Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Lost Outlook Exp and Norton AV auto protect


  • Please log in to reply

#1
mtsrunner

mtsrunner

    Member

  • Member
  • PipPip
  • 13 posts
Help! lost my settings on 8/4 and can't retrieve. Have run all malware programs and tried a system restore. Something has disabled my Norton AV auto-protect and has wiped away my MS Outlook Express account. This happened once before and a system restore corrected, but not this time. Here is my Hijack this log file:
Logfile of HijackThis v1.99.1
Scan saved at 2:25:04 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\rulakp.exe
C:\Program Files\Rebate Retriever\RebateRetriever.exe
C:\WINNT\etb\pokapoka62.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://server.person...8-42695AAD4341}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [_28599c] C:\WINNT\system32\_28599c.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [anmanl] C:\WINNT\system32\anmanl.exe
O4 - HKLM\..\Run: [asdlgr] C:\WINNT\system32\asdlgr.exe
O4 - HKLM\..\Run: [asradr] C:\WINNT\system32\asradr.exe
O4 - HKLM\..\Run: [ataD] C:\WINNT\system32\ataD.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [bchkb] C:\WINNT\system32\bchkb.exe
O4 - HKLM\..\Run: [bdbuk] C:\WINNT\system32\bdbuk.exe
O4 - HKLM\..\Run: [bdcrk] C:\WINNT\system32\bdcrk.exe
O4 - HKLM\..\Run: [bdesk] C:\WINNT\system32\bdesk.exe
O4 - HKLM\..\Run: [cbalqd] C:\WINNT\cbalqd.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexzn32.exe
O4 - HKLM\..\Run: [CIQTENUM] C:\WINNT\system32\CIQTENUM.exe
O4 - HKLM\..\Run: [ddenb32n] C:\WINNT\system32\ddenb32n.exe
O4 - HKLM\..\Run: [drmuxv] C:\WINNT\system32\drmuxv.exe
O4 - HKLM\..\Run: [esktopd] C:\WINNT\system32\esktopd.exe
O4 - HKLM\..\Run: [fc70um] C:\WINNT\system32\fc70um.exe
O4 - HKLM\..\Run: [fcsubsm] C:\WINNT\system32\fcsubsm.exe
O4 - HKLM\..\Run: [hares] C:\WINNT\system32\hares.exe
O4 - HKLM\..\Run: [hcpd] C:\WINNT\system32\hcpd.exe
O4 - HKLM\..\Run: [iasfw] C:\WINNT\system32\iasfw.exe
O4 - HKLM\..\Run: [icmgr10l] C:\WINNT\system32\icmgr10l.exe
O4 - HKLM\..\Run: [ingp] C:\WINNT\system32\ingp.exe
O4 - HKLM\..\Run: [inshfhcw] C:\WINNT\system32\inshfhcw.exe
O4 - HKLM\..\Run: [iskpartd] C:\WINNT\system32\iskpartd.exe
O4 - HKLM\..\Run: [jabber] C:\WINNT\system32\jabber.exe
O4 - HKLM\..\Run: [jcvsx] C:\WINNT\jcvsx.exe
O4 - HKLM\..\Run: [krodmh] C:\WINNT\krodmh.exe
O4 - HKLM\..\Run: [lastclnb] C:\WINNT\system32\lastclnb.exe
O4 - HKLM\..\Run: [le32o] C:\WINNT\system32\le32o.exe
O4 - HKLM\..\Run: [lsgiyhq] c:\winnt\system32\wvjesn.exe r
O4 - HKLM\..\Run: [mdl32c] C:\WINNT\system32\mdl32c.exe
O4 - HKLM\..\Run: [mmon32c] C:\WINNT\system32\mmon32c.exe
O4 - HKLM\..\Run: [mplocw] C:\WINNT\system32\mplocw.exe
O4 - HKLM\..\Run: [MSMsgN] C:\WINNT\system32\MSMsgN.exe
O4 - HKLM\..\Run: [mtorzqy] c:\winnt\system32\axygzro.exe r
O4 - HKLM\..\Run: [mvdmodw] C:\WINNT\system32\mvdmodw.exe
O4 - HKLM\..\Run: [ocatorl] C:\WINNT\system32\ocatorl.exe
O4 - HKLM\..\Run: [ontrolc] C:\WINNT\system32\ontrolc.exe
O4 - HKLM\..\Run: [oriconsm] C:\WINNT\system32\oriconsm.exe
O4 - HKLM\..\Run: [ourstartt] C:\WINNT\system32\ourstartt.exe
O4 - HKLM\..\Run: [pnmodemd] C:\WINNT\system32\pnmodemd.exe
O4 - HKLM\..\Run: [pousd07h] C:\WINNT\system32\pousd07h.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ryhqx] C:\WINNT\ryhqx.exe
O4 - HKLM\..\Run: [S3HttpI] C:\WINNT\system32\S3HttpI.exe
O4 - HKLM\..\Run: [sasrvl] C:\WINNT\system32\sasrvl.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [sctfimem] C:\WINNT\system32\sctfimem.exe
O4 - HKLM\..\Run: [sentutle] C:\WINNT\system32\sentutle.exe
O4 - HKLM\..\Run: [sg723m] C:\WINNT\system32\sg723m.exe
O4 - HKLM\..\Run: [sjet40m] C:\WINNT\system32\sjet40m.exe
O4 - HKLM\..\Run: [slabelst] C:\WINNT\system32\slabelst.exe
O4 - HKLM\..\Run: [smypicss] C:\WINNT\system32\smypicss.exe
O4 - HKLM\..\Run: [spmspm] C:\WINNT\system32\spmspm.exe
O4 - HKLM\..\Run: [stext40m] C:\WINNT\system32\stext40m.exe
O4 - HKLM\..\Run: [tfmonc] C:\WINNT\system32\tfmonc.exe
O4 - HKLM\..\Run: [tmsmgrn] C:\WINNT\system32\tmsmgrn.exe
O4 - HKLM\..\Run: [tNmBResC] C:\WINNT\system32\tNmBResC.exe
O4 - HKLM\..\Run: [trmdlls] C:\WINNT\system32\trmdlls.exe
O4 - HKLM\..\Run: [tsbas2wc] C:\WINNT\system32\tsbas2wc.exe
O4 - HKLM\..\Run: [uickTimeQ] C:\WINNT\system32\uickTimeQ.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [vrsfrn] C:\WINNT\system32\vrsfrn.exe
O4 - HKLM\..\Run: [vsvex] C:\WINNT\vsvex.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [vwrsesn] C:\WINNT\system32\vwrsesn.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [xeyaoh] c:\winnt\system32\yyhzmw.exe r
O4 - HKLM\..\Run: [mscin] C:\WINNT\system32\m190309.EXE
O4 - HKLM\..\Run: [a08cb8ca5c87] C:\WINNT\system32\avwav837.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rulakp.exe reg_run
O4 - HKLM\..\Run: [Rebate Retriever] C:\Program Files\Rebate Retriever\RebateRetriever.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.co....cab?10,0,910,0
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com..._1/axhomepr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Attached Files


Edited by mtsrunner, 05 August 2005 - 12:31 PM.

  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Download LQ fix from here: http://users.pandora...atchy/LQfix.zip
Run HijackThis and put check marks next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://server.person...8-42695AAD4341}

R3 - Default URLSearchHook is missing
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [_28599c] C:\WINNT\system32\_28599c.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [anmanl] C:\WINNT\system32\anmanl.exe
O4 - HKLM\..\Run: [asdlgr] C:\WINNT\system32\asdlgr.exe
O4 - HKLM\..\Run: [asradr] C:\WINNT\system32\asradr.exe
O4 - HKLM\..\Run: [ataD] C:\WINNT\system32\ataD.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [bchkb] C:\WINNT\system32\bchkb.exe
O4 - HKLM\..\Run: [bdbuk] C:\WINNT\system32\bdbuk.exe
O4 - HKLM\..\Run: [bdcrk] C:\WINNT\system32\bdcrk.exe
O4 - HKLM\..\Run: [bdesk] C:\WINNT\system32\bdesk.exe
O4 - HKLM\..\Run: [cbalqd] C:\WINNT\cbalqd.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexzn32.exe
O4 - HKLM\..\Run: [CIQTENUM] C:\WINNT\system32\CIQTENUM.exe
O4 - HKLM\..\Run: [ddenb32n] C:\WINNT\system32\ddenb32n.exe
O4 - HKLM\..\Run: [drmuxv] C:\WINNT\system32\drmuxv.exe
O4 - HKLM\..\Run: [esktopd] C:\WINNT\system32\esktopd.exe
O4 - HKLM\..\Run: [fc70um] C:\WINNT\system32\fc70um.exe
O4 - HKLM\..\Run: [fcsubsm] C:\WINNT\system32\fcsubsm.exe
O4 - HKLM\..\Run: [hares] C:\WINNT\system32\hares.exe
O4 - HKLM\..\Run: [hcpd] C:\WINNT\system32\hcpd.exe
O4 - HKLM\..\Run: [iasfw] C:\WINNT\system32\iasfw.exe
O4 - HKLM\..\Run: [icmgr10l] C:\WINNT\system32\icmgr10l.exe
O4 - HKLM\..\Run: [ingp] C:\WINNT\system32\ingp.exe
O4 - HKLM\..\Run: [inshfhcw] C:\WINNT\system32\inshfhcw.exe
O4 - HKLM\..\Run: [iskpartd] C:\WINNT\system32\iskpartd.exe
O4 - HKLM\..\Run: [jabber] C:\WINNT\system32\jabber.exe
O4 - HKLM\..\Run: [jcvsx] C:\WINNT\jcvsx.exe
O4 - HKLM\..\Run: [krodmh] C:\WINNT\krodmh.exe
O4 - HKLM\..\Run: [lastclnb] C:\WINNT\system32\lastclnb.exe
O4 - HKLM\..\Run: [le32o] C:\WINNT\system32\le32o.exe
O4 - HKLM\..\Run: [lsgiyhq] c:\winnt\system32\wvjesn.exe r
O4 - HKLM\..\Run: [mdl32c] C:\WINNT\system32\mdl32c.exe
O4 - HKLM\..\Run: [mmon32c] C:\WINNT\system32\mmon32c.exe
O4 - HKLM\..\Run: [mplocw] C:\WINNT\system32\mplocw.exe
O4 - HKLM\..\Run: [MSMsgN] C:\WINNT\system32\MSMsgN.exe
O4 - HKLM\..\Run: [mtorzqy] c:\winnt\system32\axygzro.exe r
O4 - HKLM\..\Run: [mvdmodw] C:\WINNT\system32\mvdmodw.exe
O4 - HKLM\..\Run: [ocatorl] C:\WINNT\system32\ocatorl.exe
O4 - HKLM\..\Run: [ontrolc] C:\WINNT\system32\ontrolc.exe
O4 - HKLM\..\Run: [oriconsm] C:\WINNT\system32\oriconsm.exe
O4 - HKLM\..\Run: [ourstartt] C:\WINNT\system32\ourstartt.exe
O4 - HKLM\..\Run: [pnmodemd] C:\WINNT\system32\pnmodemd.exe
O4 - HKLM\..\Run: [pousd07h] C:\WINNT\system32\pousd07h.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ryhqx] C:\WINNT\ryhqx.exe
O4 - HKLM\..\Run: [S3HttpI] C:\WINNT\system32\S3HttpI.exe
O4 - HKLM\..\Run: [sasrvl] C:\WINNT\system32\sasrvl.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [sctfimem] C:\WINNT\system32\sctfimem.exe
O4 - HKLM\..\Run: [sentutle] C:\WINNT\system32\sentutle.exe
O4 - HKLM\..\Run: [sg723m] C:\WINNT\system32\sg723m.exe
O4 - HKLM\..\Run: [sjet40m] C:\WINNT\system32\sjet40m.exe
O4 - HKLM\..\Run: [slabelst] C:\WINNT\system32\slabelst.exe
O4 - HKLM\..\Run: [smypicss] C:\WINNT\system32\smypicss.exe
O4 - HKLM\..\Run: [spmspm] C:\WINNT\system32\spmspm.exe
O4 - HKLM\..\Run: [stext40m] C:\WINNT\system32\stext40m.exe
O4 - HKLM\..\Run: [tfmonc] C:\WINNT\system32\tfmonc.exe
O4 - HKLM\..\Run: [tmsmgrn] C:\WINNT\system32\tmsmgrn.exe
O4 - HKLM\..\Run: [tNmBResC] C:\WINNT\system32\tNmBResC.exe
O4 - HKLM\..\Run: [trmdlls] C:\WINNT\system32\trmdlls.exe
O4 - HKLM\..\Run: [tsbas2wc] C:\WINNT\system32\tsbas2wc.exe
O4 - HKLM\..\Run: [uickTimeQ] C:\WINNT\system32\uickTimeQ.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [vrsfrn] C:\WINNT\system32\vrsfrn.exe
O4 - HKLM\..\Run: [vsvex] C:\WINNT\vsvex.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [vwrsesn] C:\WINNT\system32\vwrsesn.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [xeyaoh] c:\winnt\system32\yyhzmw.exe r
O4 - HKLM\..\Run: [mscin] C:\WINNT\system32\m190309.EXE
O4 - HKLM\..\Run: [a08cb8ca5c87] C:\WINNT\system32\avwav837.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rulakp.exe reg_run
O4 - HKLM\..\Run: [Rebate Retriever] C:\Program Files\Rebate Retriever\RebateRetriever.exe
O4 - HKLM\..\Run: [System service62] \pokapoka62.exe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Close all Open Windows and click "fix checked"
Boot into Safe Mode by rebooting your computer and tapping f8 during the boot process. Select Safe Mode when it prompts you.
Unzip the file, and run LQFix.bat
Next, Open up My Computer and delete the following files:
C:\WINNT\etb <= entire folder
C:\WINNT\system32\wintask.exe
C:\Program Files\VVSN <= entire folder
C:\WINNT\satmat.exe
C:\winnt\system32\elitexzn32.exe
C:\Program Files\Cas <= entire folder

Reboot and post a fresh HijackThis log

I would also like you to execute this command from the Start > Run dialog

regedit.exe /e C:\whatchanged.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

Doing so will c reate the file C:\whatchanged.txt
Post the content of that file as well.

Regards,
  • 0

#3
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I tried to do as you suggested, However, I was unable to delete the files beginning with "Host". I also ran into trouble when it came to opening My Computer and deleting the files you mentioned. I did a file search in My Computer and put in the file names and none of them were found. Last but not least, it would not let me execute the run command "regedit.exe......."so I'm unable to post the content of the file.

Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:26 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINNT\system32\rulakp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rulakp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.co....cab?10,0,910,0
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com..._1/axhomepr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Extremely frustrated,
mtsrunner :tazz:
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
First find this file:
C:\WINNT\System32\drivers\etc\hosts
rightclick it and rename it to hosts.bak

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file name below to the "Full Path for File to be Deleted" box

C:\WINNT\system32\rulakp.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rulakp.exe reg_run

Boot back to normal and update Ewido.
Run a full system scan and post the log.
Also post a new HijackThis log and let me know if you can use regedit.exe at all from the Run box, Command Prompt or by doubleclicking the file.
If neither works find and doubleclick C:\WINDOWS\system32\regedt32.exe and let me know what happens then.

Regards,
  • 0

#5
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Can't even get past the first step...computer will not let me rename that file, it says already in use. There apppears to be several backup files in the folder C:\WINNT\system32\drivers\etc\
for example:

hosts
hosts.20050716-102405.backup
hosts.20050724-204610.backup
...
hosts.20050805-002621.backup
hosts.new
lmhosts
networks
protocol
services

Could any of this be the problem????
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Yes. It might be.

Rightclick hosts without any extension and Open with... Notepad

Post the content.
Do the same for hosts.new and the most recent .backup

Also proceed with the second part of my previous post.
The Qoologic trojan should be independent of the hosts puzzle, but it's also something we want to get rid of asap.

Regards,
  • 0

#7
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is hosts:# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

And hosts.new:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

And my most recent .backup:


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch



I will wait for my next move...Thanks.
mtsrunner
  • 0

#8
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the full system scan log from Ewido after Killbox and booting in safe mode:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:06:19 PM, 8/7/2005
+ Report-Checksum: 15C545CF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76A-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
[1172] C:\Program Files\sder\dees.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkokmdjocp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\sder\dees.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065302.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065303.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065304.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065305.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065306.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP836\A0065307.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP837\A0065353.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP837\A0066293.exe -> Spyware.MediaTickets : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066305.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066306.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066307.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066332.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066358.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066359.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066385.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP838\A0066386.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066390.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066391.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066419.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066438.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066448.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP839\A0066449.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066453.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066454.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066483.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066502.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066529.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066530.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066557.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP841\A0066558.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066563.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066564.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066598.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066617.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066627.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP842\A0066628.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP843\A0066643.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP843\A0066645.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP843\A0066680.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP843\A0066697.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066724.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066726.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066751.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066768.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066791.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066792.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066804.exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066814.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0066815.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0067814.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0067815.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0067846.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP844\A0067847.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067854.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067855.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067929.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067941.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067951.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067952.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067963.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067964.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0067993.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0068003.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0068010.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0068011.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP845\A0068012.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP847\A0068138.exe -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\WINNT\system32\lѕ[bleep].exe -> Spyware.PurityScan : Cleaned with backup


::Report End

and here is the subsequent hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:16 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\Program Files\Rebate Retriever\RebateRetriever.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncua.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [_28599c] C:\WINNT\system32\_28599c.exe
O4 - HKLM\..\Run: [a08cb8ca5c87] C:\WINNT\system32\avwav837.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [anmanl] C:\WINNT\system32\anmanl.exe
O4 - HKLM\..\Run: [asdlgr] C:\WINNT\system32\asdlgr.exe
O4 - HKLM\..\Run: [asradr] C:\WINNT\system32\asradr.exe
O4 - HKLM\..\Run: [ataD] C:\WINNT\system32\ataD.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [bchkb] C:\WINNT\system32\bchkb.exe
O4 - HKLM\..\Run: [bdbuk] C:\WINNT\system32\bdbuk.exe
O4 - HKLM\..\Run: [bdcrk] C:\WINNT\system32\bdcrk.exe
O4 - HKLM\..\Run: [bdesk] C:\WINNT\system32\bdesk.exe
O4 - HKLM\..\Run: [cbalqd] C:\WINNT\cbalqd.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexzn32.exe
O4 - HKLM\..\Run: [chhuzc] C:\WINNT\system32\chhuzc.exe
O4 - HKLM\..\Run: [CIQTENUM] C:\WINNT\system32\CIQTENUM.exe
O4 - HKLM\..\Run: [ddenb32n] C:\WINNT\system32\ddenb32n.exe
O4 - HKLM\..\Run: [drmuxv] C:\WINNT\system32\drmuxv.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [esktopd] C:\WINNT\system32\esktopd.exe
O4 - HKLM\..\Run: [fc70um] C:\WINNT\system32\fc70um.exe
O4 - HKLM\..\Run: [fcsubsm] C:\WINNT\system32\fcsubsm.exe
O4 - HKLM\..\Run: [hares] C:\WINNT\system32\hares.exe
O4 - HKLM\..\Run: [hcpd] C:\WINNT\system32\hcpd.exe
O4 - HKLM\..\Run: [iasfw] C:\WINNT\system32\iasfw.exe
O4 - HKLM\..\Run: [icmgr10l] C:\WINNT\system32\icmgr10l.exe
O4 - HKLM\..\Run: [ingp] C:\WINNT\system32\ingp.exe
O4 - HKLM\..\Run: [inshfhcw] C:\WINNT\system32\inshfhcw.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [iskpartd] C:\WINNT\system32\iskpartd.exe
O4 - HKLM\..\Run: [jabber] C:\WINNT\system32\jabber.exe
O4 - HKLM\..\Run: [jcvsx] C:\WINNT\jcvsx.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [krodmh] C:\WINNT\krodmh.exe
O4 - HKLM\..\Run: [lastclnb] C:\WINNT\system32\lastclnb.exe
O4 - HKLM\..\Run: [le32o] C:\WINNT\system32\le32o.exe
O4 - HKLM\..\Run: [lsgiyhq] c:\winnt\system32\wvjesn.exe r
O4 - HKLM\..\Run: [mdl32c] C:\WINNT\system32\mdl32c.exe
O4 - HKLM\..\Run: [mmon32c] C:\WINNT\system32\mmon32c.exe
O4 - HKLM\..\Run: [mplocw] C:\WINNT\system32\mplocw.exe
O4 - HKLM\..\Run: [mqkwbc] C:\WINNT\system32\mqkwbc.exe
O4 - HKLM\..\Run: [mscin] C:\WINNT\system32\m190309.EXE
O4 - HKLM\..\Run: [MSMsgN] C:\WINNT\system32\MSMsgN.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [mtorzqy] c:\winnt\system32\axygzro.exe r
O4 - HKLM\..\Run: [mvdmodw] C:\WINNT\system32\mvdmodw.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ocatorl] C:\WINNT\system32\ocatorl.exe
O4 - HKLM\..\Run: [ontrolc] C:\WINNT\system32\ontrolc.exe
O4 - HKLM\..\Run: [oriconsm] C:\WINNT\system32\oriconsm.exe
O4 - HKLM\..\Run: [ourstartt] C:\WINNT\system32\ourstartt.exe
O4 - HKLM\..\Run: [pnmodemd] C:\WINNT\system32\pnmodemd.exe
O4 - HKLM\..\Run: [pousd07h] C:\WINNT\system32\pousd07h.exe
O4 - HKLM\..\Run: [Rebate Retriever] C:\Program Files\Rebate Retriever\RebateRetriever.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ryhqx] C:\WINNT\ryhqx.exe
O4 - HKLM\..\Run: [S3HttpI] C:\WINNT\system32\S3HttpI.exe
O4 - HKLM\..\Run: [saap] c:\winnt\saap.exe
O4 - HKLM\..\Run: [sasrvl] C:\WINNT\system32\sasrvl.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [sctfimem] C:\WINNT\system32\sctfimem.exe
O4 - HKLM\..\Run: [sentutle] C:\WINNT\system32\sentutle.exe
O4 - HKLM\..\Run: [sg723m] C:\WINNT\system32\sg723m.exe
O4 - HKLM\..\Run: [sjet40m] C:\WINNT\system32\sjet40m.exe
O4 - HKLM\..\Run: [slabelst] C:\WINNT\system32\slabelst.exe
O4 - HKLM\..\Run: [smypicss] C:\WINNT\system32\smypicss.exe
O4 - HKLM\..\Run: [spmspm] C:\WINNT\system32\spmspm.exe
O4 - HKLM\..\Run: [stext40m] C:\WINNT\system32\stext40m.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [SystemService] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [tfmonc] C:\WINNT\system32\tfmonc.exe
O4 - HKLM\..\Run: [tmsmgrn] C:\WINNT\system32\tmsmgrn.exe
O4 - HKLM\..\Run: [tNmBResC] C:\WINNT\system32\tNmBResC.exe
O4 - HKLM\..\Run: [trmdlls] C:\WINNT\system32\trmdlls.exe
O4 - HKLM\..\Run: [tsbas2wc] C:\WINNT\system32\tsbas2wc.exe
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [uickTimeQ] C:\WINNT\system32\uickTimeQ.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [vrsfrn] C:\WINNT\system32\vrsfrn.exe
O4 - HKLM\..\Run: [vsvex] C:\WINNT\vsvex.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [vwrsesn] C:\WINNT\system32\vwrsesn.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [xeyaoh] c:\winnt\system32\yyhzmw.exe r
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rulakp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Jirks] C:\WINNT\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.co....cab?10,0,910,0
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com..._1/axhomepr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I did not really understand what I was supposed to do regarding regedit.exe???

thanks again,
mtsrunner
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Let's first try and find out why regedit isnt working.

Open notepad and copy and paste the next part in bold into it:

type search.txt>>look.txt
del search.txt
dir %SystemDrive%\regedit.* /a h /s >> look.txt
start notepad look.txt


Save this as look.bat
Choose to save as all files and place it on your desktop.
Now doubleclick on look.bat and it will scan.
Notepad will open afterwards with some txt in it, so copy and paste this in your next reply.

Regards,
  • 0

#10
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Volume in drive C has no label.
Volume Serial Number is 70AB-5BF3

Directory of C:\I386

08/29/2002 09:00 AM 39,702 REGEDIT.CH_
08/29/2002 09:00 AM 134,144 REGEDIT.EXE
08/29/2002 09:00 AM 2,512 REGEDIT.HL_
3 File(s) 176,358 bytes

Directory of C:\WINNT

08/04/2004 03:56 AM 146,432 regedit.exe
1 File(s) 146,432 bytes

Directory of C:\WINNT\$NtServicePackUninstall$

08/29/2002 09:00 AM 134,144 regedit.exe
1 File(s) 134,144 bytes

Directory of C:\WINNT\Help

08/29/2002 09:00 AM 46,684 regedit.chm
08/29/2002 09:00 AM 12,886 regedit.hlp
2 File(s) 59,570 bytes

Directory of C:\WINNT\Prefetch

08/08/2005 07:59 AM 19,132 REGEDIT.EXE-1296D1F9.pf
1 File(s) 19,132 bytes

Directory of C:\WINNT\ServicePackFiles\i386

08/04/2004 03:56 AM 146,432 regedit.exe
1 File(s) 146,432 bytes
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Regedit.exe is present and the correct filesize.
There are no other files intercepting the command, so probably something wrong with the permissions.

Please do this:

Click Start > Run > copy&paste EXPLORER.EXE /n,/e,/select, C:\WINNT\system32\regedt32.exe

That will open your System32 folder with the file regedt32.exe selected.

Doubleclick that file and the registry-editor will open.
By clicking the + signs navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Once you have that selected click File > Export.

Name the file whatchanged.txt and post what is inside that file.

Regards,
  • 0

#12
mtsrunner

mtsrunner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
here it is:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091


Thanks,
mtsrunner
  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Good job. :tazz:

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP