Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfixer pop up [resolved]

Started by nettexmel , Aug 15 2005 07:06 PM

  • This topic is locked This topic is locked

#31
nettexmel
Posted 11 September 2005 - 12:20 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I haven't been able to post the lm2 (domain) log that you asked me to post in your last post. It appears that I've done all of these steps before. I already have all of this stuff downloaded and have run them all before. Why are we continuing to run the same stuff? I've done all of these steps, are we not getting rid of the virus or am I getting more stuff on my pc. I have some many icons on my desktop and so much stuff loaded on my pc, that it running at a snails pace. Are we getting any closer to the end? :) I couldn't post the domain log, because it was too big. Maybe I could send it to you in an email or something. Anyway, I guess I will run this stuff that you asked again. :tazz:
  • 0

Advertisements

#32
nettexmel
Posted 11 September 2005 - 12:42 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Here are the logs that you requested:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/29/2002 5:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 9/11/2005 1:28:16 AM 2048 C:\WINDOWS\bootstat.dat
H 9/11/2005 1:26:56 AM 54156 C:\WINDOWS\QTFont.qfn
SH 8/15/2005 10:47:50 PM 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
SH 8/8/2005 8:26:36 AM 401408 C:\WINDOWS\system32\??anregw.exe
H 9/11/2005 1:28:08 AM 8192 C:\WINDOWS\system32\config\default.LOG
H 9/11/2005 1:28:30 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 9/11/2005 1:28:18 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 9/11/2005 1:32:28 AM 86016 C:\WINDOWS\system32\config\software.LOG
H 9/11/2005 1:28:16 AM 753664 C:\WINDOWS\system32\config\system.LOG
H 8/15/2005 2:56:24 AM 1024 C:\WINDOWS\system32\config\userdiff.LOG
H 8/18/2005 2:48:26 PM 0 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
SH 8/21/2005 5:50:02 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\09238LI3\desktop.ini
SH 8/21/2005 5:50:02 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8M19BGY6\desktop.ini
SH 8/21/2005 5:50:02 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JG8NV1YX\desktop.ini
SH 8/21/2005 5:50:02 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KFC7ZNBJ\desktop.ini
SH 8/15/2005 12:08:52 AM 184 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini
H 9/11/2005 1:27:34 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
8/25/2005 8:45:24 AM 56 C:\WINDOWS\SYSTEM32\conres.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 7/3/2005 11:02:44 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 1/6/2004 4:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
The Weather Channel Interactive8/4/2005 9:33:42 AM 3010560 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/23/2005 2:39:38 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/3/2005 11:03:56 PM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
7/3/2005 4:25:04 PM 1821 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer.lnk
7/3/2005 10:39:36 PM 893 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
7/8/2005 5:13:42 PM 848 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
7/3/2005 10:31:36 PM 1811 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
7/3/2005 10:32:24 PM 1023 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
7/3/2005 10:59:00 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
7/3/2005 10:09:58 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/23/2005 2:37:56 PM 1558 C:\Documents and Settings\Jeanette Alexander\Application Data\AdobeDLM.log
7/23/2005 2:37:56 PM 0 C:\Documents and Settings\Jeanette Alexander\Application Data\dm.ini
8/25/2005 8:45:38 AM 56 C:\Documents and Settings\Jeanette Alexander\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqystsks
{f19326c9-6530-43f7-a276-848377c9a428} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15C9938F-CB96-496D-800A-B827F2E34EA1}
BlspcHlpr Class = C:\Program Files\BellSouth Internet Tools\blspc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MoneyStartUp10.0 "C:\Program Files\Microsoft Money\System\Activation.exe"

AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
blspcloader "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
winsync C:\WINDOWS\System32\ldpx4x.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/11/2005 1:34:41 AM

Here is the trackgoo log:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
@=""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"blspcloader"="\"C:\\Program Files\\BellSouth Internet Tools\\blsloader.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"winsync"="C:\\WINDOWS\\System32\\ldpx4x.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- fqystsks
{f19326c9-6530-43f7-a276-848377c9a428}
0

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}


Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
Camio Viewer.lnk
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Event Reminder.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\Jeanette Alexander\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
Camio Viewer.lnk
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Event Reminder.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
conres.cpl
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wxfw.cpl The Weather Channel Interactive
  • 0

#33
g2i2r4
Posted 11 September 2005 - 05:52 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm just as disappointed as you are. Looking back I see things I already had you remove still present. Infections that should have been gone are still very much there.
We will redo what I think went wrong somehow.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advise.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ fqystsks]

[-HKEY_CLASSES_ROOT\CLSID\{f19326c9-6530-43f7-a276-848377c9a428}]

Save the file to the desktop as fix1.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix1.reg, and click Yes to merge it with the registry.

***
  • please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\Tasks\RUTASK.job
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:C:\WINDOWS\jknrh.dll
    C:\WINDOWS\SYSTEM32\7kg92lj5.ini
    C:\WINDOWS\SYSTEM32\cp8387ic.ini
    C:\WINDOWS\SYSTEM32\oklvdi5n.ini
    C:\WINDOWS\SYSTEM32\conres.cpl
    C:\Documents and Settings\Jeanette Alexander\Application Data\Sskdmns.dll
    C:\WINDOWS\System32\jbaro.dll
    C:\WINDOWS\SYSTEM32\sgsfkfd.dll
    C:\WINDOWS\System32\ldpx4x.exe
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\Tasks\SA.DAT
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.C:\WINDOWS\System32\ldpx4x.exe
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
***

Reboot the computer to safe mode again.

***

Open Killbox again. This time choose "Delete all Dummy Files".

***

Rerun Panda and safe the report. Post the report along with a fresh HijackThis log.
  • 0

#34
nettexmel
Posted 17 September 2005 - 09:17 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I did follow your instructions as best I could. For step number 8, I wasn't sure if I was supposed to continue check the dummy box for all of those files or not. It wasn't clear, so I just check the dummy box for all of them and then deleted the dummy files at the end. Step number 10 was actually the same as one of the files listed in step 8, but I just repeated the process again. I then rebooted to safe mode, and deleted all of the dummy files. I wasn't sure if i was susposed to run panda in safe or regular mode, so I just ran it in regular mode. I'm still getting the black box that I mention in an earlier post. I can't seem to get rid of it, even after you told me to do the killbox on it earlier. Listed below are the scans that you requested.

Panda scan:

Incident Status Location

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia No disinfected C:\Documents and Settings\Jeanette Alexander\Favorites\1111
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanette Alexander\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-471131fc.zip[A.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanette Alexander\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-271e6c1-471131fc.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanette Alexander\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-673a3d9c-192c5bfe.zip[A.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanette Alexander\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-673a3d9c-192c5bfe.zip[BlackBox.class]
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\01E4B37A-5964-4E38-883D-4F0EA5.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3C35EB1E-2BAE-474B-9CB8-6F8037.asq
Adware:Adware/AdBehavior No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3EC67018-CF41-48BE-BFD2-7593FF.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4028A292-1311-4144-8DF2-4F08E0.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4840786E-D21B-495B-BB08-9629F1.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4FCFC5DF-E286-4AE5-B158-FE36CE.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7FBF7016-2091-41BA-B557-20BE26.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\80D7F63B-A7A0-444C-9088-9F91CA.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\89153E10-4145-44D2-A8BF-652A05.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CB52026-D550-4EEA-8E85-F4572D.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A55098F0-2270-42D4-89F3-3C6421.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AD5EAFCC-F7A8-4A8D-A18C-653365.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E52C3910-C3F4-4CDB-AF0F-091D8A.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ECFAD66F-3840-498D-AAB0-DFF0C3.asq
Adware:Adware/QoolShown No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F0410D5D-215B-4EF5-93D7-58C221.asq
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\27DF0365-5F0E-45E7-BFD6-02FE5F\25801A16-B035-43B8-9957-6E7A2C
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\boaxrxq.exe
Here is the hijackthis scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:33 AM, on 9/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ldpx4x.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MGOEMABTSY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\MGOEMABTSY.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I hope we're getting close. :tazz:
  • 0

#35
g2i2r4
Posted 17 September 2005 - 12:20 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Again disable Spybot and AntiSpyware.

Use Windows Explorer to remove these folders:

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Documents and Settings\Jeanette Alexander\Favorites\1111

***

I made a mistake on the fix1.reg
It's only one space to many, but it make to much of a difference.

Please run Notepad and paste the following text into a new file:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fqystsks]

[-HKEY_CLASSES_ROOT\CLSID\{f19326c9-6530-43f7-a276-848377c9a428}]


Save the file to the desktop as fix1.reg (overwrite the other file) and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix1.reg, and click Yes to merge it with the registry.

***

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

C:\WINDOWS\system32\boaxrxq.exe

Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

I see some items in the Quarantine box of AntiSpyware and some in the 'DeactivatedItems' box. Please empty both boxes.

***

Reboot the computer.

***

Norton may prompt you on 'malicious scripts' for the below mentioned programs. Be sure to 'allow the entire script'.

Download trackQ, extract the file inside also to the desktop. Double left click Track qoo 1.vbs (This script is by Mosiac1)
http://forums.subrat...e=post&id=39295


Download FindQoologic.zip save it to your Desktop.
http://forums.net-in...=post&id=134981
Extract (unzip) the files inside Preferably here to C:\
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in your reply.
  • 0

#36
nettexmel
Posted 25 September 2005 - 01:14 PM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I am in big big trouble. I can't even complete the stuff you asked me to do. It looks live I have more stuff on my pc. I think maybe my daughter inadvertantly downloaded something, although she denies it. When I try to run microsoft antispyware or spybot. I cant get thru the entire run, when I just get all of these pop ups and my pc just restarts. :) :tazz: :)

I want to block her from some of this, but I was trying to clean my pc before we put this stuff in place. Please help me!! Here's a Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:47 PM, on 9/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\qoftpb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\win32087814095989.exe
C:\WINDOWS\Sys98.exe
C:\WINDOWS\sys101409598978.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\nvwedl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvwedl.exe
C:\WINDOWS\Sys98.exe
C:\WINDOWS\SysCheckBop32.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SDWin32 Class - {696FE4B8-DB14-4E0A-BE00-CD1244133CEF} - C:\WINDOWS\System32\truud.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {EDBD47A2-41DC-E8F5-23B5-32AE1EBD5E62} - C:\WINDOWS\Ktfguibf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ldpx4x.exe reg_run
O4 - HKLM\..\Run: [win32087814095989] C:\WINDOWS\win32087814095989.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [sys101409598978] C:\WINDOWS\sys101409598978.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ogicjfr] C:\WINDOWS\System32\qoftpb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [nvwedl] C:\WINDOWS\System32\nvwedl.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [SysCheck32] C:\WINDOWS\SysCheckBop32.exe
O4 - HKCU\..\RunOnce: [nvwedl] C:\WINDOWS\System32\nvwedl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mzwdat10.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MGOEMABTSY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\MGOEMABTSY.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#37
nettexmel
Posted 25 September 2005 - 02:24 PM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I'm trying to finish your original instructions. Here is the trackgoo post:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
@=""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"blspcloader"="\"C:\\Program Files\\BellSouth Internet Tools\\blsloader.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"winsync"="C:\\WINDOWS\\System32\\ldpx4x.exe reg_run"
"win32087814095989"="C:\\WINDOWS\\win32087814095989.exe"
"YourMonitor"="C:\\WINDOWS\\Sys98"
"sys101409598978"="C:\\WINDOWS\\sys101409598978.exe"
"SystemCheck"="C:\\WINDOWS\\SysCheckBop32"
"TagASaurus"="C:\\Program Files\\TagASaurus\\TagASaurus"
"AUNPS2"="RUNDLL32 AUNPS2.DLL,_Run@16"
"kdsnkf"="C:\\WINDOWS\\System32\\tfbqiqj.exe r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
C:\WINDOWS\System32\wuauclt.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
Camio Viewer.lnk
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Event Reminder.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\Jeanette Alexander\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
Camio Viewer.lnk
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Event Reminder.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wxfw.cpl The Weather Channel Interactive


I hope this is correct. This is the find-Qoologic file:

Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
Camio Viewer.lnk
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Event Reminder.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
ntau.exe

User Startup:
C:\Documents and Settings\Jeanette Alexander\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...

Edited by nettexmel, 25 September 2005 - 02:31 PM.

  • 0

#38
g2i2r4
Posted 26 September 2005 - 01:34 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
We will get there eventually, just hang in there.

You have several infections, just try to do this one part at the time. No problem if you can't do it in one run. Try to do the parts and let me know what you were able to do. I will seperate the part by putting *** between them.

***

You need to disable AntiSpyware again. It will stand in the way of us cleaning this computer.

***

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntau.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\sys101409598978.exe
C:\WINDOWS\Sys98.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\System32\ldpx4x.exe
C:\WINDOWS\System32\nvwedl.exe
C:\WINDOWS\System32\qoftpb.exe
C:\WINDOWS\win32087814095989.exe

Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

***

First, download Ewido Security Suite.

***

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

***

Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed

***

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column.
Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

***

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

***

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

***

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Mind you, we are not done yet!

Edited by g2i2r4, 26 September 2005 - 01:35 PM.

  • 0

#39
nettexmel
Posted 26 September 2005 - 06:40 PM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I tried to do the vx2 add on cleaning, but i got a pop up box that says unable to clean. I just closed the box and went ahead with your instructions.

Here is the ewido scan:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:26:55 PM, 9/26/2005
+ Report-Checksum: FF7567D0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-515967899-73586283-725345543-1004\Software\GIANTCompany\AntiSpyware\Alerts\09E38758-4B96-4D62-9E2D-4E93B4\\RegistryKey -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-515967899-73586283-725345543-1004\Software\GIANTCompany\AntiSpyware\Alerts\81FBC95A-26A9-47FD-BFD2-29F269\\RegistryKey -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-515967899-73586283-725345543-1004\Software\GIANTCompany\AntiSpyware\Alerts\F7BF331D-C448-4F49-9808-06F503\\RegistryKey -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Error during cleaning
[1864] C:\WINDOWS\System32\jxqdow.exe -> Trojan.Agent.cp : Cleaned with backup
[1412] C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette [email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\DelF.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\ei.exe -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\iB.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\jfghjfgudk.exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\nsh_110.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\res10.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\tm4833.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\MTE2NzY6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\SSK39.exe -> TrojanDropper.Small.qn : Cleaned with backup
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\cvk8r74v.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\E2G\IeBHOs.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\01E4B37A-5964-4E38-883D-4F0EA5.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0675D813-B6FD-412F-8F64-4DB1F7.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3C35EB1E-2BAE-474B-9CB8-6F8037.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3EC67018-CF41-48BE-BFD2-7593FF.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3F4BAEDB-7DC5-4388-AB2B-703E5D.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4028A292-1311-4144-8DF2-4F08E0.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4840786E-D21B-495B-BB08-9629F1.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4FCFC5DF-E286-4AE5-B158-FE36CE.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6F855C2D-3AC5-4AC5-8E68-B1D192.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7ADD8860-69F5-4FA5-8CAE-09F914.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7FBF7016-2091-41BA-B557-20BE26.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\80D7F63B-A7A0-444C-9088-9F91CA.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\89153E10-4145-44D2-A8BF-652A05.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CB52026-D550-4EEA-8E85-F4572D.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A55098F0-2270-42D4-89F3-3C6421.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AD5EAFCC-F7A8-4A8D-A18C-653365.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\BA001907-CD7C-4D0C-9B01-0E765D.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\BF4D5615-4610-4D47-BA1D-BD7D72.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D4C14050-DF0D-4D1A-898C-D52817.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E52C3910-C3F4-4CDB-AF0F-091D8A.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ECFAD66F-3840-498D-AAB0-DFF0C3.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F0410D5D-215B-4EF5-93D7-58C221.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F22E77B8-A57D-4EDD-8F95-0231AA.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F821DBBB-F35F-4C16-B33A-6AAD9A.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1FF05EC8-5392-4BC7-B207-3F73BC\10D5909D-29F3-4EDB-A44F-01ADAE -> Spyware.E2Give : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\27DF0365-5F0E-45E7-BFD6-02FE5F\25801A16-B035-43B8-9957-6E7A2C -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F3CB188-EB33-41B7-93FB-DE1ED6\94FB02E7-BB0C-487F-8635-28ABC2 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C1720C5D-B84E-44E3-A467-DF2663\6BA6EC03-1CC2-4856-9683-4244CA -> TrojanDownloader.Small : Cleaned with backup
C:\Program Files\Uninstall My Web Search.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.bem : Cleaned with backup
C:\Temp\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\immdlf.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\2bundle.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\boaxrxq.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\jbaro.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\jxqdow.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\pvugb.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\rjggtd.exe -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\sgsfkfd.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\truud.dll -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\truudd.exe -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\wirelanb.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup


::Report End

Here is the hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:36:07 PM, on 9/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ixsbyb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\umanmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\umanmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SDWin32 Class - {696FE4B8-DB14-4E0A-BE00-CD1244133CEF} - C:\WINDOWS\System32\truud.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {EDBD47A2-41DC-E8F5-23B5-32AE1EBD5E62} - C:\WINDOWS\Ktfguibf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [win32087814095989] C:\WINDOWS\win32087814095989.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [sys101409598978] C:\WINDOWS\sys101409598978.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ojtncw] C:\WINDOWS\System32\ixsbyb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [nvwedl] C:\WINDOWS\System32\nvwedl.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [umanmp] C:\WINDOWS\System32\umanmp.exe
O4 - HKCU\..\RunOnce: [umanmp] C:\WINDOWS\System32\umanmp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\mzwdat10.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MGOEMABTSY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\MGOEMABTSY.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#40
g2i2r4
Posted 27 September 2005 - 11:32 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Just checking!
Did you do the killbox part?
  • 0

Advertisements

#41
nettexmel
Posted 30 September 2005 - 11:43 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Yes, I did the killbox part, but I don't think that i'm doing it properly. I never get the pending operations prompt. I'm should be copying one line into the full path box, then clicking yes to all files should be deleted on reboot, and no to do you want to reboot now. Then on the last line that I copy into full path, that's when I answer yes to do you want to reboot now.

After I do all of the lines, I get a prompt that says verifying registries, and then nothing happens. I have to reboot my computer on my own. I'm not sure if what I just did was effective or not. Maybe I'm missing a step. I can do it again if you like. Just tell me if the procedure that I'm following is missing something.

Thanks,
Jeanette
  • 0

#42
g2i2r4
Posted 30 September 2005 - 12:41 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You did it like it's supposed to be done. I was just checking because you have multiple infections and I want to be sure we completed a part.

***

Please disable AntiSpyware Again!
See if you can disable AOL Spyware protection.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\sys101409598978.exe
C:\WINDOWS\Sys98.exe
C:\WINDOWS\System32\AUNPS2.DLL
C:\WINDOWS\System32\ InstallAPS.exe
C:\WINDOWS\System32\ixsbyb.exe
C:\WINDOWS\system32\mzwdat10.dll
C:\WINDOWS\System32\nvwedl.exe
C:\WINDOWS\System32\umanmp.exe
C:\WINDOWS\win32087814095989.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot the computer to safe mode.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: SDWin32 Class - {696FE4B8-DB14-4E0A-BE00-CD1244133CEF} - C:\WINDOWS\System32\truud.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {EDBD47A2-41DC-E8F5-23B5-32AE1EBD5E62} - C:\WINDOWS\Ktfguibf.dll
O4 - HKLM\..\Run: [win32087814095989] C:\WINDOWS\win32087814095989.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\Sys98
O4 - HKLM\..\Run: [sys101409598978] C:\WINDOWS\sys101409598978.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ojtncw] C:\WINDOWS\System32\ixsbyb.exe r
O4 - HKCU\..\Run: [nvwedl] C:\WINDOWS\System32\nvwedl.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [umanmp] C:\WINDOWS\System32\umanmp.exe
O4 - HKCU\..\RunOnce: [umanmp] C:\WINDOWS\System32\umanmp.exe
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\mzwdat10.dll

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Please rerun Ewido and save the log.

***

Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed

Run Ad-Aware, click on Add-ons in the lefthand column.
Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

***

Post back to this topic with a fresh HijackThis log. Let me know what happend.
  • 0

#43
nettexmel
Posted 01 October 2005 - 09:52 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I think I figured out what the problem was with the killbox. I didn't have the microsoft antispyware complete shutdown. As soon as I did that I did get the pending operations prompt, however there is no way to select no. You can either hit the ok button or hit the red x in the corner. I chose the red x in the corner.

Also, I wanted to let you know. As per you instructions, I rebooted the computer to safe mode and completed the rest of your instructions. No where in the post did you say, that I should go back to regular mode. I did however run the hijackthis log in regular mode.

I know that I'm still infected, because I have some casino and poker icons on my desktop, which definitely is not something I downloaded.



Here is the hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:46:07 AM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msst\msst.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\SmVhbmV0dGUgQWxleGFuZGVy\command.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVhbmV0dGUgQWxleGFuZGVy\command.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MGOEMABTSY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\MGOEMABTSY.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#44
g2i2r4
Posted 01 October 2005 - 11:22 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm sorry I forgot to let you reboot back to normal mode. I'm glad you found out yourself.

***

Please disable AntiSpyware Again!
See if you can disable AOL Spyware protection.

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Command Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

***

Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name):

cmdService

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

***

Open Ewido and update it to the latest definitions. Close Ewido for now when you are done.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\SmVhbmV0dGUgQWxleGFuZGVy\command.exe
C:\WINDOWS\system32\w130713.Stub.EXE


For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\system32\AdCom.dll

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe

O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Use Windows Explorer to remove these folders:
C:\WINDOWS\SmVhbmV0dGUgQWxleGFuZGVy\
C:\Documents and Settings\All Users\Application Data\msst\
Close Windows Explorer when you are done.

***

Reboot back to normal mode.

***

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
***

Also post me a fresh HijackThis log and the Ewido log.
  • 0

#45
nettexmel
Posted 04 October 2005 - 06:25 AM

nettexmel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
The only step that I was not able to complete was removing this file: C:\Documents and Settings\All Users\Application Data\msst\. I could not find it. I did however remove the other file in that step. The most annoying problem that I'm experiencing is that my computer keeps rebooting by itself. I hope we can get that stopped soon. Anyway, here are the logs that you requested:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:04 AM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MGOEMABTSY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\MGOEMABTSY.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is the ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:21:18 PM, 10/3/2005
+ Report-Checksum: C0C949AD

+ Scan result:

HKU\S-1-5-21-515967899-73586283-725345543-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Cookies\jeanette alexander@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\jfghjfgudk.exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning


::Report End


Here is the Panda scan log:

Incident Status Location

Spyware:spyware/dyfuca No disinfected C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\cfout.txt
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\system32.dll
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Jeanette Alexander\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/searchtheweb No disinfected C:\Documents and Settings\Jeanette Alexander\Desktop\Search The Web.LNK
Adware:adware/adurl No disinfected C:\WINDOWS\icont.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Spyware:spyware/safesurf No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\Documents and Settings\Jeanette Alexander\Local Settings\Temp\cmdinst.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000106.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
Spyware:Spyware/BetterInet No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F03747C6-86A8-4785-8702-A6CF9C\38B9A468-05C3-4B66-8471-4D25A7
Adware:Adware/StartPage.AHW No disinfected C:\WINDOWS\Ktfguibf.dll
Virus:Trj/Agent.APG Disinfected C:\WINDOWS\system32\nmp_32.dll
Virus:Trj/Agent.APG Disinfected C:\WINDOWS\system32\nmp_32.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP