10,019 posts

Those errors are actually good news! It means some of your problems are half fixed. Now we will fix all of your problems completely. :tazz:

First I need you to download and prepare some tools that we will need to remove the infection that you have.

Please make sure Ewido is fully updated.
- Launch ewido, there should be an icon on your desktop, double-click it.
- You will need to update ewido to the latest definition files.
  - On the left hand side of the main screen click update.
  - Then click on Start Update.
- The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display "Update successful")
- Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Please download CCleaner
Install it, but do not run it yet.
Please download Nailfix Utility
Save it to your desktop, but do not run it yet.

==============

Now that you have the right tools we can start fixing your problem.
Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

* if you have trouble getting into Safe mode go here for more info.

==============

Once in Safe mode, please follow these steps:

Please uninstall these programs by going to Control Panel -> Add/Remove Programs:

My Web Search
Wild Tangent
Double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Now open ewido and do a scan of your system.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now as the action.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {30438EF1-6564-1EB7-6955-4B31B4CBFFEF} - C:\WINDOWS\System32\dpachj.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnboob.exe reg_run
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [miwgttp] c:\windows\system32\pczpqtn.exe r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [_SystemBoot] C:\WINDOWS\Help\Help\services.exe
O4 - HKCU\..\Run: [fwmo] C:\PROGRA~1\COMMON~1\fwmo\fwmom.exe
O4 - HKCU\..\Run: [Inou] C:\Program Files\cunm\sola.exe
O4 - HKCU\..\Run: [Bnvzj] C:\WINDOWS\System32\j?vaw.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
Delete these files/folders, if found.

C:\WINDOWS\Nail.exe
C:\WINNT\svcproc.exe
C:\WINDOWS\System32\dpachj.dll
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\AUNPS2.DLL
C:\WINDOWS\System32\nsvsvc
C:\WINDOWS\System32\vidctrl
C:\WINDOWS\System32\jnboob.exe
C:\WINDOWS\System32\pczpqtn.exe
C:\WINDOWS\System32\j?vaw.exe
C:\WINDOWS\Help\Help\services.exe
C:\Program Files\WildTangent
C:\Program Files\cunm
C:\Program Files\\MYWEBSEARCH
C:\PROGRAM FILES\COMMON FILES\fwmo
Now run CCleaner.
- Uncheck "Cookies" under "Internet Explorer".
- If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan by using Add Reply

#5
LdyLuv

Posted 24 July 2005 - 11:13 PM

Member

Topic Starter
Member
10 posts

Hi Sam,

Just finished the list. I noticed that some of the items I needed to check didn't show up in safe mode but I saw on HJT log. I just got a pop up from ewido about an infection sola.exe. Is that something we can get rid of? However I did not get any DLL errors.

Ok new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:03:51 AM, on 7/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NIP.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\PCI Audio Applications\Bin\WDM\Full\Mixer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCOD.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\cclaw.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PC Cleaners\HijackThis.exe
C:\Program Files\cunm\sola.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [_SystemBoot] C:\WINDOWS\Help\Help\services.exe
O4 - HKCU\..\Run: [fwmo] C:\PROGRA~1\COMMON~1\fwmo\fwmom.exe
O4 - HKCU\..\Run: [Inou] C:\Program Files\cunm\sola.exe
O4 - HKCU\..\Run: [Bnvzj] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks...itial/eztdl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121821414957
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

ewido log
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:01:26 AM, 7/25/2005
+ Report-Checksum: 103BD079

+ Scan result:

C:\Documents and Settings\Tucker\Cookies\tucker@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tucker\Cookies\tucker@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Tucker\Local Settings\Temp\!update.exe -> TrojanDownloader.Agent.df : Cleaned with backup
C:\Program Files\cunm\sola.exe -> TrojanDownloader.Agent.df : Cleaned with backup
C:\RECYCLER\NPROTECT\00099787.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099788.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099789.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099807.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099808.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099809.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099811.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099814.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099815.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099816.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099818.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099819.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00099820.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\WINDOWS\cbarlzdzbl.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\system32\dshllhs.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup

::Report End

You've been the best help :tazz:

Thanks so much

#6
Buckeye_Sam

Posted 25 July 2005 - 06:18 PM

Malware Expert

Member
10,019 posts

We're getting there. :tazz:

Still a few more hanging around though.

Please make sure that you can VIEW ALL HIDDEN FILES.

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [_SystemBoot] C:\WINDOWS\Help\Help\services.exe
O4 - HKCU\..\Run: [fwmo] C:\PROGRA~1\COMMON~1\fwmo\fwmom.exe
O4 - HKCU\..\Run: [Inou] C:\Program Files\cunm\sola.exe
O4 - HKCU\..\Run: [Bnvzj] C:\WINDOWS\System32\j?vaw.exe

Please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

* if you have trouble getting into Safe mode go here for more info.

Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\Help\Help\services.exe
C:\Program Files\Common Files\fwmo
C:\Program Files\cunm

Reboot your computer to go back to normal mode.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

dir C:\WINDOWS\System32\j?vaw.exe /a h > files.txt
notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text in your next reply.

Please run at least two of these online scans.
Make sure they are set to clean automatically

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.

Reboot and post a new hijackthis log, the log from find.bat, and the info from your virus scans.

#7
LdyLuv

Posted 26 July 2005 - 12:00 PM

Member

Topic Starter
Member
10 posts

Okies... Here are the reports you asked for.

New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:45 PM, on 7/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\PCI Audio Applications\Bin\WDM\Full\Mixer.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NIP.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\cclaw.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\Documents and Settings\Tucker\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks...itial/eztdl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121821414957
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Volume in drive C is Windows-XP
Volume Serial Number is 400B-1D1D

Directory of C:\WINDOWS\System32

07/13/2005 04:03 PM 401,408 j?vaw.exe
1 File(s) 401,408 bytes

Directory of C:\Documents and Settings\Tucker\Desktop

Bit Defender Report

BitDefender Online Scanner

Scan report generated at: Tue, Jul 26, 2005 - 01:14:17

Scan path: A:\;C:\;D:\;E:\;

Statistics

Time
02:48:31

Files
192549

Folders
5376

Boot Sectors
2

Archives
1207

Packed Files
26071

Results

Identified Viruses
15

Infected Files
48

Suspect Files
1

Warnings
0

Disinfected
0

Deleted Files
49

Engines Info

Virus Definitions
196867

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Downloads\Install_AIM.exe=>wise0038=>wise0008
Detected with: Adware.Wheaterbug.A

C:\Downloads\Install_AIM.exe=>wise0038=>wise0008
Disinfection failed

C:\Downloads\Install_AIM.exe=>wise0038=>wise0008
Deleted

C:\Downloads\Install_AIM.exe=>wise0038
Update failed

C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
Detected with: Adware.Wheaterbug.A

C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
Disinfection failed

C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
Deleted

C:\Program Files\AIM\Sysfiles\WxBug.EXE
Update failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP404\A0105118.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP404\A0105118.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP404\A0105118.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP418\A0106877.exe
Suspected of: Dropped:Trojan.Downloader.Gen

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP418\A0106877.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP418\A0106877.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP423\A0111355.exe
Infected with: Trojan.Downloader.2669.B

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP423\A0111355.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP423\A0111355.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114867.dll
Infected with: Trojan.Downloader.Qoologic.P

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114867.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114871.exe
Infected with: Trojan.Dloader.OT

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114871.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114871.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114878.dll
Infected with: Trojan.Clicker.Small.EZ

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114878.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP434\A0114878.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP436\A0116112.exe=>wise0008
Infected with: Trojan.Downloader.TSUpdate.J

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP436\A0116112.exe=>wise0008
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP436\A0116112.exe
Update failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116174.exe
Infected with: Trojan.Downloader.TSUpdate.K

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116174.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116175.exe
Infected with: Trojan.Downloader.TSUpdate.J

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116175.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116176.exe
Infected with: Trojan.Downloader.Tsupdate.L

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116176.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116176.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116251.exe
Infected with: Trojan.Downloader.TSUpdate.J

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116251.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116252.exe
Infected with: Trojan.Downloader.Tsupdate.L

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116252.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116252.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116273.exe
Infected with: Trojan.Downloader.TSUpdate.K

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP437\A0116273.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP438\A0116367.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP438\A0116367.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP438\A0116367.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117440.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117440.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117440.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117460.exe
Infected with: Trojan.Downloader.2669.B

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117460.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117460.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117465.exe
Infected with: Trojan.Downloader.2669.B

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117465.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117465.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117466.exe
Infected with: Trojan.Downloader.2669.B

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117466.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP440\A0117466.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119512.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119512.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119512.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119532.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119532.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP441\A0119532.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP442\A0119577.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP442\A0119577.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP442\A0119577.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP443\A0120569.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP443\A0120569.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP443\A0120569.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP444\A0121569.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP444\A0121569.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP444\A0121569.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121601.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121601.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121601.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121618.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121618.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121618.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121645.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121645.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121645.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121646.exe
Infected with: Trojan.Downloader.Adload.A

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121646.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121646.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121658.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121658.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP445\A0121658.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121703.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121703.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121703.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121736.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121736.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121736.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121757.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121757.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0121757.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0122760.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0122760.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0122760.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123763.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123763.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123763.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123783.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123783.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0123783.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124071.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124071.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124075.exe
Infected with: Trojan.Imiserv.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124075.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124075.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124079.exe
Infected with: Trojan.Downloader.Intexp.C

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124079.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124079.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124089.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124089.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124104.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124104.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124104.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124111.exe
Infected with: Trojan.Agent.AY

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124111.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124157.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124157.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124157.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124158.dll
Detected with: Adware.Look2me.AG

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124158.dll
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124158.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124159.dll
Infected with: Trojan.Downloader.Qoologic.P

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124159.dll
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124161.exe
Infected with: Trojan.Dloader.OT

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124161.exe
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124161.exe
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124171.DLL
Infected with: Trojan.Clicker.Small.EZ

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124171.DLL
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124171.DLL
Deleted

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124173.DLL
Infected with: Trojan.Downloader.Braidupdate.D

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124173.DLL
Disinfection failed

C:\System Volume Information\_restore{E9A2D0CD-B510-4BC6-9DB2-7D7F179FC89D}\RP446\A0124173.DLL
Deleted

C:\WINDOWS\trebates.exe
Infected with: Dropped:Application.ProcKill.Jk

C:\WINDOWS\trebates.exe
Disinfection failed

C:\WINDOWS\trebates.exe
Deleted

Panda Virus Scan Report:

Incident Status Location

Adware:adware/purityscan No disinfected C:\DOCUMENTS AND SETTINGS\TUCKER\LOCAL SETTINGS\TEMP\!update.exe
Adware:adware/mywebsearch No disinfected C:\DOCUMENTS AND SETTINGS\TUCKER\START MENU\PROGRAMS\STARTUP\MyWebSearch Email Plugin.lnk
Spyware:spyware/bridge No disinfected C:\WINDOWS\SYSTEM32\bridge.txt
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Adware:adware/twain-tech No disinfected C:\WINDOWS\satmat.ini
Adware:adware/transponder No disinfected C:\DOCUMENTS AND SETTINGS\TUCKER\LOCAL SETTINGS\TEMP\DrTemp
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Spyware:spyware/betterinet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TMU
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Adware:adware/aurora No disinfected HKEY_CURRENT_USER\SOFTWARE\AURORA
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/sqwire No disinfected HKEY_CURRENT_USER\SOFTWARE\TSL2
Adware:adware/myway No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MYWAYTOOLBAR.SETTINGSPLUGIN
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:adware/blazefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\RUNDLL
Adware:adware/seeqbar No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{34A44FCF-50E3-63A5-A8DA-7835752B9571}
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Adware:Adware/PurityScan No disinfected C:\PC Cleaners\backups\backup-20050725-001454-175.dll
Adware:Adware/Sqwire No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041126122747.zip[classify.dll]
Adware:Adware/Sqwire No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20041126122747.zip[tsuninst.exe]
Virus:W32/Sober.V.worm Disinfected C:\WINDOWS\Connection Wizard\Status\packed1.sbr
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\pukvv.dat
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
I can't believe that I've still finding stuff on my system... Look forward to getting the set of instructions. BTW is there any way to remove the restore files from my system? I just wonder if those restore points could be reinfecting my system. :tazz:

Edited by LdyLuv, 26 July 2005 - 12:27 PM.

#8
Buckeye_Sam

Posted 26 July 2005 - 01:43 PM

Malware Expert

Member
10,019 posts

Let's just turn off System Restore now and then once you are clean you can flush it again and set a new restore point.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

=========

Fix these lines with Hijackthis.

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

=========

Find this file and delete it. The ? could represent any character, but the file is around 401kb and is dated 7/13/05.

C:\WINDOWS\System32\j?vaw.exe

Delete these folders:

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer

=========

Run CCleaner to remove temp files.

=========

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TMU]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER]

[-HKEY_CURRENT_USER\SOFTWARE\AURORA]

[-HKEY_CURRENT_USER\SOFTWARE\CAS]

[-HKEY_CURRENT_USER\SOFTWARE\TSL2]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MYWAYTOOLBAR.SETTINGSPLUGIN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{34A44FCF-50E3-63A5-A8DA-7835752B9571}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
- C:\DOCUMENTS AND SETTINGS\TUCKER\START MENU\PROGRAMS\STARTUP\MyWebSearch Email Plugin.lnk
  C:\WINDOWS\SYSTEM32\bridge.txt
  C:\WINDOWS\SYSTEM32\guard.tmp
  C:\WINDOWS\SYSTEM32\stlb2.xml
  C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
  C:\WINDOWS\INF\alchem.inf
  C:\WINDOWS\cfgmgr52.ini
  C:\WINDOWS\msbb.exe.temp
  C:\WINDOWS\satmat.ini
  C:\WINDOWS\inf\conscorr.inf
  C:\WINDOWS\inf\polall1r.inf
  C:\WINDOWS\inf\satmat.inf
  C:\WINDOWS\system32\pukvv.dat
  C:\WINDOWS\system32\Shex.exe
Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

Hang in there, we're getting close to the end. :tazz:

I need to see a different log to check for another infection that showed in up in your virus scan log.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#9
LdyLuv

Posted 26 July 2005 - 02:58 PM

Member

Topic Starter
Member
10 posts

Finished that list... however when I was running option #1 I kept messages about .DLL not running but I selected ignore on all of them instead of close. So this is the log that I got afterwards.

L2mfix Log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{27793554-43B1-3BAA-D96E-AEA3CDE97E76}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{aec64940-59e9-11cf-b3ef-00805f1408f3}"="Asset Storage CopyHook Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aý Context Menu Shell Extension"
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}"="Target Finder Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C is Windows-XP
Volume Serial Number is 400B-1D1D

Directory of C:\WINDOWS\System32

07/19/2005 09:10 PM <DIR> dllcache
10/25/2004 03:57 PM <DIR> Microsoft
06/21/2004 06:35 PM 32 {88F13222-9B7E-4E33-89E9-CCFD2F6750A2}.dat
06/21/2004 06:35 PM 32 {0DAF22B0-6E1D-4EAE-8179-FD1056C62F78}.dat
06/21/2004 06:35 PM 32 {F70AB84E-E4AA-432E-9A36-37D3FBAA5DBF}.dat
06/21/2004 06:35 PM 32 {62612652-BEA6-4060-880E-5CC3A7DF8289}.dat
4 File(s) 128 bytes
2 Dir(s) 23,435,603,968 bytes free

#10
Buckeye_Sam

Posted 26 July 2005 - 04:15 PM

Malware Expert

Member
10,019 posts

Good, that log came back clean. Please post a new hijackthis log.

How are things running on your end?

#11
LdyLuv

Posted 26 July 2005 - 04:36 PM

Member

Topic Starter
Member
10 posts

Here's the new log. Well so far so good with my system. Looks like even my CPU usage isn't stuck at 100%. How long should I wait until I restart my restore points?

Logfile of HijackThis v1.99.1
Scan saved at 6:32:38 PM, on 7/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NIP.EXE
C:\Program Files\PCI Audio Applications\Bin\WDM\Full\Mixer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\cclaw.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Tucker\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks...itial/eztdl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121821414957
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\StompSoft\Virus X-terminator\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\StompSoft\Virus X-terminator\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\StompSoft\Virus X-terminator\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

You've been great with helping me. :tazz:

Can the programs I D/L to fix this be uninstalled after a clean bill of health?

Edited by LdyLuv, 26 July 2005 - 04:40 PM.

#12
Buckeye_Sam

Posted 26 July 2005 - 06:02 PM

Malware Expert

Member
10,019 posts

Your log is clean! :tazz:

You can turn System Restore back on and set a new restore point now. Here's some other preventative measures that you can take.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

#13
Buckeye_Sam

Posted 26 July 2005 - 06:05 PM

Malware Expert

Member
10,019 posts

Yes, you can certainly delete nailfix and uninstall CCleaner and Ewido now if you wish. Although I do want to let you know that Ewido is an outstanding program that will detect and remove a lot of malware that your antivirus program will not.

#14
Buckeye_Sam

Posted 07 August 2005 - 07:46 PM

Malware Expert

Member
10,019 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.