Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

ad.yieldmanager.com [RESOLVED]


  • This topic is locked This topic is locked

#31
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Cyra

I am sorry not to have introduced Michelle to you before you received replies from her. She is brilliant and much better at RootKits than I am.

I have invited her into this thread to assist, whilst I get over the last Meniere's attack on Monday evening.

I hope you understand.
  • 0

Advertisements


#32
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Phil--it's okay. i appreciate all the help you gave me

Here is the startup list, it's really long
StartupList report, 9/6/2005, 5:06:34 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\cyramitchell\My Documents\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\cyramitchell\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
cQpGQ11w = C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
McRegWiz = c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Spyware Begone = c:\freescan\freescan.exe -FastScan

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{47211518-E92E-471E-AD32-9052A4906E30}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89820200-ECBD-11cf-8B85-00AA005B4383}.Restore]
StubPath = rundll32.exe advpack.dll,UserUnInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM32\UPDCRL.EXE -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*
Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------
Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------
Enumerating Task Scheduler jobs:

AFFB914B91840283.job
Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-Disk cleanup.job
McAfee.com Update Check (PAVILION-cyramitchell).job
McAfee.com Update Check (PAVILION-Gene).job
McAfee.com Update Check (PAVILION-Guest).job
McAfee.com Update Check ().job
A972B66B902D2843.job
McAfee.com Update Check (PAVILION-Geno).job
E036D59597659BA5.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://c:\windows\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[Word Cubes Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wordcube.ocx
CODEBASE = http://www.worldwinn...be/wordcube.cab

[Wwlaunch Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wwlaunch.ocx
CODEBASE = http://www.worldwinn...ed/wwlaunch.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[WordMojo Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wordmojo.ocx
CODEBASE = http://www.worldwinn...jo/wordmojo.cab

[SwapIt Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\swapit.ocx
CODEBASE = http://www.worldwinn...apit/swapit.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/...ro.cab34246.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
basic2: System32\DRIVERS\HSF_BSC2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Conexant Riptide WDM Audio Driver: system32\drivers\crtaud.sys (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Conexant Riptide Joystick Driver: system32\drivers\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFBS2S2.sys (manual start)
HSF_DP: System32\DRIVERS\HSFDPSP2.sys (manual start)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimFP5: system32\DRIVERS\wADV07nt.sys (manual start)
iAimFP6: system32\DRIVERS\wADV08nt.sys (manual start)
iAimFP7: system32\DRIVERS\wADV09nt.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
iAimTV5: system32\DRIVERS\wATV10nt.sys (manual start)
iAimTV6: system32\DRIVERS\wATV06nt.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee.com McShield: c:\PROGRA~1\mcafee.com\vso\mcshield.exe (manual start)
McAfee SecurityCenter Update Manager: C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (manual start)
McAfee.com VirusScan Online Realtime Engine: c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rksample: System32\DRIVERS\HSF_SAMP.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Conexant Riptide Dummy Driver: system32\drivers\rpfun.sys (manual start)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Conexant Riptide Bus / Firmware Downloader: system32\drivers\rthwcls.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
SpeakerPhone: System32\DRIVERS\HSF_SPKP.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{DBE0C441-74D3-4116-A7FA-9032A027FDDE} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
USB Remote NDIS Network Device Driver: System32\DRIVERS\usb8023.sys (manual start)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSFCXTS2.sys (manual start)
WinIK: System32\Drivers\WinIK.sys (system)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,883 bytes
Report generated in 0.420 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#33
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Download winik.zip from here: Attached File  winik.zip   323bytes   45 downloads
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode, go into the winik folder and double-click winik.bat A window will open for a few seconds then close, that's normal.

Then double-click fixme.reg that's on your desktop (the first one that you made) and when asked if you want to merge with registry click YES.

Reboot into normal mode.

Please download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, if it does click NO.

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.
  • 0

#34
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Incident Status Location

Adware:adware/getup No disinfected C:\WINDOWS\SYSTEM32\BPV2t.dll
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/sahagent No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
Hacktool:hacktool/rootkit.m No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Spyware:spyware/dyfuca No disinfected C:\DOCUMENTS AND SETTINGS\CYRAMITCHELL\Internet Optimizer
Adware:adware/esyndicate No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Hacktool:Hacktool/Rootkit.M No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys
Spyware:Spyware/CommonName No disinfected C:\WINDOWS\SYSTEM32\inetkw.exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v123.cpl.disabled
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl.disabled
Adware:Adware/Getup No disinfected C:\WINDOWS\SYSTEM32\BPV2t.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup.inf
Spyware:Spyware/CommonName No disinfected C:\Program Files\voqxsqxv\cnml.exe
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85300453-BC12-4A98-99C1-9D7675\CCA4E652-928F-4C43-A877-815C54
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85300453-BC12-4A98-99C1-9D7675\67D934F4-97CB-418D-8960-CAC914
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85300453-BC12-4A98-99C1-9D7675\E829DE6D-A8AA-4DBC-99F3-B1462D
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\MessMfcd.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\NEW 1.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\LISTDUPE.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\gramaxis.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\eachanti.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\cool slow.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\NameWindow.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\DALE STUPID.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\FILE WINDOW.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\castshow.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL\remote hope.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\morebias.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\amok heart.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\baitphone.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\comp iso.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\Keepvga.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\date owns.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam\Ante Safe.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\cyramitchell\Application Data\Jump Cdrom\Regs4.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\LocalService\Application Data\greatdupehole\16 Web Third.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP594\A0100878.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP595\A0101496.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP595\A0101497.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP595\A0101498.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP598\A0101578.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP612\A0104842.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP612\A0104843.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP612\A0104844.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP612\A0104845.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP613\A0104859.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP613\A0104860.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP613\A0104861.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP613\A0104862.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP613\A0104863.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108440.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108441.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108442.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108443.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108444.dll
Adware:Adware/nCase No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108446.exe
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108448.exe
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108449.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP636\A0108487.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108538.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108539.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108540.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108541.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108542.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108543.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108544.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108545.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108546.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108547.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108548.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108549.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108550.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108551.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108552.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108553.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108554.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108555.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108556.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108557.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108558.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108559.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108560.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108561.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108562.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108563.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108564.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108565.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108566.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108567.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108568.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP637\A0108569.exe
Adware:Adware/Getup No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP638\A0108645.exe
Adware:Adware/Getup No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP638\A0108646.exe
Spyware:Spyware/Systemcheck No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP638\A0108648.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP611\A0104827.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105049.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105050.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105051.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105052.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105053.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105069.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP617\A0105070.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP618\A0105086.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105114.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105115.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105116.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105117.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105118.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP621\A0105119.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107270.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107271.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107272.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107273.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107274.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107275.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107276.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP630\A0107277.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107283.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107284.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107285.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107286.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107287.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107288.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107289.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107290.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP631\A0107291.exe
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{2C909C53-C6EB-42C6-9777-424DC05E7DE9}\RP641\A0108761.exe

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 4:55:55 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#35
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go head a delete the winik.zip and winik folder that you downloaded previously. I've got a new one for you to download. :tazz:

Please download remwinik.zip from here: Attached File  remwinik.zip   551bytes   34 downloads

Unzip it to your desktop, but don't run it yet.

Reboot into Safe Mode.

Once in Safe Mode, go into the remwinik folder and double-click remwinik.bat.

Then, please use Windows Explorer and DELETE the following folders in bold:

C:\PROGRAM FILES\voqxsqxv <-let me know if this one was still there and if you have any problems deleting it, please!

C:\Documents and Settings\LocalService\Application Data\greatdupehole
C:\Documents and Settings\cyramitchell\Application Data\Jump Cdrom
C:\Documents and Settings\All Users\Application Data\Greatgreycakeroam
C:\Documents and Settings\All Users\Application Data\INTRA DALE DELETE MAIL
C:\DOCUMENTS AND SETTINGS\CYRAMITCHELL\Internet Optimizer

Reboot into normal mode and post a new HiJackThis log please :)
  • 0

#36
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
It wouldn't let me delete the folder there is a file i there that I can't delete. cnml.exe, with internet explorer icon. here is my latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 5:58:17 PM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#37
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please reboot into Safe Mode again.

See if this file still exists:

C:\Windows\System32\Drivers\WinIK.sys

If it does, right-click on it and select "rename". Rename it to winik.old

If you can't rename it that's fine, but please let me know :tazz:

Locate the folder:

C:\PROGRAM FILES\voqxsqxv

Don't do anything to it, yet.

Press CTRL ALT DELETE and locate the following process:

cnml.exe

If found, click to highlight it then click "End Task", then please try deleting that folder again. If you do not see that in processes, please use the instructions below instead.

If you are unable to delete the folder still, then while still in Safe Mode, do this please:

Double-click on Killbox.exe to start the program.
In the killbox program, select the Delete on Reboot option
In the field labeled Full Path of File to Delete copy the file path listed below and paste it in the field:

C:\Program Files\voqxsqxv\cnml.exe

Press the button that looks like a red circle with a white X in it. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the YES button.

Please let me know if you received any kind of error message.

After reboot, try to delete the folder again. Please let me know how it goes :)
  • 0

#38
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
It wouldn't let me rename the file winik.
when i tired to delete the file cnml.exe it wouldn't let me, it wasn't under processes. I can't seem to figure out what it is. I tried killbox, don't think it worked either, i didn't get any error messages.
  • 0

#39
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You said you don't think killbox worked, but you didn't receive an error message. Did you go into that folder after reboot to see if the cnml.exe was still present in the folder?
  • 0

#40
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
it's gone, nowthere is a icon, that says profile.dat, that will not delete
  • 0

Advertisements


#41
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Let's see if we can kill that one too! :tazz:

Reboot into Safe Mode.

Double-click on Killbox.exe to start the program.
In the killbox program, select the Delete on Reboot option
In the field labeled Full Path of File to Delete copy the file path listed below and paste it in the field:

C:\Program Files\voqxsqxv\profile.dat

Press the button that looks like a red circle with a white X in it. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the YES button.

Please let me know if you received any kind of error message.

After reboot, try to delete the folder again. Please let me know how it goes :)
  • 0

#42
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
the folder is gone. i have also posted a fresh HJT log
Logfile of HijackThis v1.99.1
Scan saved at 11:27:53 AM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#43
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, great! :tazz:

Please delete remwinik.zip and remwinik folder I had you download previously. I have updated it, so please be sure to use this new one!

Please download remwinik.zip from here: Attached File  remwinik.zip   25.37KB   37 downloads

Unzip it to your desktop but don't do anything with it yet.

Reboot into Safe Mode.

Once in safe mode go into the remwinik folder and double-click remwinik.bat. (Don't do anything with process.exe). A window will open for a few seconds and your desktop will disappear and reappear, this is all normal.

After that, while still in Safe Mode, run HiJackThis. Place a check next to this item, if found, and click FIX CHECKED (let me know whether or not it was there please):

O4 - HKLM\..\Run: [cQpGQ11w] C:\PROGRA~1\voqxsqxv\ZYwCE8hM.exe

Close HiJackThis.

Reboot into normal mode, rescan with HiJackThis and post the new HiJackThis log please.
  • 0

#44
cyrawhite

cyrawhite

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:04:18 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\cyramitchell\My Documents\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\cyramitchell\Application Data\Mozilla\Profiles\default\U0UGEP0T.SLT\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#45
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hello cyra :)

You'll be happy to know that it's finally gone from your log :tazz:

Now, please make sure this file is gone:

C:\Windows\System32\Drivers\WinIK.sys

Let me know whether or not it's still there, please :)

Also, please let me know if you're having any other problems!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP