Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WinFixer Removal [resolved]

Started by beerman , Aug 12 2005 12:41 PM

  • This topic is locked This topic is locked

#1
beerman
Posted 12 August 2005 - 12:41 PM

beerman

    Member

  • Member
  • PipPipPip
  • 188 posts
As is the case with many others, I need help removing WinFixer. I have completed all the required steps before posting a hijackthis log.

Listed below are the ewido scan report and the hijackthis log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:38:30 PM, 8/12/2005
+ Report-Checksum: 9EBD8D3

+ Scan result:

[1056] VM_024E0000 -> Adware.BetterInternet : Error during cleaning
C:\WINNT\od-matr31.exe -> Dialer.Generic : Cleaned with backup
C:\WINNT\od-stnd567.exe -> Dialer.Generic : Cleaned with backup
C:\WINNT\jughit.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\brock\Cookies\brock@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 2:42:27 PM, on 8/12/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HiJack This\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:80
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINNT\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0803NetInstaller.exe"/BEFOREINSTALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [newbreed] KeywordFinder.exe
O4 - HKCU\..\Run: [LOPTCON] SYSTRAV.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123854203461
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dayton.Local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


Thanks for your help!
  • 0

Advertisements

#2
beerman
Posted 12 August 2005 - 02:39 PM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
I haven't seen any reply. If it helps, here is the most recent logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:51 PM, on 8/12/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Promon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\brock.DAYTON\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:80
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [WipeItOff] C:\Program Files\Browser Cleanser\browsercleanser.exe
O4 - HKCU\..\Run: [od-matr31] c:\program files\Webdialer\od-matr31.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123854203461
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dayton.Local
O19 - User stylesheet: c:\winnt\my.css (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Hope I can get some help. :tazz:
  • 0

#3
g2i2r4
Posted 25 August 2005 - 11:08 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Hi Beerman,

As promised in your topic under username 'beerman2' I'll help you on this computer too.

I'll post a reply later.
  • 0

#4
beerman
Posted 25 August 2005 - 12:00 PM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
g2i2r4:

Thanks for the follow up. Do I need to re-run the preliminary steps as I did on the date of my first post? It has been 2 weeks so who knows what else is on there. I also need to update to SP4 from SP2. Should I do that now or wait?

I look forward to your reply. :tazz:
  • 0

#5
g2i2r4
Posted 25 August 2005 - 04:36 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please post me a fresh HijackThis log. There's more then just winfixer in here.
  • 0

#6
beerman
Posted 26 August 2005 - 08:25 AM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
I have re-run CleanUp! and Ad-aware and then rebooted. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:07 AM, on 8/26/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Promon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\WinFixer 2005\wfx5.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJack This\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:80
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [WipeItOff] C:\Program Files\Browser Cleanser\browsercleanser.exe
O4 - HKCU\..\Run: [od-matr31] c:\program files\Webdialer\od-matr31.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123854203461
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dayton.Local
O19 - User stylesheet: c:\winnt\my.css (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

This one may take a little longer than the last. :tazz: It is running real slow.
Thanks for your help.
  • 0

#7
g2i2r4
Posted 26 August 2005 - 01:44 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I don't have any plans right now. :tazz:

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

On of the infections in there is a namechanger.
In the current HijackThis log posted here it's the line in red:

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe

There's a special way to remove it, but since the file changes names so often, the name we see here will have changed. We are looking for a random name (makes absolutly no sense), in the system32 folder.

So, I used this information:
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r


Download APT
Open apt and search in the window for the krzipo.
Open your C:\Windows\system32 folder and search for gfjqrgh.exe. Don't delete it yet, just leave the system32 folder open so you can see gfjqrgh.exe.
In apt again, Select krzipo and Click Kill3

Then immediately delete the bad file from your system32 folder.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

c:\program files\Webdialer\od-matr31.exe
C:\Program Files\WinFixer 2005\wfx5.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r

O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe

O4 - HKCU\..\Run: [od-matr31] c:\program files\Webdialer\od-matr31.exe -m

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12

O19 - User stylesheet: c:\winnt\my.css (file missing)

***

Use Windows Explorer to remove these folders:

C:\Program Files\WinFixer 2005\
c:\program files\Webdialer\

Close Windows Explorer when you are done.

***

Reboot back to normal mode.

***

Run Panda online scan.
Save the report in the end.

Post me the panda report and a fresh HijackThis log.
  • 0

#8
beerman
Posted 26 August 2005 - 02:41 PM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
:)

I don't see krzipo in the APT window nor can I find gfjqrgh.exe in C:\WINNT\system32. Here are some of the others that are listed in the APT window:

smss
csrss
lsass
mspmspsv
promon
ctfmon

Others appear to be legitimate.

Maybe I'm not understanding your instructions on what to look for. :tazz:
  • 0

#9
g2i2r4
Posted 26 August 2005 - 04:32 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
It's a nasty one.

In the HijackThis log you can find it because it looks like this one:
O4 - HKLM\..\Run: [krzipo] c:\winnt\system32\gfjqrgh.exe r

random name between the brackets, random filename and the r and the end.
  • 0

#10
beerman
Posted 29 August 2005 - 06:57 AM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
I see it in the HJT log. Is it going to look different in APT? As I understand your instructions "krizipo" and the system 32 filename will be different but the syntax will be similar. Is that right? :tazz: Is there any reason it wouldn't be showing up in the system 32 directory even though it shows up in HJT? Does the R at the end change the file type from an application to something else? I ask because I sorted the system 32 folder by file type to help in finding the file.
  • 0

Advertisements

#11
g2i2r4
Posted 29 August 2005 - 12:32 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
It changes names every once in a while.

It will remain in the c:\winnt\system32\ folder.

It will have a random name like gfjqrgh.exe

In the HijackThis log it will have a random process name, the one between the brackets.
And a random file name like gfjqrgh.exe

In APT it should look like the one in the HijackThis log unless it changed names.


Let's try it in another way.

Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

Update Ewido to the latest definitions.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

***

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

***

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

***

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

***

For a final cleanup, please run Ewido.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
  • 0

#12
beerman
Posted 30 August 2005 - 08:25 AM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
Here is the latest. On the re-boot after running Ad-aware I was not prompted to run on re-boot.

Here are the logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:30:11 AM, 8/30/2005
+ Report-Checksum: 3F842120

+ Scan result:

C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINNT\biysdaiou.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:34:38 AM, on 8/30/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Promon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\WinFixer 2005\wfx5.exe
C:\WINNT\System32\ctfmon.exe
C:\HiJack This\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:80
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [WipeItOff] C:\Program Files\Browser Cleanser\browsercleanser.exe
O4 - HKCU\..\Run: [od-matr31] c:\program files\Webdialer\od-matr31.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123854203461
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dayton.Local
O19 - User stylesheet: c:\winnt\my.css (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


Thanks again for your help. :tazz:
  • 0

#13
g2i2r4
Posted 30 August 2005 - 09:09 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

c:\program files\Webdialer\od-matr31.exe
C:\Program Files\WinFixer 2005\wfx5.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe

O4 - HKCU\..\Run: [od-matr31] c:\program files\Webdialer\od-matr31.exe -m

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\..\{590F35C5-8B3A-45F6-97D5-D15168EBA8D4}: NameServer = 69.50.176.198,85.255.112.12

O19 - User stylesheet: c:\winnt\my.css (file missing)

***

Use Windows Explorer to remove these folders:

C:\Program Files\WinFixer 2005\
c:\program files\Webdialer\

Close Windows Explorer when you are done.

***

Reboot back to normal mode.

***

Post me a fresh HijackThis log to check.
  • 0

#14
beerman
Posted 30 August 2005 - 09:51 AM

beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
:) Problems.

On final reboot back into normal mode the computer was extremely slow in bringing back the desktop (about 2 minutes). When it did, all icons were missing (the link was there but the image wasn't). Also, nothing worked. I opened task manager and nothing seemed to be running. When I did a restart, first "cftmon.exe" was shown to be shutting down and then "explorer.exe" hung and would not shut down. I again tried rebooting and the same thing happened.

I again brought the machine back up in safe mode and here is the HJT log (from safe mode):


Logfile of HijackThis v1.99.1
Scan saved at 11:52:46 AM, on 8/30/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\HiJack This\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server1:80
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKCU\..\Run: [WipeItOff] C:\Program Files\Browser Cleanser\browsercleanser.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123854203461
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dayton.Local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Also, webdialer did not appear in the HJT window and it seems that "solidconverterpdf" appears is several places.

Help! :tazz:
  • 0

#15
g2i2r4
Posted 30 August 2005 - 10:00 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you run a panda scan and post me the report?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP