
My internet's gone turtle! help [RESOLVED]


This topic is locked.

#1 MISTERSTALKER (Member, 63 posts)
Logfile of HijackThis v1.99.1
Scan saved at ?? 9:35:07, on 2005-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVPersonal\AVWIN.EXE
C:\Documents and Settings\David Lim\Desktop\DiceAroo\DiceAroo.exe
C:\Documents and Settings\David Lim\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ykprq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ihtnx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ihtnx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ihtnx.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Class - {FC7FFD6E-0897-B7D0-A319-768F3DA452CD} - C:\WINDOWS\system32\iptr32.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Jgflhqg] C:\Program Files\Xewm\Ojxqkz.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [netiu.exe] C:\WINDOWS\netiu.exe
O4 - HKLM\..\Run: [iptq32.exe] C:\WINDOWS\iptq32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\klsdgg.exe reg_run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZ Smileys] "C:\Program Files\EZ Smileys For AOL Instant Messenger\EZSmileys.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.c...1/CZInstall.CAB
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanma...ab9_1/dmcc2.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.para..._butterplay.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.c...der20041018.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

:/

#2 tampabelle (Retired Staff, 6,363 posts)
Please read this post completely; it may make it easier for you if you copy and paste it into a new text document or print it for reference later.

This will likely be a multi-step process for removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (e.g. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went, as well as the logs requested and a new HijackThis log.
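The triage the helper does by eye on the first log can be written down as rules. The Python script below is an added example for this thread, not code from Geeks to Go, from the posters, or from HijackThis itself. It parses HijackThis v1.99-style R/O lines and flags the indicators visible in the log above: an IE search value served from a res:// path inside a local DLL, a BHO whose DLL is missing, Run entries that live directly in C:\WINDOWS, that start Internet Explorer at logon, that carry the reg_run argument, or whose entry name and executable are two unrelated random-looking tokens, and an O16 ActiveX download from a domain the same log puts in the Trusted Zone. It also diffs the Run keys of two logs so a re-dropped entry such as [winsync] stands out. The sample lines are copied from the logs posted in this thread; every function name, the vowel-ratio threshold, the reg_run indicator and the severity labels are my assumptions, not a published signature set.

```python
"""Rule-based triage for HijackThis v1.99-style log lines.

Added example for this thread, not code from Geeks to Go or from HijackThis. Sample lines are
copied from the logs posted above; the vowel-ratio threshold, the `reg_run` indicator and the
severity labels are assumptions, not a published signature set.
"""
import ntpath
import re
from collections import namedtuple

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
RES_DLL_RE = re.compile(r"res://\S*?\.dll/", re.IGNORECASE)
HOST_RE = re.compile(r"(?:https?://)?(?:\*\.)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
VOWELS = set("aeiou")

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ykprq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ihtnx.dll/sp.html#28129
O2 - BHO: Class - {FC7FFD6E-0897-B7D0-A319-768F3DA452CD} - C:\WINDOWS\system32\iptr32.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jgflhqg] C:\Program Files\Xewm\Ojxqkz.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netiu.exe] C:\WINDOWS\netiu.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\klsdgg.exe reg_run
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
"""
# Constructed sample: [winsync] as it appears in the second log, plus one entry new in that log.
SAMPLE_LOG_LATER = r"""
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\naiupp.exe reg_run
O4 - HKLM\..\Run: [IP Monitor] C:\PROGRA~1\IPMONI~1\IPMonitor.exe
"""

Entry = namedtuple("Entry", "code body raw")  # code is the section tag such as "R1" or "O4"

def parse_hjt(text):
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["code"], m["body"], m.group(0)) for m in matches if m]

def looks_random(token):
    """5+ letters, under 20% vowels. Abbreviations (ccRegVfy, SNDMon) trip it too: secondary signal only."""
    letters = [c for c in token.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in VOWELS for c in letters) / len(letters) < 0.2

def run_parts(entry):
    """(entry name, executable path, arguments) for an O4 Run entry, else None."""
    m = RUN_RE.match(entry.body)
    if not m:
        return None
    e = EXE_RE.match(m["cmd"])
    return (m["name"], e["exe"], e["args"]) if e else (m["name"], m["cmd"], "")

def host_of(text):
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None

def triage(entries):
    """Return (severity, reason, raw line) findings. An entry with no finding is not cleared."""
    findings = []
    trusted = {host_of(e.body) for e in entries if e.code == "O15"} - {None}  # O15 hosts, for O16
    for en in entries:
        def add(sev, why):
            findings.append((sev, why, en.raw))
        if en.code in ("R0", "R1") and RES_DLL_RE.search(en.body):
            add("high", "IE start/search value served from a res:// resource inside a local DLL")
        elif en.code == "O2" and "(file missing)" in en.body:
            add("medium", "BHO CLSID registered but its DLL is gone; remove the orphan registration")
        elif en.code == "O4" and (parts := run_parts(en)):
            name, exe, args = parts
            stem = ntpath.splitext(ntpath.basename(exe))[0]
            if ntpath.dirname(exe).lower() == r"c:\windows":
                add("high", "autorun executable sits directly in the Windows directory")
            if ntpath.basename(exe).lower() == "iexplore.exe":
                add("high", "Run entry starts Internet Explorer at logon; a browser is not an autostart program")
            if "reg_run" in args.lower().split():  # assumption: argument seen on this thread's [winsync] entries
                add("medium", "launched with the reg_run argument")
            if looks_random(name) and looks_random(stem) and name.lower() != stem.lower():
                add("medium", "entry name and executable name are two unrelated random-looking tokens")
            elif looks_random(name) or looks_random(stem):
                add("low", "random-looking token (vendor abbreviations trip this too)")
        elif en.code == "O15":
            add("medium", "site added to IE's Trusted Zone, which relaxes ActiveX and scripting settings for it")
        elif en.code == "O16" and host_of(en.body) in trusted:
            add("high", "ActiveX download from a domain the same log adds to the Trusted Zone")
    return findings

def diff_run_keys(before, after):
    """Run entries new in `after` or whose target changed: a constant name with a fresh executable
    (here [winsync]) is a component re-dropped under a new random filename after the cleanup."""
    def targets(entries):
        return {p[0]: p[1] for p in (run_parts(e) for e in entries if e.code == "O4") if p}
    old, new = targets(before), targets(after)
    return [(n, old.get(n), x) for n, x in new.items() if n not in old or old[n].lower() != x.lower()]
```

Rules clear nothing: an entry with no finding (the [DNS] line, for instance) simply matched no rule and still needs a human look. The random-name rule on its own is noisy, which is why it only reaches "medium" when the entry name and the executable name are two unrelated random tokens; vendor abbreviations such as ccRegVfy or SNDMon fit the letter statistics but reuse the binary name or sit under a readable entry name. The Run-key diff is the check worth running between the first and second logs in this thread: [winsync] changed from klsdgg.exe to naiupp.exe while the rest of the cleanup held, which is consistent with something still active re-creating it under a fresh random filename.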

#3 MISTERSTALKER (Topic Starter, 63 posts)
I didn't really understand the part about clicking Start on AboutBuster and then OK, because when I started up AboutBuster it didn't say anything but "look for updates" or "Start Removal"... Can you reply ASAP? Thank you.

Edited by MISTERSTALKER, 04 September 2005 - 01:26 AM.

#4 tampabelle (Retired Staff, 6,363 posts)
Click on "Update" first and wait for the message that the update completed or that the program is up to date.

Now click on Begin Removal.

Please proceed with the fix with these modifications

#5 MISTERSTALKER (Topic Starter, 63 posts)
The SpSeHjfix112 log:

(9-5-05 ?? 3:55:12) SPSeHjFix started v1.1.2
(9-5-05 ?? 3:55:12) OS: WinXP Service Pack 2 (5.1.2600)
(9-5-05 ?? 3:55:12) Language: Korean
(9-5-05 ?? 3:55:12) Win-Path: C:\WINDOWS
(9-5-05 ?? 3:55:12) System-Path: C:\WINDOWS\system32
(9-5-05 ?? 3:55:12) Temp-Path: C:\DOCUME~1\DAVIDL~1\LOCALS~1\Temp\
(9-5-05 ?? 3:55:13) Disinfection started
(9-5-05 ?? 3:55:13) Bad-Dll(IEP): c:\windows\system32\ykprq.dll
(9-5-05 ?? 3:55:13) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 3:55:13) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 3:55:13) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\ykprq.dll/sp.html#28129
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
(9-5-05 ?? 3:55:13) Stealth-String not found
(9-5-05 ?? 3:55:13) No locked Files to delete. End without Reboot
(9-5-05 ?? 3:55:16) Disinfection started
(9-5-05 ?? 3:55:16) Bad-Dll(IEP): c:\windows\ihtnx.dll
(9-5-05 ?? 3:55:16) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 3:55:16) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 3:55:16) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\ihtnx.dll/sp.html#28129
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\ihtnx.dll/sp.html#28129
(9-5-05 ?? 3:55:16) Stealth-String not found
(9-5-05 ?? 3:55:16) No locked Files to delete. End without Reboot


(9-5-05 ?? 9:08:01) SPSeHjFix started v1.1.2
(9-5-05 ?? 9:08:01) OS: WinXP Service Pack 2 (5.1.2600)
(9-5-05 ?? 9:08:01) Language: Korean
(9-5-05 ?? 9:08:01) Win-Path: C:\WINDOWS
(9-5-05 ?? 9:08:01) System-Path: C:\WINDOWS\system32
(9-5-05 ?? 9:08:01) Temp-Path: C:\DOCUME~1\DAVIDL~1\LOCALS~1\Temp\
(9-5-05 ?? 9:08:02) Disinfection started
(9-5-05 ?? 9:08:02) Bad-Dll(IEP): (not found)
(9-5-05 ?? 9:08:02) Bad-Dll(IEP) in BHO: (not found)
(9-5-05 ?? 9:08:02) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 9:08:02) UBF: 7 - UBB: 2 - UBR: 33
(9-5-05 ?? 9:08:02) Bad IE-pages: (none)
(9-5-05 ?? 9:08:02) Stealth-String not found
(9-5-05 ?? 9:08:02) Not infected->END


(9-7-05 ?? 8:36:48) SPSeHjFix started v1.1.2
(9-7-05 ?? 8:36:48) OS: WinXP Service Pack 2 (5.1.2600)
(9-7-05 ?? 8:36:48) Language: Korean
(9-7-05 ?? 8:36:48) Win-Path: C:\WINDOWS
(9-7-05 ?? 8:36:48) System-Path: C:\WINDOWS\system32
(9-7-05 ?? 8:36:48) Temp-Path: C:\DOCUME~1\DAVIDL~1\LOCALS~1\Temp\

#6 tampabelle (Retired Staff, 6,363 posts)
Hi,

Can you post the AboutBuster log as well as a fresh HJT log, please?

#7 MISTERSTALKER (Topic Starter, 63 posts)
AboutBuster log:

AboutBuster 5.0 reference file 31
Scan started on [2005-09-03] at [?? 10:03:06]
------------------------------------------------
Removed Stream! C:\WINDOWS\ixgdx.dat:cyrnuv
Removed Stream! C:\WINDOWS\ixgdx.dat:zhdvxi
Removed Stream! C:\WINDOWS\jautoexp.dat:aloymv
Removed Stream! C:\WINDOWS\jautoexp.dat:gvbghy
Removed Stream! C:\WINDOWS\jjcdj.log:uzksog
Removed Stream! C:\WINDOWS\jname.log:yvuljj
Removed Stream! C:\WINDOWS\jtdri.dat:joeqdl
Removed Stream! C:\WINDOWS\KB828741.log:bpxegv
Removed Stream! C:\WINDOWS\KB828741.log:rorhce
Removed Stream! C:\WINDOWS\KB835732.log:hhgzp
Removed Stream! C:\WINDOWS\KB842773.log:nvqnze
Removed Stream! C:\WINDOWS\KB873333.log:jojnxg
Removed Stream! C:\WINDOWS\KB885835.log:gwiaug
Removed Stream! C:\WINDOWS\KB885835.log:nmpgxx
Removed Stream! C:\WINDOWS\KB888113.log:djafj
Removed Stream! C:\WINDOWS\KB888302.log:yxtfoq
Removed Stream! C:\WINDOWS\KB890175.log:xmhmzh
Removed Stream! C:\WINDOWS\KB891781.log:krwvas
Removed Stream! C:\WINDOWS\KB893066.log:apbtjb
Removed Stream! C:\WINDOWS\KB893066.log:qnartr
Removed Stream! C:\WINDOWS\kbyvz.dat:drpavd
Removed Stream! C:\WINDOWS\kbyvz.dat:emyhcs
Removed Stream! C:\WINDOWS\kfsmk.txt:wnjvwc
Removed Stream! C:\WINDOWS\khgia.txt:tiuydl
Removed Stream! C:\WINDOWS\kiftc.dat:nsagpf
Removed Stream! C:\WINDOWS\kiocc.log:pnbaym
Removed Stream! C:\WINDOWS\kmycp.log:gtslrp
Removed Stream! C:\WINDOWS\kocim.dat:zgufsp
Removed Stream! C:\WINDOWS\kqhwc.dat:jnsqup
Removed Stream! C:\WINDOWS\lexit.dat:ljnmfw
Removed Stream! C:\WINDOWS\lhcyb.log:iolevu
Removed Stream! C:\WINDOWS\lhcyb.log:znxahf
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:ekxray
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:kuwzrg
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:sopfjq
Removed Stream! C:\WINDOWS\mfgtx.dat:culals
Removed Stream! C:\WINDOWS\mibzy.txt:koalda
Removed Stream! C:\WINDOWS\mkyuf.txt:uvenfc
Removed Stream! C:\WINDOWS\mnije.txt:kiocck
Removed Stream! C:\WINDOWS\mrmqn.dat:zgzvgd
Removed Stream! C:\WINDOWS\msdfmap.ini:dptyfc
Removed Stream! C:\WINDOWS\mtvmv.txt:kzrbif
Removed Stream! C:\WINDOWS\mtvmv.txt:vjhheu
Removed Stream! C:\WINDOWS\mtvmv.txt:wtcjnj
Removed Stream! C:\WINDOWS\mxkgv.log:dlqdjw
Removed Stream! C:\WINDOWS\mxkgv.log:fwhycp
Removed Stream! C:\WINDOWS\nhmfg.dat:cakodq
Removed Stream! C:\WINDOWS\nlejt.log:wljqdg
Removed Stream! C:\WINDOWS\nsshx.log:zunuke
Removed Stream! C:\WINDOWS\nsw.log:gkkaah
Removed Stream! C:\WINDOWS\nsw.log:vactfa
Removed Stream! C:\WINDOWS\ntdtcsetup.log:omtvfq
Removed Stream! C:\WINDOWS\ntdtcsetup.log:vnhjns
Removed Stream! C:\WINDOWS\nurdt.txt:nreanf
Removed Stream! C:\WINDOWS\n_bzynlb.log:tomodx
Removed Stream! C:\WINDOWS\n_bzynlb.log:uzzhb
Removed Stream! C:\WINDOWS\n_egmdkl.txt:psptjs
Removed Stream! C:\WINDOWS\n_erbxcp.dat:lpftxh
Removed Stream! C:\WINDOWS\n_foaigt.dat:itaylc
Removed Stream! C:\WINDOWS\n_gkvmli.txt:eqqyzs
Removed Stream! C:\WINDOWS\n_hfbkpt.log:hhnfwo
Removed Stream! C:\WINDOWS\n_hhcjwx.dat:gofiz
Removed Stream! C:\WINDOWS\ocmsn.log:mvxtid
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:ypicfa
Removed Stream! C:\WINDOWS\prmhf.txt:hgdkle
Removed Stream! C:\WINDOWS\Rhododendron.bmp:flqbtc
Removed Stream! C:\WINDOWS\Rhododendron.bmp:ribihl
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:ffesom
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:xmapne
Removed Stream! C:\WINDOWS\sessmgr.setup.log:jitnbn
Removed Stream! C:\WINDOWS\setupact.log:cjeadx
Removed Stream! C:\WINDOWS\setupact.log:oyliic
Removed Stream! C:\WINDOWS\setupapi.log:phplly
Removed Stream! C:\WINDOWS\setuplog.txt:hzdncm
Removed Stream! C:\WINDOWS\setuplog.txt:jqxsaw
Removed Stream! C:\WINDOWS\SetupPestPatrolCorporate.mif:vvxhxt
Removed Stream! C:\WINDOWS\sfhwi.log:cqhyuh
Removed Stream! C:\WINDOWS\smfxn.dat:rbwwyg
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:ihiqnj
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:uralxj
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:vdehay
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:zzoaeo
Removed Stream! C:\WINDOWS\suboo.dat:kcojsr
Removed Stream! C:\WINDOWS\svcav.log:nexmub
Removed Stream! C:\WINDOWS\svcav.log:nstqru
Removed Stream! C:\WINDOWS\svqle.dat:cdhpnb
Removed Stream! C:\WINDOWS\svqle.dat:prkssm
Removed Stream! C:\WINDOWS\svqle.dat:saggyz
Removed Stream! C:\WINDOWS\SYMEVENT.LOG:gfpzxl
Removed Stream! C:\WINDOWS\tgzia.dat:hsdyuw
Removed Stream! C:\WINDOWS\tgzia.dat:udrupd
Removed Stream! C:\WINDOWS\tsoc.log:zibxi
Removed Stream! C:\WINDOWS\tswuk.dat:alndoz
Removed Stream! C:\WINDOWS\tswuk.dat:nemlml
Removed Stream! C:\WINDOWS\tyfny.log:zklcoc
Removed Stream! C:\WINDOWS\ukvyj.log:slepjm
Removed Stream! C:\WINDOWS\updspapi.log:kewvlw
Removed Stream! C:\WINDOWS\uvxtf.txt:dfhafz
Removed Stream! C:\WINDOWS\vb.ini:gfeyho
Removed Stream! C:\WINDOWS\vb.ini:wrrfxc
Removed Stream! C:\WINDOWS\vbaddin.ini:ggtic
Removed Stream! C:\WINDOWS\vustg.log:fcfji
Removed Stream! C:\WINDOWS\wiaservc.log:eludlw
Removed Stream! C:\WINDOWS\Windows Update.log:iyyrwa
Removed Stream! C:\WINDOWS\Windows Update.log:wefqng
Removed Stream! C:\WINDOWS\winnt.bmp:btxbxg
Removed Stream! C:\WINDOWS\winnt.bmp:nydbtv
Removed Stream! C:\WINDOWS\winnt256.bmp:azrfyl
Removed Stream! C:\WINDOWS\winnt256.bmp:hfxwhr
Removed Stream! C:\WINDOWS\winnt256.bmp:yxtfoq
Removed Stream! C:\WINDOWS\wmsetup.log:lexrps
Removed Stream! C:\WINDOWS\wmsetup.log:utqgri
Removed Stream! C:\WINDOWS\wmsetup.log:xlixtp
Removed Stream! C:\WINDOWS\WMSysPrx.prx:expxrd
Removed Stream! C:\WINDOWS\WMSysPrx.prx:kahqhn
Removed Stream! C:\WINDOWS\WMSysPrx.prx:qdbkvs
Removed Stream! C:\WINDOWS\WORDPAD.INI:muallt
Removed Stream! C:\WINDOWS\wplra.txt:dcjffe
Removed Stream! C:\WINDOWS\wplra.txt:kkamyn
Removed Stream! C:\WINDOWS\xgmta.txt:vculzp
Removed Stream! C:\WINDOWS\xjicz.dat:ndpcwp
Removed Stream! C:\WINDOWS\xjicz.dat:vbsida
Removed Stream! C:\WINDOWS\ylzni.txt:fdiqys
Removed Stream! C:\WINDOWS\yntzd.log:gefvwb
Removed Stream! C:\WINDOWS\yofdu.dat:hamvvh
Removed Stream! C:\WINDOWS\yofdu.dat:kuhphk
Removed Stream! C:\WINDOWS\yzafx.txt:yfwbkf
Removed Stream! C:\WINDOWS\zabjh.dat:bdjwl
Removed Stream! C:\WINDOWS\Zapotec.bmp:sbfapj
Removed Stream! C:\WINDOWS\Zapotec.bmp:uvacbu
Removed Stream! C:\WINDOWS\zcmea.dat:rghpeq
Removed Stream! C:\WINDOWS\_default.pif:chszbd
------------------------------------------------
Removed File! : C:\Windows\iyetp.dat
Removed File! : C:\Windows\josqg.dat
Removed File! : C:\Windows\jqild.dat
Removed File! : C:\Windows\jtdri.dat
Removed File! : C:\Windows\kbyvz.dat
Removed File! : C:\Windows\kiftc.dat
Removed File! : C:\Windows\kkwkb.dat
Removed File! : C:\Windows\kocim.dat
Removed File! : C:\Windows\kojuk.dat
Removed File! : C:\Windows\kqhwc.dat
Removed File! : C:\Windows\kyuca.dat
Removed File! : C:\Windows\lexit.dat
Removed File! : C:\Windows\lkccv.dat
Removed File! : C:\Windows\lpoub.dat
Removed File! : C:\Windows\mfgtx.dat
Removed File! : C:\Windows\mrmqn.dat
Removed File! : C:\Windows\mwiyh.dat
Removed File! : C:\Windows\nhmfg.dat
Removed File! : C:\Windows\osqfq.dat
Removed File! : C:\Windows\phvvv.dat
Removed File! : C:\Windows\rdltl.dat
Removed File! : C:\Windows\rieqe.dat
Removed File! : C:\Windows\rmada.dat
Removed File! : C:\Windows\rtnzt.dat
Removed File! : C:\Windows\rvkja.dat
Removed File! : C:\Windows\smfxn.dat
Removed File! : C:\Windows\suboo.dat
Removed File! : C:\Windows\svqle.dat
Removed File! : C:\Windows\tswuk.dat
Removed File! : C:\Windows\ttnjj.dat
Removed File! : C:\Windows\uojmi.dat
Removed File! : C:\Windows\vdzeq.dat
Removed File! : C:\Windows\wvtxa.dat
Removed File! : C:\Windows\xjicz.dat
Removed File! : C:\Windows\yofdu.dat
Removed File! : C:\Windows\zabjh.dat
Removed File! : C:\Windows\zcmea.dat
Removed File! : C:\Windows\System32\amjqr.dat
Removed File! : C:\Windows\System32\aqjrz.dat
Removed File! : C:\Windows\System32\bdvab.dat
Removed File! : C:\Windows\System32\bgxrq.dat
Removed File! : C:\Windows\System32\bjpaa.dat
Removed File! : C:\Windows\System32\cjpzj.dat
Removed File! : C:\Windows\System32\dbgcc.dat
Removed File! : C:\Windows\System32\dyzjm.dat
Removed File! : C:\Windows\System32\eecih.dat
Removed File! : C:\Windows\System32\egjlc.dat
Removed File! : C:\Windows\System32\egjoc.dat
Removed File! : C:\Windows\System32\ehcbw.dat
Removed File! : C:\Windows\System32\eoycu.dat
Removed File! : C:\Windows\System32\epogk.dat
Removed File! : C:\Windows\System32\fdctd.dat
Removed File! : C:\Windows\System32\fjpwx.dat
Removed File! : C:\Windows\System32\gzuqk.dat
Removed File! : C:\Windows\System32\hrxkw.dat
Removed File! : C:\Windows\System32\hspds.dat
Removed File! : C:\Windows\System32\ituvp.dat
Removed File! : C:\Windows\System32\ivsxt.dat
Removed File! : C:\Windows\System32\ixcvc.dat
Removed File! : C:\Windows\System32\jerft.dat
Removed File! : C:\Windows\System32\jfkre.dat
Removed File! : C:\Windows\System32\kfmio.dat
Removed File! : C:\Windows\System32\kjuvy.dat
Removed File! : C:\Windows\System32\lcaqx.dat
Removed File! : C:\Windows\System32\ldspa.dat
Removed File! : C:\Windows\System32\lyojm.dat
Removed File! : C:\Windows\System32\mgnja.dat
Removed File! : C:\Windows\System32\nmzvp.dat
Removed File! : C:\Windows\System32\nzdrm.dat
Removed File! : C:\Windows\System32\nzqew.dat
Removed File! : C:\Windows\System32\oajjs.dat
Removed File! : C:\Windows\System32\oavze.dat
Removed File! : C:\Windows\System32\ooboh.dat
Removed File! : C:\Windows\System32\oxgze.dat
Removed File! : C:\Windows\System32\ozdiv.dat
Removed File! : C:\Windows\System32\pbony.dat
Removed File! : C:\Windows\System32\pbuuw.dat
Removed File! : C:\Windows\System32\pvuoq.dat
Removed File! : C:\Windows\System32\qneex.dat
Removed File! : C:\Windows\System32\qpyjp.dat
Removed File! : C:\Windows\System32\qyhma.dat
Removed File! : C:\Windows\System32\tcpdd.dat
Removed File! : C:\Windows\System32\tdese.dat
Removed File! : C:\Windows\System32\tqfdx.dat
Removed File! : C:\Windows\System32\tuelr.dat
Removed File! : C:\Windows\System32\tvqje.dat
Removed File! : C:\Windows\System32\uedxn.dat
Removed File! : C:\Windows\System32\ujuah.dat
Removed File! : C:\Windows\System32\viktp.dat
Removed File! : C:\Windows\System32\vlcek.dat
Removed File! : C:\Windows\System32\vpavs.dat
Removed File! : C:\Windows\System32\wfvhw.dat
Removed File! : C:\Windows\System32\wrgro.dat
Removed File! : C:\Windows\System32\wzypi.dat
Removed File! : C:\Windows\System32\xontb.dat
Removed File! : C:\Windows\System32\xqgsz.dat
Removed File! : C:\Windows\System32\yifjh.dat
Removed File! : C:\Windows\System32\ymlzl.dat
Removed File! : C:\Windows\System32\ynqgj.dat
Removed File! : C:\Windows\System32\yqszh.dat
Removed File! : C:\Windows\System32\ysutr.dat
Removed File! : C:\Windows\System32\ywjfy.dat
Removed File! : C:\Windows\System32\zuzqq.dat
Removed File! : C:\Windows\System32\zvrvs.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at ?? 10:04:41


AboutBuster 5.0 reference file 31
Scan started on [2005-09-05] at [?? 3:52:08]
------------------------------------------------
Removed Stream! C:\WINDOWS\KB888113.log:tpuazr
Removed Stream! C:\WINDOWS\vustg.log:ygxejy
Removed Stream! C:\WINDOWS\WMSysPrx.prx:vdpnnx
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at ?? 3:53:18


AboutBuster 5.0 reference file 31
Scan started on [2005-09-05] at [?? 9:06:33]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at ?? 9:07:25


And the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at ?? 3:50:00, on 2005-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\IP Monitor\IPMonSvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MimarSinan Rubber Ducky\RubberDucky.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\David Lim\Desktop\NP STUFF\NAdvanced by Drew\NAdvanced by Drew\NadvancedRefresher.exe
C:\Documents and Settings\David Lim\Desktop\NP STUFF\NAdvanced by Drew\NAdvanced by Drew\NadvancedRefresher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\David Lim\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istarthere.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.softomate.com/defultsearch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: XBTB06823 - {8D91EEF6-070C-4a47-B186-86F882463A53} - C:\PROGRA~1\ISTART~1\setup.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Class - {FC7FFD6E-0897-B7D0-A319-768F3DA452CD} - C:\WINDOWS\system32\iptr32.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Jgflhqg] C:\Program Files\Xewm\Ojxqkz.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [netiu.exe] C:\WINDOWS\netiu.exe
O4 - HKLM\..\Run: [iptq32.exe] C:\WINDOWS\iptq32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [IP Monitor] C:\PROGRA~1\IPMONI~1\IPMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\naiupp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZ Smileys] "C:\Program Files\EZ Smileys For AOL Instant Messenger\EZSmileys.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.c...1/CZInstall.CAB
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanma...ab9_1/dmcc2.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.para..._butterplay.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.c...der20041018.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: IP Monitor Network Address Monitor (IP Monitor) - Barefoot Productions, Inc. - C:\Program Files\IP Monitor\IPMonSvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#8
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Killbox

Copy everything in the quote box below (Starting with REGEDIT4) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the 'Save As Type' to 'All Files'. Save it as fixme.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"netiu"=-
"iptq32"=-

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop

2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: XBTB06823 - {8D91EEF6-070C-4a47-B186-86F882463A53} - C:\PROGRA~1\ISTART~1\setup.dll
O2 - BHO: Class - {FC7FFD6E-0897-B7D0-A319-768F3DA452CD} - C:\WINDOWS\system32\iptr32.dll (file missing)
O4 - HKLM\..\Run: [Jgflhqg] C:\Program Files\Xewm\Ojxqkz.exe
O4 - HKLM\..\Run: [netiu.exe] C:\WINDOWS\netiu.exe
O4 - HKLM\..\Run: [iptq32.exe] C:\WINDOWS\iptq32.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Double click on fixme.reg and let it merge with your registry.

Run CleanUp and delete all temp files including temporary internet files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Program Files\Xewm

Files
C:\WINDOWS\netiu.exe
C:\WINDOWS\iptq32.exe
C:\Program Files\Common Files\mc-58-12-0000079-d.exe


Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Don't delete the folder, only the files in it !!!!!!!!

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!

Reboot the PC in Normal Mode.

Post a fresh HJT log.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!
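The fixme.reg in the post above relies on REGEDIT4's `"name"=-` syntax to delete a value, and Track qoo dumps the Run keys in that same format, so the "note any entries you do not see" step can be checked mechanically. As an added example (not tampabelle's or the tools' code), here is a small REGEDIT4 parser plus a cross-check of a removal file against a dump; the dump excerpt is constructed in the shape of the Track qoo output, not the poster's full log, and the function names and `POLICY_RUN` constant are mine.

```python
"""Parse REGEDIT4 text (the format Track qoo dumps and fixme.reg uses) and
cross-check a removal .reg file against a dump of the live keys."""
import re

# Constructed excerpt in the shape of the Track qoo dump (not the poster's
# full output): one ordinary Run key and the policies\Explorer\Run key that
# fixme.reg targets. Only "netiu" is present, so "iptq32" will be reported
# as missing, which is the deviation the helper asks to be told about.
SAMPLE_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"winsync"="C:\\WINDOWS\\system32\\naiupp.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"netiu"="C:\\WINDOWS\\netiu.exe"
'''

# Key as spelled in fixme.reg; the dump spells "SOFTWARE" in upper case, which
# is fine because registry key names are case-insensitive.
POLICY_RUN = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'

# "name"=data, where the quoted name may contain escaped quotes/backslashes
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # REGEDIT4 escapes a backslash and a double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_regedit4(text):
    """Return {key: {value_name: data}}; data is None for a "name"=- deletion
    marker, the unescaped string for a quoted string value, else the raw text
    (dword:/hex: data is kept verbatim). Only named values are handled; an
    @= default-value line raises ValueError."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f'value line before any key: {line!r}')
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError(f'unrecognised line: {line!r}')
        name, data = _unescape(m.group(1)), m.group(2)
        if data == '-':
            keys[current][name] = None
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def lookup_key(keys, wanted):
    """Find a key in a parsed dump ignoring case; {} when it is absent."""
    for k, values in keys.items():
        if k.lower() == wanted.lower():
            return values
    return {}


def removal_reg(key, names):
    """Build a REGEDIT4 file that deletes the named values under key, the
    same construction as fixme.reg."""
    lines = ['REGEDIT4', '', f'[{key}]'] + [f'"{_escape(n)}"=-' for n in names]
    return '\n'.join(lines) + '\n'


def check_fix(dump_text, fix_text):
    """For every deletion marker in the fix, report whether the value exists
    in the dump (and the command it launches) or is missing."""
    dump, fix = parse_regedit4(dump_text), parse_regedit4(fix_text)
    report = {'present': {}, 'missing': []}
    for key, values in fix.items():
        live = {n.lower(): v for n, v in lookup_key(dump, key).items()}
        for name, data in values.items():
            if data is not None:
                continue  # only "name"=- lines are deletions
            if name.lower() in live:
                report['present'][name] = live[name.lower()]
            else:
                report['missing'].append(name)
    return report


# The same two deletions fixme.reg above performs.
FIXME_REG = removal_reg(POLICY_RUN, ['netiu', 'iptq32'])
```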

#9
MISTERSTALKER

    Member

  • Topic Starter
  • Member
  • 63 posts
Trackqoo results:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"PestPatrol Control Center"="C:\\Program Files\\PestPatrol\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"WildTangent CDA"="\"C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0500.dll\""
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"IP Monitor"="C:\\PROGRA~1\\IPMONI~1\\IPMonitor.exe"
"SoundMan"="SOUNDMAN.EXE"
"winsync"="C:\\WINDOWS\\system32\\naiupp.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431}
C:\WINDOWS\avshlext.dll

Subkey --- gfxqnnsx
{f81cef23-bc60-491e-a1a6-a3f37abf4c3d}
C:\WINDOWS\system32\gfwle.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}
C:\PROGRA~1\TROJAN~1.2\contmenu.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
C:\WINDOWS\system32\wuauclt.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
dnit.exe
Microsoft Office.lnk
Personal Coach.lnk
==============================
C:\Documents and Settings\David Lim\Start Menu\Programs\Startup

desktop.ini
dnit.exe
Microsoft Office.lnk
Personal Coach.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


ac3filter.cpl
access.cpl Microsoft Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

WinPFind results:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 2004-04-20 오후 9:58:22 10342 C:\WINDOWS\SYSTEM32\123.45
PEC2 2002-08-29 오전 5:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 2005-09-10 오전 8:52:44 133120 C:\WINDOWS\SYSTEM32\gfwle.dll
209.66.67.134 2005-09-10 오전 8:52:44 133120 C:\WINDOWS\SYSTEM32\gfwle.dll
web-nex 2005-09-10 오전 8:52:44 133120 C:\WINDOWS\SYSTEM32\gfwle.dll
winsync 2005-09-10 오전 8:52:44 133120 C:\WINDOWS\SYSTEM32\gfwle.dll
69.59.186.63 2005-09-10 오전 10:42:46 181760 C:\WINDOWS\SYSTEM32\kioorrx.dll
209.66.67.134 2005-09-10 오전 10:42:46 181760 C:\WINDOWS\SYSTEM32\kioorrx.dll
web-nex 2005-09-10 오전 10:42:46 181760 C:\WINDOWS\SYSTEM32\kioorrx.dll
winsync 2005-09-10 오전 10:42:46 181760 C:\WINDOWS\SYSTEM32\kioorrx.dll
UPX! 2005-05-24 오후 4:40:58 RH 195269 C:\WINDOWS\SYSTEM32\LC.exe
PTech 2005-07-12 오후 6:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 2005-08-04 오후 6:31:38 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2005-08-04 오후 6:31:38 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2004-08-04 오전 12:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 2004-08-04 오전 12:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2002-08-29 오전 5:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
69.59.186.63 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
209.66.67.134 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.97 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.77 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
web-nex 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
winsync 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
rec2_run 2005-08-30 오전 9:47:36 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...
PTech 2004-08-03 오후 10:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2005-07-19 오후 7:18:10 S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
2005-09-10 오전 10:34:38 H 8192 C:\WINDOWS\system32\config\default.LOG
2005-09-10 오전 10:38:18 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2005-09-10 오전 10:34:44 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
2005-09-10 오전 10:40:20 H 73728 C:\WINDOWS\system32\config\software.LOG
2005-09-10 오전 10:36:36 H 917504 C:\WINDOWS\system32\config\system.LOG
2005-08-13 오전 12:20:58 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2005-08-15 오후 7:18:12 S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
2005-09-05 오후 12:21:16 S 18154 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
2005-09-05 오전 9:26:46 S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
2005-08-15 오후 7:18:12 S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
2005-09-05 오후 12:21:16 S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
2005-09-05 오전 9:26:46 S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
2005-08-24 오전 1:33:04 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\01673532-5989-4ef4-b9ce-0aef32b9c70f
2005-08-24 오전 1:33:04 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2005-07-22 오후 9:40:46 H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_QI021E.GID
2005-09-10 오전 10:34:08 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
2004-05-25 오전 8:06:58 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 2003-04-24 오후 4:53:22 6842880 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 2004-08-04 오전 12:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 2004-12-06 오후 9:31:48 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 2003-07-28 오후 2:19:00 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
2005-08-30 오전 9:47:36 31744 C:\WINDOWS\SYSTEM32\vgactl.cpl
Microsoft Corporation 2004-08-04 오전 12:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 2005-05-26 오전 4:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2002-08-29 오전 5:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2005-05-26 오전 4:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp. 2003-04-24 오후 4:53:22 6842880 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2005-04-08 오후 1:42:48 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2005-09-10 오전 10:42:46 417792 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnit.exe
2004-05-09 오후 10:11:18 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
2005-06-18 오후 1:50:36 681 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2005-04-08 오전 6:34:00 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2005-04-08 오후 1:42:48 HS 84 C:\Documents and Settings\David Lim\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2005-04-08 오전 6:34:00 HS 62 C:\Documents and Settings\David Lim\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
Istarhere.com Toolbar =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxqnnsx
{f81cef23-bc60-491e-a1a6-a3f37abf4c3d} = C:\WINDOWS\system32\gfwle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\system32\wuauclt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7327C09-B521-4EDB-8509-7D2660C9EC98}
Viewpoint Toolbar BHO = C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} = Viewpoint Toolbar : C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{D940F380-49C7-4A05-9E33-53930AF5768F} = IstartHere Toolbar : C:\Program Files\IstartHere Toolbar\setup.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
EPSON Stylus CX4600 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Picasa Media Detector C:\Program Files\Picasa2\PicasaMediaDetector.exe
iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PestPatrol Control Center C:\Program Files\PestPatrol\PPControl.exe
PPMemCheck C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
WildTangent CDA "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
CaAvTray "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NeroCheck C:\WINDOWS\system32\\NeroCheck.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
IP Monitor C:\PROGRA~1\IPMONI~1\IPMonitor.exe
SoundMan SOUNDMAN.EXE
winsync C:\WINDOWS\system32\naiupp.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
EZ Smileys "C:\Program Files\EZ Smileys For AOL Instant Messenger\EZSmileys.exe"
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
EPSON Stylus CX4600 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
IPMonitor
MimarSinan Rubber Ducky "C:\Program Files\MimarSinan Rubber Ducky\RubberDucky.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
mxz C:\WINDOWS\System32\mxz.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
shutdownwithoutlogon 1
undockwithoutlogon 1
LegalNoticeText
LegalNoticeCaption


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
lfnis.exe C:\WINDOWS\system\lfnis.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB
= C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2005-09-10 10:50:33 AM

New fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at ?? 11:01:08, on 2005-09-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\IP Monitor\IPMonSvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MimarSinan Rubber Ducky\RubberDucky.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\David Lim\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istarthere.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.softomate.com/defultsearch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [IP Monitor] C:\PROGRA~1\IPMONI~1\IPMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\naiupp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZ Smileys] "C:\Program Files\EZ Smileys For AOL Instant Messenger\EZSmileys.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.c...1/CZInstall.CAB
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanma...ab9_1/dmcc2.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.para..._butterplay.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.c...der20041018.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: IP Monitor Network Address Monitor (IP Monitor) - Barefoot Productions, Inc. - C:\Program Files\IP Monitor\IPMonSvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

thanks

#10 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gfxqnnsx]

[-HKEY_CLASSES_ROOT\CLSID\{f81cef23-bc60-491e-a1a6-a3f37abf4c3d}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mxz"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"lfnis.exe"=-


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\system32\naiupp.exe
C:\WINDOWS\system32\gfwle.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnit.exe
C:\Documents and Settings\David Lim\Start Menu\Programs\Startup\dnit.exe
C:\WINDOWS\SYSTEM32\123.45
C:\WINDOWS\SYSTEM32\kioorrx.dll
C:\WINDOWS\SYSTEM32\wuauclt.dll
C:\WINDOWS\System32\mxz.exe
C:\WINDOWS\system\lfnis.exe
C:\WINDOWS\system32\vgactl.cpl


As you paste each entry into Killbox, place a tick by any of these selections available:

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the red circle with the white X in the middle to delete.

Restart in Safe Mode and run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now locate and double-click KillQoo.reg and allow it to merge into the registry.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\naiupp.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Restart in Normal Mode and post a fresh HijackThis log.

#11 MISTERSTALKER (Topic Starter, Member, 63 posts)
New HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at ?? 8:49:23, on 2005-09-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IP Monitor\IPMonSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MimarSinan Rubber Ducky\RubberDucky.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\David Lim\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.softomate.com/defultsearch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IP Monitor] C:\PROGRA~1\IPMONI~1\IPMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZ Smileys] "C:\Program Files\EZ Smileys For AOL Instant Messenger\EZSmileys.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.c...1/CZInstall.CAB
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanma...ab9_1/dmcc2.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.para..._butterplay.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.c...der20041018.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: IP Monitor Network Address Monitor (IP Monitor) - Barefoot Productions, Inc. - C:\Program Files\IP Monitor\IPMonSvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#12 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Your log looks clean.

How is your PC behaving now?
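The fix sequence in post #10 (delete the autostart values with a .reg file, kill the files they launched, then confirm from a fresh log, which is the check tampabelle makes in the reply above) can be scripted. The Python below is an added example, not part of this thread and not a feature of HijackThis or KillBox: it parses the O4 Run-key lines of a log, emits the same "name"=- REGEDIT4 form that KillQoo.reg uses (including the policies\Explorer\Run values that only the WinPFind dump exposed), recovers the executable each value launched, and diffs two logs to show what disappeared and what appeared. BEFORE and AFTER are constructed excerpts of the 2005-09-10 and 2005-09-14 logs in this thread; all function names are this example's own.

```python
"""Added example, not from the thread or from HijackThis/KillBox: script the
fix sequence (REGEDIT4 removal file, launched-file list, before/after diff).
All function names are this example's own.
"""
import re
from collections import defaultdict

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The policies\Explorer\Run key is the Group Policy autostart; HijackThis 1.99.1
# does not list it, which is why mxz/lfnis.exe showed up only in the WinPFind dump.
POLICY_RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"

# HijackThis abbreviates the Run key: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")  # any R/O entry line; these are worth diffing


def run_entries(log_text):
    """(full registry key, value name, command) for each HKLM/HKCU Run O4 line."""
    out = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((HIVES[m["hive"]] + "\\" + RUN_KEY, m["name"], m["cmd"]))
    return out


def command_path(cmd):
    r"""Executable a Run value launches.

    Quoted commands are unambiguous.  For unquoted ones Windows tries each
    space-delimited prefix in turn (C:\Program, C:\Program Files\..., ...),
    so return the first prefix that names a program file.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith((".exe", ".com", ".dll", ".cpl")):
            return prefix
    return tokens[0]


def removal_reg(entries):
    """REGEDIT4 text that deletes each (key, value name) pair.

    "name"=- removes a value; backslashes and quotes in the name are escaped.
    The text ends with a blank line: regedit ignores a final line that lacks a
    trailing newline, which would silently leave the last value in place.
    """
    by_key = defaultdict(list)
    for key, name in entries:
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        by_key[key].append(f'"{escaped}"=-')
    lines = ["REGEDIT4", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(values)
        lines.append("")
    return "\n".join(lines) + "\n"


def log_entries(log_text):
    return {l.strip() for l in log_text.splitlines() if ENTRY_RE.match(l.strip())}


def diff_logs(before, after):
    """(removed, added): entry lines that vanished / appeared between two logs."""
    b, a = log_entries(before), log_entries(after)
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the 2005-09-10 and 2005-09-14 logs in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\naiupp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
"""
AFTER = r"""
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
"""

if __name__ == "__main__":
    targets = {"winsync", "iexplore.exe"}
    entries = [(key, name) for key, name, _ in run_entries(BEFORE) if name in targets]
    # The policy Run values appear only in the WinPFind dump, so add them by hand.
    entries += [(HIVES["HKLM"] + "\\" + POLICY_RUN_KEY, "mxz"),
                (HIVES["HKCU"] + "\\" + POLICY_RUN_KEY, "lfnis.exe")]
    print(removal_reg(entries))
    for key, name, cmd in run_entries(BEFORE):
        if name in targets:
            print("launched:", command_path(cmd))
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

The launched-path list is for review, not blind deletion: the thread's [iexplore.exe] value pointed at the genuine browser, so only the Run value was fixed and the file was left alone. Unquoted paths with spaces are resolved the way Windows resolves them, by trying successive prefixes, which is also why a planted C:\Program.exe would be run ahead of the real binary for such an entry.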

#13 MISTERSTALKER (Topic Starter, Member, 63 posts)
extremely well :tazz: thanks so much :) :) :) :ph34r: :ph34r: :tazz: :tazz:

#14 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi David,

Congratulations! Your PC is clean now :tazz:

I would recommend the following steps to keep your PC clean (especially Step 1, to install critical Windows patches including Service Pack 2 (SP2) if not already installed, and Step 8, now that your PC is clean):

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows Update. You can also use the following links:

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that Automatic Updates is enabled so the system is updated promptly (right-click My Computer on your desktop, choose Properties, then the Automatic Updates tab).


Anti-Virus Software
2. Keep your anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are:

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust browser settings. It is preferable to use an internet browser other than IE, as most malware is targeted at IE. If you prefer to use IE, then download a list of innocent-looking but harmful websites from IE-SpyAd and install it on your PC. IE-SpyAd puts over 5000 sites in Internet Explorer's Restricted sites zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternative browsers I suggest are Mozilla Firefox and Opera.

Whichever browser you use, ensure that the security level is set to Medium or higher, and restrict the use of cookies and ActiveX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers real-time protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs that scan for malware and remove it. Two of the best, both freeware, are:

Spybot Search & Destroy - A powerful tool which can search out and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware SE Personal Edition - Another very powerful tool which searches out and kills nasties that infect your system. Ad-Aware and Spybot Search & Destroy complement each other very well.


Regular Maintenance of PC
7. Finally, invest some time in regular maintenance of your PC. Delete temporary Internet files, temporary files, cookies, etc. Click the Start button, then Programs, Accessories, System Tools, and run Disk Cleanup. Follow the instructions.

An alternative freeware program that can be used is CleanUp.

Keep your registry clean. My favourite program is Registry First Aid. It is not freeware, but a trial version can be downloaded.


System Restore Points
8. Since your PC is currently clean, create a System Restore point. A System Restore would enable you to revert to the settings the PC had when the restore point was created. It is also a good idea to flush all earlier System Restore points, which may contain infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Go ahead and enjoy a clean PC!

#15 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Since this issue appears to be resolved, this topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.