Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problems After Smitfraud Removal [RESOLVED]

Started by amongstthestars , Sep 08 2005 07:28 PM

  • This topic is locked This topic is locked

#16
Trevuren
Posted 09 September 2005 - 05:19 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download the following program HOSTER.

2. Unzip and run the program.

3. You will be presented with a screen where you will find the following option:Restore Microsoft Original Hosts. Press it and Close the program.

4. Reboot your system.

5. We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===> Command Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:
  • Open HJT
  • Click on Config>>Misc Tools>>Delete an NT Service
  • Copy/Paste cmdService in the space provided and click OK
  • The program will ask you to REBOOT --- Accept
  • REBOOT into SAFE MODE
  • Using Windows Explorer, locate and DELETE the following file (if it still is present):

    C:\WINDOWS\T3duZXIA<===Folder

  • REBOOT back into Normal Mode
6. Run HijackThis, click SCAN, place a checkmark beside the following items:

All the 016 entries

After all the items have been checked, with all windows closed, click Fix Checked, and EXIT the program.

7. Reboot your system

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

Advertisements

#17
amongstthestars
Posted 09 September 2005 - 06:02 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Here you go! It must be getting better, since I am now booting in normal without automatic reboots and just one error msg.


Logfile of HijackThis v1.99.1
Scan saved at 7:59:57 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\System32\apisvc.exe
C:\WINNT\System32\medgs1.exe
C:\WINNT\System32\gms2.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINNT\System32\apisvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
C:\WINNT\System32\eatxow.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalefinder.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {14513AA9-FF3E-F8C5-4833-AF2FF1E3FBE4} - C:\WINNT\System32\jvwmpf.dll
O2 - BHO: SDWin32 Class - {349938C6-11A5-4A70-BBFA-88710BE6FDCF} - C:\WINNT\System32\ivosj.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\System32\pkshgdwj.dll
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINNT\System32\apisvc.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINNT\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\ngprig.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dnam] C:\WINNT\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [znprecc] C:\WINNT\System32\eatxow.exe r
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [pshower] C:\WINNT\System32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: RollerCoaster Tycoon 3_ Cape Typhoon Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{3C6D9666-2D87-4333-926A-283B5215A0C5}\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\ATR1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Internet\cwshredder.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#18
Trevuren
Posted 09 September 2005 - 06:21 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I want all these services cleaned up before we proceed.

We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>CWShredder Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste CWShredder Service in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\Internet\cwshredder.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#19
amongstthestars
Posted 09 September 2005 - 06:33 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
After removing cwshredder


Logfile of HijackThis v1.99.1
Scan saved at 8:32:05 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\azhuer.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\System32\apisvc.exe
C:\WINNT\System32\medgs1.exe
C:\WINNT\System32\gms2.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINNT\System32\opr.exe
C:\WINNT\System32\apisvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\services.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalefinder.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {14513AA9-FF3E-F8C5-4833-AF2FF1E3FBE4} - C:\WINNT\System32\jvwmpf.dll
O2 - BHO: SDWin32 Class - {349938C6-11A5-4A70-BBFA-88710BE6FDCF} - C:\WINNT\System32\ivosj.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\System32\pkshgdwj.dll
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINNT\System32\apisvc.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINNT\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\ngprig.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dnam] C:\WINNT\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [dbpypy] C:\WINNT\System32\azhuer.exe r
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [pshower] C:\WINNT\System32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: RollerCoaster Tycoon 3_ Cape Typhoon Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{3C6D9666-2D87-4333-926A-283B5215A0C5}\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\ATR1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#20
Trevuren
Posted 09 September 2005 - 06:42 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

1. Download Ewido Security Suite.

2. Download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in.
  • Install Ad-Aware using the default options.
  • Then install vx2cleaner_inst.exe, using all the defaults there as well.
3. Run Ad-Aware
  • Update to the latest definitions
  • Then click on Add-ons in the lefthand column.
  • Select VX2 Cleaner V2.0 and click Run Tool. Click "OK".
  • If something is found, click "Clean" as in the directions given.
  • Click "Close", and EXIT Ad-Aware.
4. Reboot your PC and run Ad-Aware again.
  • This time, click on the Start button in Ad-Aware
  • Select "Perform smart system scan" and click Next.
  • Once the scan finishes, click "Next" again.
  • Select all objects found ("right click anywhere in the list of found objects and click "Select All Objects").
  • Click "Next" one more time, then "OK" to confirm the removal.
  • You will be prompted to set Ad-Aware to run on reboot, click "OK".
  • Exit Ad-Aware
  • REBOOT your PC
  • When Ad-Aware starts up, click on "Start", then "Next".
  • Follow the steps above if anything is found, or click "Finish", then EXIT Ad-Aware.
5. For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
6. Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Regards,

Trevuren
  • 0

#21
amongstthestars
Posted 09 September 2005 - 08:56 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
This took me a while because I ran into some complications. When I tried to run Ewido in normal mode, it scanned for about 15 minutes when I got a blue screen stating that windows encountered an error and shut down to protect the computer. After a second fail, I ran Ewido in Safe Mode. However, upon reboot, I got a msg stating that the file C:\WINNT\Nail.exe could not be found.




The first log is the Ewido, followed by the Hijack



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:49:25 PM, 9/9/2005
+ Report-Checksum: BCE3F68C

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned without backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned without backup
[1744] C:\WINNT\System32\wvjtje.exe -> Trojan.Agent.cp : Error during cleaning
C:\backup.zip/DzPMon.dll -> Spyware.Look2Me : Cleaned without backup
C:\backup.zip/il32_32.dll -> Spyware.Look2Me : Cleaned without backup
C:\backup.zip/ppotowiz.dll -> Spyware.Look2Me : Cleaned without backup
C:\backup.zip/smcfiles.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X8ZCLUPR\rcverlib[1].exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Tools\tools.dll -> Spyware.MediaBack : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Tools\tools.exe -> Spyware.MediaBack : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dukp.exe -> Trojan.Pakes : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Adorigin : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\bwf1003.exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\DelAB.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\i61.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_104.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_110.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\pcs_0009.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\pcs_0022.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0006.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0009.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0016.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0022.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\resA2.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\sntaudio.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Stb.exe -> TrojanDownloader.Agent.tf : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\TP04RUD8.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6JU3M56N\pcs_0009[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6JU3M56N\protector[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6JU3M56N\trk_0002[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8PKT63GT\trk_0009[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SQ9MN3P\pcs_0022[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9SQ9MN3P\trk_0006[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BBXNV50W\CAQVSXA7 -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BBXNV50W\inst10[1].exe -> TrojanDownloader.Small.bem : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BBXNV50W\inst4[1].exe -> TrojanDownloader.Small.bem : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BBXNV50W\Poller[1].exe -> Trojan.Agent.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BUD2UY29\index[1].exe -> Backdoor.Lamebot.c : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BUD2UY29\trk_0022[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DZZY353P\pcs_0012[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GZJBUSLP\aurora[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GZJBUSLP\installer_PIVOTAL_5_DB[1].cab/installer_PIVOTAL_5_DB.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HSGJ5109\abiuninst[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MERJ8XPQ\nsh_104[1].exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ODI741UR\maxifilesdns[1].zip/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S1CZ8FGZ\DrPMon[1].dll -> Trojan.Agent.db : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S1CZ8FGZ\nsh_110[1].exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9MJGTYN\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9MJGTYN\trk_0016[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y97WH03U\dnscatcher[1].exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Internet\HiJackThis\Hijackthis\backups\backup-20050909-195429-890.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned without backup
C:\Internet\Netscape\plugins\npzango.dll -> Spyware.WinAD : Cleaned without backup
C:\Program Files\CMAPP\Client\cmappclient.exe -> Spyware.CASClient : Cleaned without backup
C:\Program Files\CMAPP\cmappstub.exe -> TrojanDownloader.Agent.tf : Cleaned without backup
C:\Program Files\Common Files\mc-58-12-0000120.exe -> TrojanDownloader.Agent.rv : Cleaned without backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned without backup
C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned without backup
C:\RECYCLER\S-1-5-21-1072085832-1002326630-3632376074-500\Dc62\Installer.exe -> Spyware.Look2Me : Cleaned without backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\index.exe -> Backdoor.Lamebot.c : Cleaned without backup
C:\WINNT\Downloaded Program Files\index.exe -> Backdoor.Lamebot.c : Cleaned without backup
C:\WINNT\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINNT\system32\adupdater.exe -> Spyware.Adstart : Cleaned without backup
C:\WINNT\system32\apisvc.exe -> Backdoor.Lamebot.c : Cleaned without backup
C:\WINNT\system32\dfjksfd.dll -> TrojanDownloader.Qoologic.ac : Cleaned without backup
C:\WINNT\system32\drnoa.dll -> TrojanDownloader.Qoologic.ac : Cleaned without backup
C:\WINNT\system32\dun.exe -> Spyware.DealHelper : Cleaned without backup
C:\WINNT\system32\ivosjd.exe -> Spyware.Adstart : Cleaned without backup
C:\WINNT\system32\ivosjf.exe -> Spyware.Adstart : Cleaned without backup
C:\WINNT\system32\jvwmpf.dll -> Spyware.PurityScan : Cleaned without backup
C:\WINNT\system32\kxg4sx.exe -> TrojanDownloader.Qoologic.ac : Cleaned without backup
C:\WINNT\system32\kxrtoxk.dll -> TrojanDownloader.Qoologic.af : Cleaned without backup
C:\WINNT\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned without backup
C:\WINNT\system32\netlanm.dll -> Spyware.SafeSurfing : Cleaned without backup
C:\WINNT\system32\ngprig.exe -> Trojan.Pakes : Cleaned without backup
C:\WINNT\system32\NNSCAA638.EXE -> Spyware.NewDotNet : Cleaned without backup
C:\WINNT\system32\nso44.dll -> Spyware.HotSearchBar : Cleaned without backup
C:\WINNT\system32\pkshgdwj.dll -> Spyware.SafeSurfing : Cleaned without backup
C:\WINNT\system32\pshwr.exe -> Spyware.SafeSurfing : Cleaned without backup
C:\WINNT\system32\qgabk.dat -> TrojanDownloader.Qoologic.ac : Cleaned without backup
C:\WINNT\system32\Sriwzn.exe -> Spyware.DealHelper : Cleaned without backup
C:\WINNT\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned without backup
C:\WINNT\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned without backup
C:\WINNT\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned without backup
C:\WINNT\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned without backup
C:\WINNT\system32\wvjtje.exe -> Trojan.Agent.ay : Cleaned without backup


::Report End








Logfile of HijackThis v1.99.1
Scan saved at 10:52:48 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.psguard.com/?aff=27&sub=0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {14513AA9-FF3E-F8C5-4833-AF2FF1E3FBE4} - C:\WINNT\System32\jvwmpf.dll (file missing)
O2 - BHO: SDWin32 Class - {349938C6-11A5-4A70-BBFA-88710BE6FDCF} - C:\WINNT\System32\ivosj.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\System32\pkshgdwj.dll (file missing)
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINNT\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dnam] C:\WINNT\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [kapezod] C:\WINNT\System32\wexhrwm.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0022.exe
O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINNT\vx2cleaner.dlx (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\HiJackThis\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#22
Trevuren
Posted 09 September 2005 - 09:13 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>System Startup Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste SvcProc in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\svcproc.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#23
amongstthestars
Posted 09 September 2005 - 09:23 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:22:05 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\System32\medgs1.exe
C:\WINNT\System32\gms2.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\WINNT\System32\bqzefcf.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Internet\HiJackThis\security suite\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalefinder.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {14513AA9-FF3E-F8C5-4833-AF2FF1E3FBE4} - C:\WINNT\System32\jvwmpf.dll (file missing)
O2 - BHO: SDWin32 Class - {349938C6-11A5-4A70-BBFA-88710BE6FDCF} - C:\WINNT\System32\ivosj.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\System32\pkshgdwj.dll (file missing)
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINNT\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dnam] C:\WINNT\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [vcuecm] C:\WINNT\System32\bqzefcf.exe r
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [pshower] C:\WINNT\System32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: RollerCoaster Tycoon 3_ Cape Typhoon Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{3C6D9666-2D87-4333-926A-283B5215A0C5}\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\ATR1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0022.exe
O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINNT\vx2cleaner.dlx (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\HiJackThis\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#24
Trevuren
Posted 09 September 2005 - 09:38 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive


Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalefinder.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {14513AA9-FF3E-F8C5-4833-AF2FF1E3FBE4} - C:\WINNT\System32\jvwmpf.dll (file missing)
O2 - BHO: SDWin32 Class - {349938C6-11A5-4A70-BBFA-88710BE6FDCF} - C:\WINNT\System32\ivosj.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINNT\System32\pkshgdwj.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINNT\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [dnam] C:\WINNT\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [vcuecm] C:\WINNT\System32\bqzefcf.exe r
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [pshower] C:\WINNT\System32\pshwr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: RollerCoaster Tycoon 3_ Cape Typhoon Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{3C6D9666-2D87-4333-926A-283B5215A0C5}\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\ATR1.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0022.exe
O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINNT\vx2cleaner.dlx (file missing)




Now with all the items selected and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to Start To Safe Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Safe Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Safe mode from the startup menu,
*press Enter
*Windows starts in Safe mode.
*Restart your computer when finished troubleshooting

Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

C:\WINNT\System32\medgs1.exe
C:\WINNT\System32\gms2.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\InSearch.exe
C:\Program Files\winCMAPP<==Folder
C:\WINNT\System32\bqzefcf.exe
C:\WINNT\Nail.exe
C:\WINNT\System32\jvwmpf.dll
C:\WINNT\System32\ivosj.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools<==Folder
C:\WINNT\System32\pkshgdwj.dll
C:\Program Files\DNS\Catcher.dll
C:\WINNT\System32\PSof1.exe
C:\WINNT\System32\exp.exe
C:\WINNT\System32\opr.exe
AUNPS2.DLL<==You will have to Search for this one
C:\WINNT\system32\d140113.a.Stub.EXE
C:\WINNT\System32\pshwr.exe
C:\Program Files\SurfSideKick 3<==Folder
C:\Program Files\Cas<==Folder
C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
C:\Program Files\Common Files\mc-58-12-0000120.exe
C:\Program Files\CMAPP<==Folder
C:\Documents and Settings\Owner\Local Settings\Temp\ATR1.exe
C:\WINNT\vx2cleaner.dlx

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren
  • 0

#25
amongstthestars
Posted 09 September 2005 - 10:27 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:26:36 AM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\plfdncu.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Internet\HiJackThis\security suite\ewidoctrl.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [qnmubo] C:\WINNT\System32\plfdncu.exe r
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\HiJackThis\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#26
Trevuren
Posted 09 September 2005 - 10:30 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

1. Download Ewido Security Suite.

2. Download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in.
  • Install Ad-Aware using the default options.
  • Then install vx2cleaner_inst.exe, using all the defaults there as well.
3. Run Ad-Aware
  • Update to the latest definitions
  • Then click on Add-ons in the lefthand column.
  • Select VX2 Cleaner V2.0 and click Run Tool. Click "OK".
  • If something is found, click "Clean" as in the directions given.
  • Click "Close", and EXIT Ad-Aware.
4. Reboot your PC and run Ad-Aware again.
  • This time, click on the Start button in Ad-Aware
  • Select "Perform smart system scan" and click Next.
  • Once the scan finishes, click "Next" again.
  • Select all objects found ("right click anywhere in the list of found objects and click "Select All Objects").
  • Click "Next" one more time, then "OK" to confirm the removal.
  • You will be prompted to set Ad-Aware to run on reboot, click "OK".
  • Exit Ad-Aware
  • REBOOT your PC
  • When Ad-Aware starts up, click on "Start", then "Next".
  • Follow the steps above if anything is found, or click "Finish", then EXIT Ad-Aware.
5. For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
6. Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Regards,

Trevuren
  • 0

#27
amongstthestars
Posted 10 September 2005 - 04:34 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Here is the log for Hijack and Ewido. I wanted to let you know that during my scans, I got several popups for ms.repair.com, cleantheregistry.com, fixyourregistry.com and cleanitup.com They pose as error messages. Also, when I boot down, I am getting an error message about a missing stirfnet.exe. I was hoping that would clear up by now, but it hasn't.



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:26:22 PM, 9/10/2005
+ Report-Checksum: 7F2B5400

+ Scan result:

HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned without backup
HKU\S-1-5-21-1072085832-1002326630-3632376074-1003\Software\Mvu -> Spyware.Delfin : Cleaned without backup
:mozilla.84:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aw1ccmz5.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned without backup
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_104.exe -> Spyware.Downloadware : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6P036165\nsh_104[1].exe -> Spyware.Downloadware : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AH3GHWBA\inst4[1].exe -> TrojanDownloader.Small.bem : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AH3GHWBA\installer_PIVOTAL_5_DB[1].cab/installer_PIVOTAL_5_DB.exe -> TrojanDownloader.Adload.a : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BBXNV50W\trk_0012[1].exe -> Spyware.Pacer : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HSGJ5109\installer_MARKETING37[1].cab/installer_MARKETING37.exe -> TrojanDownloader.Adload.a : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MERJ8XPQ\pcs_0012[1].exe -> Spyware.Pacer : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X0SFHHK5\inst10[1].exe -> TrojanDownloader.Small.bem : Cleaned without backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.bem : Cleaned without backup
C:\WINNT\system32\adlinstallwin32.exe -> Spyware.Downloadware : Cleaned without backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 6:27:15 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Internet\HiJackThis\security suite\ewidoctrl.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\HiJackThis\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#28
Trevuren
Posted 10 September 2005 - 05:13 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll (file missing)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\DOCUME~1\Owner\LOCALS~1\Temp\urodkvajehw.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren
  • 0

#29
amongstthestars
Posted 10 September 2005 - 05:39 PM

amongstthestars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:38:13 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Internet\HiJackThis\security suite\ewidoctrl.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Internet\HiJackThis\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\iq1c8tpz.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Internet\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Internet\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 7.0\AOL.EXE"
O4 - HKLM\..\Run: [KAZAA] \\Homer\c\INTERNET\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\HiJackThis\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#30
Trevuren
Posted 10 September 2005 - 06:15 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP