Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfixer 2005 [RESOLVED]

Started by clemsongal2984 , Aug 12 2005 04:32 PM

  • This topic is locked This topic is locked

#1
clemsongal2984
Posted 12 August 2005 - 04:32 PM

clemsongal2984

    New Member

  • Member
  • Pip
  • 7 posts
I'm having a lot of trouble with winfixer 2005. It keeps downloading itself onto my computer and won't go away!! I have tried adaware, updating my Windows XP, and ewido. Nothing is helping! Any help would be GREATLY appreciated!! :tazz: Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:23:46 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\system32\sfbiuuu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harriet Spires.000\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {4E61BA3A-4AEE-AF4A-DB24-20564BFDFB94} - C:\WINDOWS\system32\sdkbmmsp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [l] C:\WINDOWS\System32\cqmxrk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ else if (window.onl] c:\WINDOWS\System32\ else if (window.onload)
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ else
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [function SafeOnlo] c:\WINDOWS\System32\function SafeOnload()
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [function isInt(nu] c:\WINDOWS\System32\function isInt(numIn)
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [ return !isNaN(checkn] c:\WINDOWS\System32\ return !isNaN(checknum);
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [ if (gPopupWindow.CheckFrequenc] c:\WINDOWS\System32\ if (gPopupWindow.CheckFrequency())
O4 - HKLM\..\Run: [function PUW_Sh] c:\WINDOWS\System32\function PUW_Show()
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ if (! this.on] c:\WINDOWS\System32\ if (! this.ontop)
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\WINDOWS\System32\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ var allCookies = document.coo] c:\WINDOWS\System32\ var allCookies = document.cookie;
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ var freqStr = allCookies.substring(start+9,e] c:\WINDOWS\System32\ var freqStr = allCookies.substring(start+9,end);
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ this.frequency = parseInt(freqS] c:\WINDOWS\System32\ this.frequency = parseInt(freqStr);
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ else
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ var exp = new Dat] c:\WINDOWS\System32\ var exp = new Date();
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [ return shouldS] c:\WINDOWS\System32\ return shouldShow;
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [ this.width = wi] c:\WINDOWS\System32\ this.width = width;
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.top = screen.availHeight/2 - height/2; // ce] c:\WINDOWS\System32\ this.top = screen.availHeight/2 - height/2; // center
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.url = ] c:\WINDOWS\System32\ this.url = url;
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.frequency = 1; // how many times show per renewal time pe] c:\WINDOWS\System32\ this.frequency = 1; // how many times show per renewal time period
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.scrollbars= fa] c:\WINDOWS\System32\ this.scrollbars= false;
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.statusbar= fa] c:\WINDOWS\System32\ this.statusbar= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.locationbar = fa] c:\WINDOWS\System32\ this.locationbar = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.ontop = fa] c:\WINDOWS\System32\ this.ontop = false;
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.Show = PUW_S] c:\WINDOWS\System32\ this.Show = PUW_Show;
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [function PUWSta] c:\WINDOWS\System32\function PUWStart()
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\WINDOWS\System32\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\WINDOWS\System32\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\WINDOWS\System32\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\WINDOWS\System32\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [A:hover {background: #FFCC00; color: bla] c:\WINDOWS\System32\A:hover {background: #FFCC00; color: black;}
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKLM\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKCU\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKCU\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKCU\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKCU\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKCU\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKCU\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKCU\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKCU\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKCU\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKCU\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKCU\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKCU\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKCU\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKCU\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKCU\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKCU\..\Run: [window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo....plorer1_8us.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Harriet Spires\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0410.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

Advertisements

#2
greyknight17
Posted 12 August 2005 - 04:53 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Oh my, that's hard to read. I have highlighted some of the HijackThis fixes in red to make them stand out. Fix everything I bolded, but make sure you don't miss those red entries also. If you can't find it, don't worry. I should catch it again if it's not removed.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...&c=3c01&lc=0409
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {4E61BA3A-4AEE-AF4A-DB24-20564BFDFB94} - C:\WINDOWS\system32\sdkbmmsp.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [l] C:\WINDOWS\System32\cqmxrk.exe
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ else if (window.onl] c:\WINDOWS\System32\ else if (window.onload)
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ else
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [function SafeOnlo] c:\WINDOWS\System32\function SafeOnload()
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [function isInt(nu] c:\WINDOWS\System32\function isInt(numIn)
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [ return !isNaN(checkn] c:\WINDOWS\System32\ return !isNaN(checknum);
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [ if (gPopupWindow.CheckFrequenc] c:\WINDOWS\System32\ if (gPopupWindow.CheckFrequency())
O4 - HKLM\..\Run: [function PUW_Sh] c:\WINDOWS\System32\function PUW_Show()
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ if (! this.on] c:\WINDOWS\System32\ if (! this.ontop)
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\WINDOWS\System32\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ var allCookies = document.coo] c:\WINDOWS\System32\ var allCookies = document.cookie;
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ var freqStr = allCookies.substring(start+9,e] c:\WINDOWS\System32\ var freqStr = allCookies.substring(start+9,end);
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ this.frequency = parseInt(freqS] c:\WINDOWS\System32\ this.frequency = parseInt(freqStr);
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ else
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ var exp = new Dat] c:\WINDOWS\System32\ var exp = new Date();
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [ return shouldS] c:\WINDOWS\System32\ return shouldShow;
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [ this.width = wi] c:\WINDOWS\System32\ this.width = width;
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.top = screen.availHeight/2 - height/2; // ce] c:\WINDOWS\System32\ this.top = screen.availHeight/2 - height/2; // center
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.url = ] c:\WINDOWS\System32\ this.url = url;
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.frequency = 1; // how many times show per renewal time pe] c:\WINDOWS\System32\ this.frequency = 1; // how many times show per renewal time period
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.scrollbars= fa] c:\WINDOWS\System32\ this.scrollbars= false;
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.statusbar= fa] c:\WINDOWS\System32\ this.statusbar= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.locationbar = fa] c:\WINDOWS\System32\ this.locationbar = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.ontop = fa] c:\WINDOWS\System32\ this.ontop = false;
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.Show = PUW_S] c:\WINDOWS\System32\ this.Show = PUW_Show;
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [function PUWSta] c:\WINDOWS\System32\function PUWStart()
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\WINDOWS\System32\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\WINDOWS\System32\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\WINDOWS\System32\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\WINDOWS\System32\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [A:hover {background: #FFCC00; color: bla] c:\WINDOWS\System32\A:hover {background: #FFCC00; color: black;}
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKLM\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKCU\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\<title>advertisement</title>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffffff">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKCU\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\<script language="javascript" type="text/javascript">
O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKCU\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers?1:0;
O4 - HKCU\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKCU\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKCU\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKCU\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKCU\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKCU\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKCU\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKCU\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKCU\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKCU\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKCU\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKCU\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKCU\..\Run: [window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL2, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL, 'gatorWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Harriet Spires\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Uninstall WildTangent from the Add/Remove panel.

Locate and delete the following:

C:\WINDOWS\system32\sfbiuuu.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\dsr.dll
C:\WINDOWS\system32\sdkbmmsp.dll
C:\WINDOWS\System32\cqmxrk.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\farmmext.ini
C:\Program Files\WildTangent\
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
C:\Program Files\WinFixer 2005\
c:\WINDOWS\System32\NS2Ch=0 - you probably won't find this
C:\WINDOWS\svcproc.exe

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.
  • 0

#3
clemsongal2984
Posted 13 August 2005 - 11:20 AM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
How do I "unzip" the contents? Thanks!

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.
  • 0

#4
clemsongal2984
Posted 13 August 2005 - 02:35 PM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Nevermind about the previous post. I figured it out.

Here is the FindIt's log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 08/13/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\IAGOLD.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is B417-2713

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is B417-2713

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:59 PM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harriet Spires.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo....plorer1_8us.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0410.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Here is the Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:09:05 PM, 8/13/2005
+ Report-Checksum: 9D4B61E4

+ Scan result:

C:\Documents and Settings\Harriet Spires.000\Local Settings\Application Data\Wildtangent\Cdacache\00\00\19.dat/wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP724\A0238190.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP740\A0243334.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP741\A0243372.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP741\A0243401.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP741\A0243471.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243483.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243484.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243485.exe -> Spyware.Downloadware : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243486.DLL -> Spyware.MediaPops : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243487.DLL -> Spyware.MediaPops : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243488.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243489.exe -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243492.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243493.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243494.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243495.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243496.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243497.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243498.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243499.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP742\A0243500.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP744\A0243697.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP744\A0243711.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP744\A0243713.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP745\A0243723.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP745\A0243724.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP745\A0243796.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP745\A0243801.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\flfepxndf.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
  • 0

#5
greyknight17
Posted 13 August 2005 - 03:37 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on nwws2nds.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\Harriet Spires.000\Local Settings\Application Data\Wildtangent\
C:\WINDOWS\System32\IAGOLD.EXE

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#6
clemsongal2984
Posted 13 August 2005 - 08:37 PM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
When I tried to check and fix the following items within HijackThis, I received this message: "Unexpected error occurred! Error #54 (Bad file name or number) in Sub GetLongPath (></iframe>');exe). Please send a report to [email protected] mentioning what you were doing and what versions of Windows you have. This message has been copied to your clipboard." This message appeared for each of the following items:

O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32
\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width
="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System3
2\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>

I also searched and could not find anything remaining of WildTangent.

Here is the new HijackTHis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:46 PM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Webshots\WebshotsTray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Documents and Settings\Harriet Spires.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[0] = window.onl] c:\WINDOWS\System32\ gSafeOnload[0] = window.onload;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo....plorer1_8us.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0410.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • 0

#7
greyknight17
Posted 14 August 2005 - 01:51 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, do this:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

regedit /e c:\1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e c:\2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
copy c:\1.txt+c:\2.txt c:\3.txt
del c:\1.txt
del c:\2.txt
notepad c:\3.txt
del c:\3.txt
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
  • 0

#8
clemsongal2984
Posted 14 August 2005 - 02:15 PM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok I did that. Here is what came up in Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"WorksFUD"=""
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"S3TRAY2"="S3tray2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
" gSafeOnload[gSafeOnload.length] "=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,\
00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,09,00,09,00,67,00,53,00,61,00,66,00,65,00,4f,00,6e,00,6c,00,6f,\
00,61,00,64,00,5b,00,67,00,53,00,61,00,66,00,65,00,4f,00,6e,00,6c,00,6f,00,\
61,00,64,00,2e,00,6c,00,65,00,6e,00,67,00,74,00,68,00,5d,00,20,00,3d,00,20,\
00,66,00,3b,00,00,00
" gSafeOnload[0] = window.onl"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,\
00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,09,00,09,00,09,00,67,00,53,00,61,00,66,00,65,00,4f,00,6e,00,6c,00,6f,\
00,61,00,64,00,5b,00,30,00,5d,00,20,00,3d,00,20,00,77,00,69,00,6e,00,64,00,\
6f,00,77,00,2e,00,6f,00,6e,00,6c,00,6f,00,61,00,64,00,3b,00,00,00
" gSafeOnload[i"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,09,00,09,\
00,67,00,53,00,61,00,66,00,65,00,4f,00,6e,00,6c,00,6f,00,61,00,64,00,5b,00,\
69,00,5d,00,28,00,29,00,3b,00,00,00
"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></iframe"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6f,00,63,00,75,00,6d,00,65,\
00,6e,00,74,00,2e,00,77,00,72,00,69,00,74,00,65,00,20,00,28,00,27,00,3c,00,\
69,00,66,00,72,00,61,00,6d,00,65,00,20,00,77,00,69,00,64,00,74,00,68,00,3d,\
00,22,00,37,00,32,00,30,00,22,00,20,00,68,00,65,00,69,00,67,00,68,00,74,00,\
3d,00,22,00,33,00,30,00,30,00,22,00,20,00,66,00,72,00,61,00,6d,00,65,00,62,\
00,6f,00,72,00,64,00,65,00,72,00,3d,00,22,00,30,00,22,00,20,00,73,00,63,00,\
72,00,6f,00,6c,00,6c,00,69,00,6e,00,67,00,3d,00,22,00,4e,00,4f,00,22,00,20,\
00,6d,00,61,00,72,00,67,00,69,00,6e,00,77,00,69,00,64,00,74,00,68,00,3d,00,\
22,00,30,00,22,00,20,00,6d,00,61,00,72,00,67,00,69,00,6e,00,68,00,65,00,69,\
00,67,00,68,00,74,00,3d,00,22,00,30,00,22,00,20,00,73,00,72,00,63,00,3d,00,\
22,00,68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,61,00,64,00,73,00,2e,00,70,\
00,61,00,72,00,74,00,6e,00,65,00,72,00,32,00,70,00,72,00,6f,00,66,00,69,00,\
74,00,2e,00,63,00,6f,00,6d,00,2f,00,61,00,62,00,73,00,5f,00,61,00,64,00,73,\
00,65,00,72,00,76,00,65,00,2e,00,63,00,66,00,6d,00,3f,00,63,00,61,00,6d,00,\
70,00,61,00,69,00,67,00,6e,00,5f,00,69,00,64,00,3d,00,31,00,35,00,37,00,38,\
00,30,00,26,00,6e,00,6f,00,73,00,63,00,72,00,69,00,70,00,74,00,3d,00,31,00,\
26,00,72,00,61,00,6e,00,64,00,3d,00,5b,00,52,00,41,00,4e,00,44,00,5d,00,22,\
00,3e,00,3c,00,2f,00,69,00,66,00,72,00,61,00,6d,00,65,00,3e,00,27,00,29,00,\
3b,00,00,00
"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></ilayer"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6f,00,63,00,75,00,6d,00,65,\
00,6e,00,74,00,2e,00,77,00,72,00,69,00,74,00,65,00,28,00,27,00,3c,00,69,00,\
6c,00,61,00,79,00,65,00,72,00,20,00,77,00,69,00,64,00,74,00,68,00,3d,00,22,\
00,37,00,32,00,30,00,22,00,20,00,68,00,65,00,69,00,67,00,68,00,74,00,3d,00,\
22,00,33,00,30,00,30,00,22,00,20,00,6c,00,65,00,66,00,74,00,3d,00,22,00,30,\
00,22,00,20,00,74,00,6f,00,70,00,3d,00,22,00,30,00,22,00,20,00,76,00,69,00,\
73,00,69,00,62,00,69,00,6c,00,69,00,74,00,79,00,3d,00,22,00,53,00,48,00,4f,\
00,57,00,22,00,20,00,73,00,72,00,63,00,3d,00,22,00,68,00,74,00,74,00,70,00,\
3a,00,2f,00,2f,00,61,00,64,00,73,00,2e,00,70,00,61,00,72,00,74,00,6e,00,65,\
00,72,00,32,00,70,00,72,00,6f,00,66,00,69,00,74,00,2e,00,63,00,6f,00,6d,00,\
2f,00,61,00,62,00,73,00,5f,00,61,00,64,00,73,00,65,00,72,00,76,00,65,00,2e,\
00,63,00,66,00,6d,00,3f,00,63,00,61,00,6d,00,70,00,61,00,69,00,67,00,6e,00,\
5f,00,69,00,64,00,3d,00,31,00,35,00,37,00,38,00,30,00,26,00,6e,00,6f,00,73,\
00,63,00,72,00,69,00,70,00,74,00,3d,00,31,00,26,00,72,00,61,00,6e,00,64,00,\
3d,00,5b,00,52,00,41,00,4e,00,44,00,5d,00,22,00,3e,00,3c,00,2f,00,69,00,6c,\
00,61,00,79,00,65,00,72,00,3e,00,27,00,29,00,3b,00,00,00
"<noscript><iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></iframe></noscr"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,3c,00,6e,00,6f,00,73,00,63,00,72,\
00,69,00,70,00,74,00,3e,00,3c,00,69,00,66,00,72,00,61,00,6d,00,65,00,20,00,\
77,00,69,00,64,00,74,00,68,00,3d,00,22,00,37,00,32,00,30,00,22,00,20,00,68,\
00,65,00,69,00,67,00,68,00,74,00,3d,00,22,00,33,00,30,00,30,00,22,00,20,00,\
66,00,72,00,61,00,6d,00,65,00,62,00,6f,00,72,00,64,00,65,00,72,00,3d,00,22,\
00,30,00,22,00,20,00,73,00,63,00,72,00,6f,00,6c,00,6c,00,69,00,6e,00,67,00,\
3d,00,22,00,4e,00,4f,00,22,00,20,00,6d,00,61,00,72,00,67,00,69,00,6e,00,77,\
00,69,00,64,00,74,00,68,00,3d,00,22,00,30,00,22,00,20,00,6d,00,61,00,72,00,\
67,00,69,00,6e,00,68,00,65,00,69,00,67,00,68,00,74,00,3d,00,22,00,30,00,22,\
00,20,00,73,00,72,00,63,00,3d,00,22,00,68,00,74,00,74,00,70,00,3a,00,2f,00,\
2f,00,61,00,64,00,73,00,2e,00,70,00,61,00,72,00,74,00,6e,00,65,00,72,00,32,\
00,70,00,72,00,6f,00,66,00,69,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,61,00,\
62,00,73,00,5f,00,61,00,64,00,73,00,65,00,72,00,76,00,65,00,2e,00,63,00,66,\
00,6d,00,3f,00,63,00,61,00,6d,00,70,00,61,00,69,00,67,00,6e,00,5f,00,69,00,\
64,00,3d,00,31,00,35,00,37,00,38,00,30,00,26,00,6e,00,6f,00,73,00,63,00,72,\
00,69,00,70,00,74,00,3d,00,31,00,26,00,72,00,61,00,6e,00,64,00,3d,00,5b,00,\
52,00,41,00,4e,00,44,00,5d,00,22,00,3e,00,3c,00,2f,00,69,00,66,00,72,00,61,\
00,6d,00,65,00,3e,00,3c,00,2f,00,6e,00,6f,00,73,00,63,00,72,00,69,00,70,00,\
74,00,3e,00,00,00
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></iframe"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6f,00,63,00,75,00,6d,00,65,\
00,6e,00,74,00,2e,00,77,00,72,00,69,00,74,00,65,00,20,00,28,00,27,00,3c,00,\
69,00,66,00,72,00,61,00,6d,00,65,00,20,00,77,00,69,00,64,00,74,00,68,00,3d,\
00,22,00,37,00,32,00,30,00,22,00,20,00,68,00,65,00,69,00,67,00,68,00,74,00,\
3d,00,22,00,33,00,30,00,30,00,22,00,20,00,66,00,72,00,61,00,6d,00,65,00,62,\
00,6f,00,72,00,64,00,65,00,72,00,3d,00,22,00,30,00,22,00,20,00,73,00,63,00,\
72,00,6f,00,6c,00,6c,00,69,00,6e,00,67,00,3d,00,22,00,4e,00,4f,00,22,00,20,\
00,6d,00,61,00,72,00,67,00,69,00,6e,00,77,00,69,00,64,00,74,00,68,00,3d,00,\
22,00,30,00,22,00,20,00,6d,00,61,00,72,00,67,00,69,00,6e,00,68,00,65,00,69,\
00,67,00,68,00,74,00,3d,00,22,00,30,00,22,00,20,00,73,00,72,00,63,00,3d,00,\
22,00,68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,61,00,64,00,73,00,2e,00,70,\
00,61,00,72,00,74,00,6e,00,65,00,72,00,32,00,70,00,72,00,6f,00,66,00,69,00,\
74,00,2e,00,63,00,6f,00,6d,00,2f,00,61,00,62,00,73,00,5f,00,61,00,64,00,73,\
00,65,00,72,00,76,00,65,00,2e,00,63,00,66,00,6d,00,3f,00,63,00,61,00,6d,00,\
70,00,61,00,69,00,67,00,6e,00,5f,00,69,00,64,00,3d,00,31,00,35,00,37,00,38,\
00,30,00,26,00,6e,00,6f,00,73,00,63,00,72,00,69,00,70,00,74,00,3d,00,31,00,\
26,00,72,00,61,00,6e,00,64,00,3d,00,5b,00,52,00,41,00,4e,00,44,00,5d,00,22,\
00,3e,00,3c,00,2f,00,69,00,66,00,72,00,61,00,6d,00,65,00,3e,00,27,00,29,00,\
3b,00,00,00
"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></ilayer"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6f,00,63,00,75,00,6d,00,65,\
00,6e,00,74,00,2e,00,77,00,72,00,69,00,74,00,65,00,28,00,27,00,3c,00,69,00,\
6c,00,61,00,79,00,65,00,72,00,20,00,77,00,69,00,64,00,74,00,68,00,3d,00,22,\
00,37,00,32,00,30,00,22,00,20,00,68,00,65,00,69,00,67,00,68,00,74,00,3d,00,\
22,00,33,00,30,00,30,00,22,00,20,00,6c,00,65,00,66,00,74,00,3d,00,22,00,30,\
00,22,00,20,00,74,00,6f,00,70,00,3d,00,22,00,30,00,22,00,20,00,76,00,69,00,\
73,00,69,00,62,00,69,00,6c,00,69,00,74,00,79,00,3d,00,22,00,53,00,48,00,4f,\
00,57,00,22,00,20,00,73,00,72,00,63,00,3d,00,22,00,68,00,74,00,74,00,70,00,\
3a,00,2f,00,2f,00,61,00,64,00,73,00,2e,00,70,00,61,00,72,00,74,00,6e,00,65,\
00,72,00,32,00,70,00,72,00,6f,00,66,00,69,00,74,00,2e,00,63,00,6f,00,6d,00,\
2f,00,61,00,62,00,73,00,5f,00,61,00,64,00,73,00,65,00,72,00,76,00,65,00,2e,\
00,63,00,66,00,6d,00,3f,00,63,00,61,00,6d,00,70,00,61,00,69,00,67,00,6e,00,\
5f,00,69,00,64,00,3d,00,31,00,35,00,37,00,38,00,30,00,26,00,6e,00,6f,00,73,\
00,63,00,72,00,69,00,70,00,74,00,3d,00,31,00,26,00,72,00,61,00,6e,00,64,00,\
3d,00,5b,00,52,00,41,00,4e,00,44,00,5d,00,22,00,3e,00,3c,00,2f,00,69,00,6c,\
00,61,00,79,00,65,00,72,00,3e,00,27,00,29,00,3b,00,00,00
"<noscript><iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\" src=\"http://ads.partner2p...oscript=1&rand=[RAND]\"></iframe></noscr"=hex(2):63,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,3c,00,6e,00,6f,00,73,00,63,00,72,\
00,69,00,70,00,74,00,3e,00,3c,00,69,00,66,00,72,00,61,00,6d,00,65,00,20,00,\
77,00,69,00,64,00,74,00,68,00,3d,00,22,00,37,00,32,00,30,00,22,00,20,00,68,\
00,65,00,69,00,67,00,68,00,74,00,3d,00,22,00,33,00,30,00,30,00,22,00,20,00,\
66,00,72,00,61,00,6d,00,65,00,62,00,6f,00,72,00,64,00,65,00,72,00,3d,00,22,\
00,30,00,22,00,20,00,73,00,63,00,72,00,6f,00,6c,00,6c,00,69,00,6e,00,67,00,\
3d,00,22,00,4e,00,4f,00,22,00,20,00,6d,00,61,00,72,00,67,00,69,00,6e,00,77,\
00,69,00,64,00,74,00,68,00,3d,00,22,00,30,00,22,00,20,00,6d,00,61,00,72,00,\
67,00,69,00,6e,00,68,00,65,00,69,00,67,00,68,00,74,00,3d,00,22,00,30,00,22,\
00,20,00,73,00,72,00,63,00,3d,00,22,00,68,00,74,00,74,00,70,00,3a,00,2f,00,\
2f,00,61,00,64,00,73,00,2e,00,70,00,61,00,72,00,74,00,6e,00,65,00,72,00,32,\
00,70,00,72,00,6f,00,66,00,69,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,61,00,\
62,00,73,00,5f,00,61,00,64,00,73,00,65,00,72,00,76,00,65,00,2e,00,63,00,66,\
00,6d,00,3f,00,63,00,61,00,6d,00,70,00,61,00,69,00,67,00,6e,00,5f,00,69,00,\
64,00,3d,00,31,00,35,00,37,00,38,00,30,00,26,00,6e,00,6f,00,73,00,63,00,72,\
00,69,00,70,00,74,00,3d,00,31,00,26,00,72,00,61,00,6e,00,64,00,3d,00,5b,00,\
52,00,41,00,4e,00,44,00,5d,00,22,00,3e,00,3c,00,2f,00,69,00,66,00,72,00,61,\
00,6d,00,65,00,3e,00,3c,00,2f,00,6e,00,6f,00,73,00,63,00,72,00,69,00,70,00,\
74,00,3e,00,00,00
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
  • 0

#9
greyknight17
Posted 14 August 2005 - 02:49 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and look for the strange entry like:

"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\"...and delete that entry.

Also delete these two under the same folder:

"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\"

"<noscript><iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\"

Then go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the following:

" gSafeOnload[gSafeOnload.length] "
" gSafeOnload[0] = window.onl"
" gSafeOnload[i"
"document.write ('<iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\"
"document.write('<ilayer width=\"720\" height=\"300\" left=\"0\" top=\"0\" visibility=\"SHOW\"
"<noscript><iframe width=\"720\" height=\"300\" frameborder=\"0\" scrolling=\"NO\" marginwidth=\"0\" marginheight=\"0\"

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Restart and post a new HijackThis log.
  • 0

#10
clemsongal2984
Posted 14 August 2005 - 06:15 PM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:40 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Harriet Spires.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clemson.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0322.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo....plorer1_8us.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0410.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • 0

#11
greyknight17
Posted 15 August 2005 - 07:34 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#12
clemsongal2984
Posted 15 August 2005 - 09:03 PM

clemsongal2984

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
No questions or problems. Thanks so much for all your help!!:-)
  • 0

#13
greyknight17
Posted 16 August 2005 - 10:21 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP