Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Desktop Trouble [CLOSED]

Started by Coruth , Aug 08 2005 10:11 PM

  • This topic is locked This topic is locked

#1
Coruth
Posted 08 August 2005 - 10:11 PM

Coruth

    New Member

  • Member
  • Pip
  • 3 posts
Winfixer has been popping up on my computer frequently and spysherriff just started tonight. I restarted my computer earlier and upon reboot it changed my background to a message saying "Your system is infected..(etc..)" I've tried adaware/smitrem/panda, but the problem hasnt been solved. The only thing that grants temporary relief is the smitrem file which lets me have my normal functionability, until restart or logging off..then it's back to the spysherriff deal. Here is my hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:55 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\adsnds37.exe
C:\WINDOWS\System32\dp-him.exe
C:\documents and settings\owner\local settings\temp\emscN.exe
C:\WINDOWS\system32\svhost32.exe
C:\windows\system32\YXt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\keyolss.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\lbralb.exe
C:\WINDOWS\system32\kd1redir.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\system32\symcsvc.exe
C:\winstall.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\vxgame2.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\vxgamet2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garveyproductions.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456F-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - {B8CD6E55-A607-53EF-DDD3-36ECB6B04B99} - C:\WINDOWS\Wzywglip.dll
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINDOWS\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINDOWS\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINDOWS\System32\ielcaabe.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {A63EF918-615D-378E-CCB8-37C549AB4132} - C:\WINDOWS\Wzywglip.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [gplbaitboobdoes] C:\Documents and Settings\All Users\Application Data\GRIMMEMOGPLBAIT\MathSoft.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [b14daff23b6c] C:\WINDOWS\System32\adsnds37.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [emscN] C:\documents and settings\owner\local settings\temp\emscN.exe
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\svhost32.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [YXt] C:\windows\system32\YXt.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [q39f3qO] keyolss.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lbralb.exe reg_run
O4 - HKCU\..\Run: [b0qpRki9e] kd1redir.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\vxh8jkdq2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123559049703
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24....ex/HMAtchmt.ocx
O21 - SSODL: System - {7631D6CB-DA0C-4C21-83C2-450B75DF36E4} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

Any advice would be appreciated, thank you :tazz:
  • 0

Advertisements

#2
Snickets
Posted 10 August 2005 - 03:26 PM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
Hello Coruth,

Welcome to GeekstoGo my name is Snickets and I will be helping you today!!!

Please print this page out or copy and paste this into a notepad so that you will have access to this while working offline.

Yes I see that you have run into some trouble let's take out the serious infections first and then work our way down the list.

Step 1- Downloading Necessary Programs

1.Please go here and download the free 30 day trial for trojan hunter. Install trojanhunter but do not run it yet.

2.Download smitRem.exe and save the file to your desktop.

3.Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

4.If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

5.Download DellDomains from here but do not run it yet.

Step 2 - The Fix

1.Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find the service moto.
Click once on the service to highlight it.
Click Stop
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.
***
Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name): moto
Click OK.
It should pull up information about the service, then ask if you want to reboot. Click YES.
***
2.Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
3.Once in safe mode run trojan hunter and do the following.
Push the full scan button at the top left hand corner of the program.
Then once the scan completes, please remove all trojans found on the system by checking the individual infections, then clicking on clean.

4.Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456F-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - {B8CD6E55-A607-53EF-DDD3-36ECB6B04B99} - C:\WINDOWS\Wzywglip.dll
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINDOWS\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINDOWS\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINDOWS\System32\ielcaabe.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - (no file)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {A63EF918-615D-378E-CCB8-37C549AB4132} - C:\WINDOWS\Wzywglip.dll
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [gplbaitboobdoes] C:\Documents and Settings\All Users\Application Data\GRIMMEMOGPLBAIT\MathSoft.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [b14daff23b6c] C:\WINDOWS\System32\adsnds37.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [emscN] C:\documents and settings\owner\local settings\temp\emscN.exe
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\svhost32.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [YXt] C:\windows\system32\YXt.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [q39f3qO] keyolss.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lbralb.exe reg_run
O4 - HKCU\..\Run: [b0qpRki9e] kd1redir.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\vxh8jkdq2.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O21 - SSODL: System - {7631D6CB-DA0C-4C21-83C2-450B75DF36E4} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe

After checking these entries CLOSE ALL open windows [browsers and programs] EXCEPT HijackThis and click "Fix Checked."
===================================================

5.Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

6.Open Ad-aware and do a full scan. Remove all it finds.

7.Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

8.Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into normal Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Now please run DellDomains.inf by doing the following.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Please rescan with hijack this and post a new log into this thread for me to continue the cleaning process.

Thank you,

Snickets

:tazz:
  • 0

#3
Snickets
Posted 18 August 2005 - 01:50 PM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
Snickets
Posted 19 August 2005 - 07:51 AM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
User has requested this thread be reopened, I have pasted the new log in here for easy review.



Logfile of HijackThis v1.99.1
Scan saved at 7:56:27 PM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ciles\fklimo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77217950-5848-1F49-DD8E-2AADDB98E2A8} - C:\WINDOWS\system32\hbpkoppx\lsjerycu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fklimo] C:\WINDOWS\system32\ciles\fklimo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: cikp.exe
O21 - SSODL: System - {7631D6CB-DA0C-4C21-83C2-450B75DF36E4} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
  • 0

#5
Snickets
Posted 19 August 2005 - 07:55 AM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
Hello Coruth,

1. Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
2. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

3. Please reboot into normal windows.

4. Please rescan with hijackthis and then post a fresh log in here for me to review, also please post the scan log from ewido so that I may review it as well.

Thank you,

Snickets

:tazz:
  • 0

#6
Coruth
Posted 21 August 2005 - 10:29 AM

Coruth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Here is my Ewido Log,

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:07:10 PM, 8/16/2005
+ Report-Checksum: 79D7FF4

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Ignored
HKLM\SOFTWARE\Classes\TypeLib\{09CA52B3-703C-4B17-9690-C13F736E3DCD} -> Dialer.Generic : Ignored
HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0273F826-C153-4293-A001-2412221726BC} -> Spyware.LZIO : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7F6828CA-9E42-462C-BC60-418C8144012C} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} -> Spyware.Clickspring : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{127ACE33-7EA8-45F0-8B55-EFE8B8068BEF} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6828CA-9E42-462C-BC60-418C8144012C} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb\ccc -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb\eee -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb\rrr -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb\ttt -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\hsb\www -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-10D6-4E5F-8F7F-29B32C1C0FC4} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-167B-41BC-95FF-86A07B14712C} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-2565-4C5B-A455-A74C8A2247AB} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-64C4-4A64-9767-895AB4921E41} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0000607D-D204-42C7-8E46-216055BF9918} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0199DF25-9820-4BD5-9FEE-5A765AB4371E} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{086CEFD5-A88D-4981-8915-D51F04360ED1} -> Spyware.TrafficHog : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8B224779-3B0E-4FEA-8AE1-B66C20DD840F} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -> Spyware.MidAddle : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-47C5-A90F-2CDE8F7638DB} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-10D6-4E5F-8F7F-29B32C1C0FC4} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-167B-41BC-95FF-86A07B14712C} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-2565-4C5B-A455-A74C8A2247AB} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-64C4-4A64-9767-895AB4921E41} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0000607D-D204-42C7-8E46-216055BF9918} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0026AD90-C86F-4269-97F3-DAB4897C6D06} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0199DF25-9820-4BD5-9FEE-5A765AB4371E} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{086CEFD5-A88D-4981-8915-D51F04360ED1} -> Spyware.TrafficHog : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6828CA-9E42-462C-BC60-418C8144012C} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B224779-3B0E-4FEA-8AE1-B66C20DD840F} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -> Spyware.MidAddle : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-2000478354-162531612-725345543-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
[1048] C:\WINDOWS\system32\whgjwhs.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
[1280] C:\WINDOWS\system32\lbralb.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
[1300] C:\WINDOWS\system32\whgjwhs.dll -> TrojanDownloader.Qoologic.n : Error during cleaning
[792] C:\WINDOWS\system32\kanok.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
:mozilla.10:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.12:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.14:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.21:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\w4qxrv72.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.9:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.28:C:\Documents and Settings\owner\Application Data\Phoenix\Profiles\default\654y2gsg.slt\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-dbb525f-41cf39d0.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\GetAccess.class-197aa512-1c1f18a3.class -> Trojan.ClassLoader.c : Cleaned with backup
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-3c42fb6b-5b9896ce.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-4b9315b5-5ba08112.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-6b57f17e-16d9c315.class -> Trojan.Java.Femad : Cleaned with backup
C:\RECYCLER\S-1-5-21-2000478354-162531612-725345543-1003\Dc3\backup-20050816-191144-701.dll -> TrojanDownloader.Vivia.f : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADBN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADTMI1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI50.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIB9894.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIC29667.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASID12180.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIE17070.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEZ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIF29819.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIF4502.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIFA15376.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIG21943.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIH21180.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIH7853.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIHD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASII21469.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIKAB2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIL18549.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASILS29399.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIM9740.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIMBC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIR21184.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIS24110.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIS31590.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIT17011.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIT26116.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIW11211.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\AUTOS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CASH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CW2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DEBT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DENT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FMND1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEAL5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEBE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOGAR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOMES3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INSUR4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MORT3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\OPPR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPEC1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPET.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TRVL4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TRVL6.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TV1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TVEN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TVEN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TVMX.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTONE3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\VENUE1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WEBS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WOMEN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WWW3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ZNETGP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\dhp2.dll -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2108.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2108.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\nxpqsuxe.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\sys2749.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys2750.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3737.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3741.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3744.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3745.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3746.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3747.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3748.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys3749.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4231.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4245.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4249.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys425.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys426.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys726.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys83.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys85.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\systb.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\110328.exe -> TrojanDropper.Small.abx : Cleaned with backup
C:\WINDOWS\system32\149531.exe -> TrojanDropper.Small.aad : Cleaned with backup
C:\WINDOWS\system32\64wu86rd.exe.tcf -> Spyware.F1Organizer : Cleaned with backup
C:\WINDOWS\system32\9300_up.exe -> Worm.Sasser.D : Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\system32\abirvalg32.dll -> TrojanProxy.Small.cn : Cleaned with backup
C:\WINDOWS\system32\adsnds37.exe.tcf -> Spyware.IEDriver : Cleaned with backup
C:\WINDOWS\system32\amstauth.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\WINDOWS\system32\augre.exe.tcf -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINDOWS\system32\axpfbho.exe -> Spyware.NoName.e : Cleaned with backup
C:\WINDOWS\system32\bKs.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\bo.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch : Cleaned with backup
C:\WINDOWS\system32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\date.exe -> Backdoor.SdBot.md : Cleaned with backup
C:\WINDOWS\system32\gawyebn.exe.tcf -> TrojanDownloader.Vivia.l : Cleaned with backup
C:\WINDOWS\system32\init32m.exe.tcf -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\istinstall_145938.exe.tcf -> TrojanDownloader.IstBar.er : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\mamma-ibis-ss.exe.tcf -> TrojanDownloader.Vivia.o : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\ms.exe -> TrojanDownloader.Vb.Cw : Cleaned with backup
C:\WINDOWS\system32\NDrv.exe.tcf -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\playa.exe -> Spyware.WinFetcher.b : Cleaned with backup
C:\WINDOWS\system32\protect1.exe.tcf -> Spyware.WinComm : Cleaned with backup
C:\WINDOWS\system32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\svhost32.exe -> TrojanProxy.Agent.cj : Cleaned with backup
C:\WINDOWS\system32\symcsvc.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\sztoice.exe.tcf -> TrojanDownloader.Apropo.k : Cleaned with backup
C:\WINDOWS\system32\thin-75-1-x-x.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\tmp.dat -> TrojanDownloader.Murlo.ar : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINDOWS\system32\vxgame2.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\vxgame3.exe.tcf -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\vxgame4.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Trojan.LowZones.y : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> TrojanDownloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\system32\ykaby.dat -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\yhiymkmj.exe -> Spyware.BookedSpace : Cleaned with backup


::Report End


And here is my HJT Log as of this morning:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:41 AM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\tsimc\yoqw.exe
C:\DOCUME~1\owner\LOCALS~1\Temp\cxte.exe
C:\DOCUME~1\owner\LOCALS~1\Temp\AdNW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\bkobjkxe\gxxau.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77217950-5848-1F49-DD8E-2AADDB98E2A8} - C:\WINDOWS\system32\hbpkoppx\lsjerycu.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fklimo] C:\WINDOWS\system32\ciles\fklimo.exe
O4 - HKLM\..\Run: [lmrem] C:\WINDOWS\system32\hqovra\lmrem.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [yoqw] C:\WINDOWS\system32\tsimc\yoqw.exe
O4 - HKLM\..\Run: [ffjwhhv] C:\WINDOWS\system32\xnysuox\ffjwhhv.exe
O4 - HKLM\..\Run: [gxxau] C:\WINDOWS\system32\bkobjkxe\gxxau.exe
O4 - HKLM\..\Run: [daha] C:\WINDOWS\system32\bffivn\daha.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\owner\LOCALS~1\Temp\cxte.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\owner\LOCALS~1\Temp\yucjr.exe
O4 - HKLM\..\Run: [WindowsAds] C:\DOCUME~1\owner\LOCALS~1\Temp\AdNW.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dsg4ds.exe reg_run
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\dlpcbeja.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O21 - SSODL: System - {7631D6CB-DA0C-4C21-83C2-450B75DF36E4} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: gxxaubkobjkxe - Unknown owner - C:\WINDOWS\system32\bkobjkxe\gxxau.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

TY again
  • 0

#7
Snickets
Posted 22 August 2005 - 01:09 PM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
Hello Coruth,

We seem to be moving into another infection, let's see if we can't get all the files at once and take out this little nasty.

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Thank you,

Snickets

:tazz:
  • 0

#8
Snickets
Posted 29 August 2005 - 12:58 PM

Snickets

    Visiting Staff

  • Member
  • PipPipPip
  • 425 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP