Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

continuous pop ups and nail.exe in my computer

Started by mln , Sep 17 2005 05:29 PM

  • Please log in to reply

#1
mln
Posted 17 September 2005 - 05:29 PM

mln

    Member

  • Member
  • PipPip
  • 19 posts
I guess my computer is infected by nail, aurora and surfsidekick. Below is the Hijackthis log and ewido scan log. Please help me with this! I don't know what else to do. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:44:28 PM, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sgiche.exe
C:\WINDOWS\system32\sgiche.exe
C:\DOCUME~1\default\LOCALS~1\Temp\ei.exe
C:\WINDOWS\system32\xrcwayv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SDWin32 Class - {0CEEA5A3-7C49-4638-A2FF-8E1EC964D1FA} - C:\WINDOWS\system32\dehnc.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: SDWin32 Class - {438B5726-500E-476F-B5C7-4F15BA6BE235} - C:\WINDOWS\System32\khiqj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {662FC70C-5F57-4CED-A9F1-F7F2805BD25A} - C:\WINDOWS\system32\chngs.dll (file missing)
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: SDWin32 Class - {9A5DB8B2-E3C9-4549-AE2B-F665BC2FECBD} - C:\WINDOWS\system32\wojeo.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: SDWin32 Class - {CDD9DD86-D904-40C7-BDD5-4FF021D473CE} - C:\WINDOWS\system32\smnoy.dll (file missing)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vkdih] C:\WINDOWS\vkdih.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ahml8aa] C:\WINDOWS\rgwggcth.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [wrwvebih] C:\WINDOWS\wrwvebih.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\default\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [uzofqr] C:\WINDOWS\uzofqr.exe
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\default\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [virus 09-13-2005 TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWS\system32\apaida.exe reg_run
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apaida.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [umnwsu] C:\WINDOWS\system32\xrcwayv.exe r
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Rnus] C:\Program Files\aeao\ucaw.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [sgiche] C:\WINDOWS\system32\sgiche.exe
O4 - HKCU\..\RunOnce: [sgiche] C:\WINDOWS\system32\sgiche.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: virus nkni.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\twpmonui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


***************************
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:11:55 PM, 9/16/2005
+ Report-Checksum: 159754E9

+ Scan result:

HKLM\SOFTWARE\Classes\Applications\funcade.exe -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Applications\funcade.exe\shell -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
[572] C:\WINDOWS\system32\itpeers.dll -> Spyware.Look2Me : Cleaned with backup
[656] C:\WINDOWS\system32\fefwk.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[568] C:\WINDOWS\system32\mlcms.dll -> Spyware.Look2Me : Cleaned with backup
[788] C:\DOCUME~1\default\LOCALS~1\Temp\ei.exe -> TrojanDownloader.Small.bgl : Cleaned with backup
[760] C:\WINDOWS\system32\xrcwayv.exe -> Trojan.Agent.cp : Cleaned with backup
:mozilla.35:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.36:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.37:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.65:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.70:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.83:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.86:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.87:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.88:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.130:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.132:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.133:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.135:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.136:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.137:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.139:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.141:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.142:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.143:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.144:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.145:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.146:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.147:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.148:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.149:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.150:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.170:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.171:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.175:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.176:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.177:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.178:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.181:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.182:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.183:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.203:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.204:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.205:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.209:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.210:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.211:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.212:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.213:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.215:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.219:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.220:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.226:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.227:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.228:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.229:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.230:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.231:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.232:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.234:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.251:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.253:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.276:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.277:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.278:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.279:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.286:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.287:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.288:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
-> : Error during cleaning
:mozilla.312:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.329:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.330:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.331:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.333:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.334:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.337:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.338:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.340:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.341:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.342:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.344:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.346:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.376:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.377:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.378:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.379:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.380:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.384:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.385:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.386:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.387:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
-> : Error during cleaning
:mozilla.401:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.427:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.472:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.473:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.474:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.484:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.500:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.501:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.503:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.504:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.513:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.514:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.515:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.544:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.545:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.562:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.563:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.564:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.565:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.569:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.582:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.583:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.585:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.586:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.587:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.588:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.590:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.591:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.592:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.598:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.599:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.600:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.621:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.626:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.634:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.643:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.650:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.657:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.665:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.681:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.682:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.683:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.684:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.687:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.694:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.695:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.733:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.734:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.735:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.845:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.846:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.851:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.11:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.13:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.15:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.16:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.19:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.61:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.62:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.63:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.64:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.98:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.99:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.100:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.101:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.128:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.133:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.135:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.152:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.254:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.281:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.282:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.302:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.305:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.306:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.319:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.320:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.321:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.334:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.335:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.336:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.337:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.338:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.354:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.355:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.380:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.382:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies.txt -> Spywa
  • 0

Advertisements

#2
loophole
Posted 20 September 2005 - 06:31 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. If your problem has been fixed please
respond and let us know.

Thanks
  • 0

#3
mln
Posted 20 September 2005 - 07:16 PM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks! New Hijack scan result as below.
Logfile of HijackThis v1.99.1
Scan saved at 9:07:16 PM, on 9/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ZGVmYXVsdAAA\command.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\medgs1.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\win32073221617317.exe
C:\WINDOWS\system32\zyxgcix.exe
C:\Program Files\aeao\ucaw.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Netscape\Netscape 6\netscp6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - {4552D449-FCD2-992A-6A3A-CCF06BB534A1} - C:\WINDOWS\Ejauktwx.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SDWin32 Class - {0CEEA5A3-7C49-4638-A2FF-8E1EC964D1FA} - C:\WINDOWS\system32\dehnc.dll (file missing)
O2 - BHO: SDWin32 Class - {438B5726-500E-476F-B5C7-4F15BA6BE235} - C:\WINDOWS\System32\khiqj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {662FC70C-5F57-4CED-A9F1-F7F2805BD25A} - C:\WINDOWS\system32\chngs.dll (file missing)
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: SDWin32 Class - {9A5DB8B2-E3C9-4549-AE2B-F665BC2FECBD} - C:\WINDOWS\system32\wojeo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: SDWin32 Class - {CDD9DD86-D904-40C7-BDD5-4FF021D473CE} - C:\WINDOWS\system32\smnoy.dll (file missing)
O2 - BHO: (no name) - {FC458B08-B687-4397-A7DE-2976E2CAA911} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {DEE594EE-7C5E-5D12-6FBF-DBFAF8443B0B} - C:\WINDOWS\Ejauktwx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vkdih] C:\WINDOWS\vkdih.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ahml8aa] C:\WINDOWS\rgwggcth.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [wrwvebih] C:\WINDOWS\wrwvebih.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [uzofqr] C:\WINDOWS\uzofqr.exe
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [virus 09-13-2005 TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [win32073221617317] C:\WINDOWS\win32073221617317.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWS\system32\zyxgcix.exe r
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\default\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [zqbgqv] C:\WINDOWS\system32\zyxgcix.exe r
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Rnus] C:\Program Files\aeao\ucaw.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [morr] C:\PROGRA~1\COMMON~1\morr\morrm.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....3/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: OpenGLDrivers - C:\WINDOWS\system32\twpmonui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
loophole
Posted 20 September 2005 - 09:30 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I see you have been infected by malware. This will take a at least a few steps to remove
Please follow the directions as closely as you can .

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed Close Ewido

Download and install CleanUp! Here
but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

1.Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.

Install Ad-Aware using the default options


2. Download the VX2 Cleaner Plug-in Here

Then install vx2cleaner, using all the defaults there as well.

3. Run Ad-Aware
*Update to the latest definitions
*Then click on Add-ons in the lefthand column.
*Select VX2 Cleaner V2.0 and click Run Tool. Click "OK".
*If something is found, click "Clean" as in the directions given.
*Click "Close", and EXIT Ad-Aware.
4. Reboot your PC and run Ad-Aware again.
*This time, click on the Start button in Ad-Aware
*Select "Perform smart system scan" and click Next.
*Once the scan finishes, click "Next" again.
*Select all objects found ("right click anywhere in the list of found objects and *click "Select All Objects").
*Click "Next" one more time, then "OK" to confirm the removal.
*You will be prompted to set Ad-Aware to run on reboot, click "OK".
*Exit Ad-Aware
Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Please remove these entries from Add/Remove Programs in the Control Panel(if present):
aeao
Cas
TV Media


Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

Folders to delete go here

C:\program files\aeao
C:\program files\Cas
C:\program files\TV Media

Now open Ad-Aware, click on "Start", then "Next".
Follow the steps above if anything is found, or click "Finish", then EXIT Ad-Aware.

Now run cleanup

Open Ewido
:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SDWin32 Class - {0CEEA5A3-7C49-4638-A2FF-8E1EC964D1FA} - C:\WINDOWS\system32\dehnc.dll (file missing)
O2 - BHO: SDWin32 Class - {438B5726-500E-476F-B5C7-4F15BA6BE235} - C:\WINDOWS\System32\khiqj.dll (file missing)
O2 - BHO: SDWin32 Class - {662FC70C-5F57-4CED-A9F1-F7F2805BD25A} - C:\WINDOWS\system32\chngs.dll (file missing)
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: SDWin32 Class - {9A5DB8B2-E3C9-4549-AE2B-F665BC2FECBD} - C:\WINDOWS\system32\wojeo.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot and post the Ewido log and a New Hijack log to review .

Thanks :tazz:
  • 0

#5
mln
Posted 21 September 2005 - 08:16 PM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
While I was removing programs in Control Panel, I found these unfamiliar programs. Don't know if these are trash!

Customizable Alerts
Golden Tiger Casino
Monitor 1.0
Set Browser (Remove only)
Viewpoint Media player
Wex Tech AnswerWorks
Winhancer 1.0
YourEnhance 1.0

New Hijackthis log and ewido log:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:58 PM, on 9/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - {4552D449-FCD2-992A-6A3A-CCF06BB534A1} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: SDWin32 Class - {0CEEA5A3-7C49-4638-A2FF-8E1EC964D1FA} - C:\WINDOWS\system32\dehnc.dll (file missing)
O2 - BHO: SDWin32 Class - {438B5726-500E-476F-B5C7-4F15BA6BE235} - C:\WINDOWS\System32\khiqj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {662FC70C-5F57-4CED-A9F1-F7F2805BD25A} - C:\WINDOWS\system32\chngs.dll (file missing)
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: SDWin32 Class - {9A5DB8B2-E3C9-4549-AE2B-F665BC2FECBD} - C:\WINDOWS\system32\wojeo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: SDWin32 Class - {CDD9DD86-D904-40C7-BDD5-4FF021D473CE} - C:\WINDOWS\system32\smnoy.dll (file missing)
O2 - BHO: (no name) - {FC458B08-B687-4397-A7DE-2976E2CAA911} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {DEE594EE-7C5E-5D12-6FBF-DBFAF8443B0B} - C:\WINDOWS\Ejauktwx.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vkdih] C:\WINDOWS\vkdih.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ahml8aa] C:\WINDOWS\rgwggcth.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [wrwvebih] C:\WINDOWS\wrwvebih.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [uzofqr] C:\WINDOWS\uzofqr.exe
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [virus 09-13-2005 TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [win32073221617317] C:\WINDOWS\win32073221617317.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\default\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys021731732216] C:\WINDOWS\sys021731732216.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Rnus] C:\Program Files\aeao\ucaw.exe
O4 - HKCU\..\Run: [morr] C:\PROGRA~1\COMMON~1\morr\morrm.exe
O4 - HKCU\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\Juno\exec.exe regrun
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....4/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: ShellExtensions - C:\WINDOWS\system32\twpmonui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

EWIDO LOG:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:45:01 PM, 9/21/2005
+ Report-Checksum: 7EF27DA6

+ Scan result:

[136] C:\WINDOWS\system32\twpmonui.dll -> Spyware.Look2Me : Error during cleaning
[244] C:\WINDOWS\system32\ndtdet.dll -> Spyware.Look2Me : Error during cleaning
[452] C:\WINDOWS\system32\ndtdet.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.267:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.200:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.201:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.202:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.203:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.204:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.205:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.206:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.207:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.208:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.210:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
:mozilla.89:C:\WINDOWS\Application Data\Mozilla\Profiles\minlinar\ph6t5aau.slt\cookies.txt -> Spyware.Cookie.Admonitor : Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll_tobedeleted -> Trojan.Agent.iw : Cleaned with backup
D:\virus 09-15-05 DrPMon.dll_tobedeleted -> Trojan.Agent.iw : Cleaned with backup


::Report End---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:45:01 PM, 9/21/2005
+ Report-Checksum: 7EF27DA6

+ Scan result:

[136] C:\WINDOWS\system32\twpmonui.dll -> Spyware.Look2Me : Error during cleaning
[244] C:\WINDOWS\system32\ndtdet.dll -> Spyware.Look2Me : Error during cleaning
[452] C:\WINDOWS\system32\ndtdet.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.267:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yw198mai.default\cookies-1.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
:mozilla.200:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.201:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.202:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.203:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.204:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.205:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.206:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.207:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.208:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.210:C:\Documents and Settings\default\Application Data\Mozilla\Profiles\minlinar\rz2e4x9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
:mozilla.89:C:\WINDOWS\Application Data\Mozilla\Profiles\minlinar\ph6t5aau.slt\cookies.txt -> Spyware.Cookie.Admonitor : Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll_tobedeleted -> Trojan.Agent.iw : Cleaned with backup
D:\virus 09-15-05 DrPMon.dll_tobedeleted -> Trojan.Agent.iw : Cleaned with backup


::Report End
  • 0

#6
loophole
Posted 22 September 2005 - 10:13 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
  • 0

#7
mln
Posted 23 September 2005 - 05:31 PM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks a lot for your help!
please see the l2mfix scan result below.
(By the way I couldn't start my computer in normal mode after last fix. This new scan is performed in safe mode with network mode.)

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\oeffilt.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\twpmonui.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{50190B7A-D3FA-F559-49D8-495A1E8D5435}"=""

**********************************************************************************
Shell Extension key:
Invalid switch
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Sat Sep 3 2005 11:23:34p A.... 687,592 671.48 K
dplayx.dll Sun Sep 18 2005 11:25:16a A.... 220,432 215.27 K
dpwsockx.dll Sun Sep 18 2005 11:25:16a A.... 44,304 43.27 K
faxui.dll Wed Jul 13 2005 12:22:02a A.... 138,000 134.77 K
fefwk.dll Thu Sep 22 2005 8:38:20p A.... 133,120 130.00 K
gwfspi~1.dll Mon Aug 29 2005 1:27:06p A.... 23,304 22.76 K
icm32.dll Tue Jun 28 2005 9:30:56p A.... 246,032 240.27 K
iriolio.dll Fri Sep 23 2005 7:14:58p A.... 181,760 177.50 K
legitc~1.dll Mon Aug 29 2005 1:27:12p A.... 520,968 508.76 K
mldet.dll Fri Sep 23 2005 11:54:08a ..S.R 417,792 408.00 K
mscms.dll Tue Jun 28 2005 9:30:56p A.... 69,904 68.27 K
mshtml.dll Mon Jul 18 2005 4:22:12p A.... 2,699,264 2.57 M
oeffilt.dll Thu Sep 22 2005 8:31:14p ..S.R 417,792 408.00 K
s32evnt1.dll Thu Jul 28 2005 2:52:18p A.... 91,856 89.70 K
sjtupapi.dll Fri Sep 23 2005 6:35:44p ..S.R 417,792 408.00 K
spoolss.dll Wed Jul 13 2005 12:22:02a A.... 81,168 79.27 K
tapisrv.dll Sat Jul 2 2005 1:30:14a A.... 175,888 171.77 K
umpnpmgr.dll Tue Jun 28 2005 11:45:16p A.... 89,360 87.27 K
win32spl.dll Wed Jul 13 2005 12:22:02a A.... 88,848 86.77 K

19 items found: 19 files (3 H/S), 0 directories.
Total of file sizes: 6,745,176 bytes 6.43 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 6066-4DCA

Directory of C:\WINDOWS\System32

09/23/2005 06:35p 417,792 SJTUPAPI.DLL
09/23/2005 11:54a 417,792 mldet.dll
09/22/2005 08:31p 417,792 oeffilt.dll
09/22/2005 07:46p <DIR> dllcache
3 File(s) 1,253,376 bytes
1 Dir(s) 11,679,819,776 bytes free
  • 0

#8
loophole
Posted 24 September 2005 - 12:51 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Not sure about the normal mode problem bbut we will figure it out

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
  • 0

#9
mln
Posted 24 September 2005 - 07:20 AM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks!
Below is the new Hijackthis scan result and l2mfix report.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:56 AM, on 9/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - {4552D449-FCD2-992A-6A3A-CCF06BB534A1} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: SDWin32 Class - {CDD9DD86-D904-40C7-BDD5-4FF021D473CE} - C:\WINDOWS\system32\smnoy.dll (file missing)
O2 - BHO: (no name) - {FC458B08-B687-4397-A7DE-2976E2CAA911} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {DEE594EE-7C5E-5D12-6FBF-DBFAF8443B0B} - C:\WINDOWS\Ejauktwx.dll
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [wrwvebih] C:\WINDOWS\wrwvebih.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\default\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [win32073221617317] C:\WINDOWS\win32073221617317.exe
O4 - HKLM\..\Run: [vkdih] C:\WINDOWS\vkdih.exe
O4 - HKLM\..\Run: [uzofqr] C:\WINDOWS\uzofqr.exe
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [sys021731732216] C:\WINDOWS\sys021731732216.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ms043173221617] C:\WINDOWS\ms043173221617.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ahml8aa] C:\WINDOWS\rgwggcth.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apaida.exe reg_run
O4 - HKLM\..\Run: [virus 09-13-2005 TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Rnus] C:\Program Files\aeao\ucaw.exe
O4 - HKCU\..\Run: [morr] C:\PROGRA~1\COMMON~1\morr\morrm.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: nkni.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....4/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\twpmonui.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


L2MFIX REPORT

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 644 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ihctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ihctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mldet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mldet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oeffilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oeffilt.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\ihctl.dll
Successfully Deleted: C:\WINDOWS\system32\ihctl.dll
deleting: C:\WINDOWS\system32\ihctl.dll
Successfully Deleted: C:\WINDOWS\system32\ihctl.dll
deleting: C:\WINDOWS\system32\mldet.dll
Successfully Deleted: C:\WINDOWS\system32\mldet.dll
deleting: C:\WINDOWS\system32\mldet.dll
Successfully Deleted: C:\WINDOWS\system32\mldet.dll
deleting: C:\WINDOWS\system32\oeffilt.dll
Successfully Deleted: C:\WINDOWS\system32\oeffilt.dll
deleting: C:\WINDOWS\system32\oeffilt.dll
Successfully Deleted: C:\WINDOWS\system32\oeffilt.dll


Zipping up files for submission:
adding: comnevnt.dll (124 bytes security) (deflated 65%)
adding: DrPMon.dll_tobedeleted.dll (92 bytes security) (deflated 93%)
adding: ihctl.dll (92 bytes security) (deflated 48%)
adding: mldet.dll (92 bytes security) (deflated 48%)
adding: npdrmv2.dll (124 bytes security) (deflated 51%)
adding: oeffilt.dll (92 bytes security) (deflated 48%)
adding: BellSouthIW.reg (92 bytes security) (deflated 93%)
adding: canon00028.reg (92 bytes security) (deflated 93%)
adding: clear.reg (92 bytes security) (deflated 2%)
adding: export rasman key.reg (92 bytes security) (deflated 90%)
adding: registry file.reg (92 bytes security) (deflated 70%)
adding: Dumplog.txt (124 bytes security) (stored 0%)
adding: EULA.txt (124 bytes security) (deflated 55%)
adding: lo2.txt (92 bytes security) (deflated 75%)
adding: LuResult.txt (92 bytes security) (deflated 14%)
adding: readme.txt (124 bytes security) (deflated 72%)
adding: Rescued document 1.txt (92 bytes security) (deflated 95%)
adding: Rescued document 2.txt (92 bytes security) (deflated 98%)
adding: Rescued document.txt (124 bytes security) (deflated 94%)
adding: test.txt (92 bytes security) (deflated 76%)
adding: test2.txt (92 bytes security) (stored 0%)
adding: test3.txt (92 bytes security) (stored 0%)
adding: test5.txt (92 bytes security) (stored 0%)
adding: vx2logs.txt (92 bytes security) (stored 0%)
adding: xfind.txt (92 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ihctl.dll
deleting local copy: ihctl.dll
deleting local copy: mldet.dll
deleting local copy: mldet.dll
deleting local copy: oeffilt.dll
deleting local copy: oeffilt.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\twpmonui.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ihctl.dll
C:\WINDOWS\system32\ihctl.dll
C:\WINDOWS\system32\mldet.dll
C:\WINDOWS\system32\mldet.dll
C:\WINDOWS\system32\oeffilt.dll
C:\WINDOWS\system32\oeffilt.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

#10
loophole
Posted 25 September 2005 - 02:18 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ok lets start cleaning :tazz:

Click here to download Pocket Killbox by Option^Explicit

Download and install CleanUp! Here
but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups

You may wish to print out a copy of these instructions to follow while you complete this procedure

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R3 - URLSearchHook: (no name) - {4552D449-FCD2-992A-6A3A-CCF06BB534A1} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: SDWin32 Class - {CDD9DD86-D904-40C7-BDD5-4FF021D473CE} - C:\WINDOWS\system32\smnoy.dll (file missing)
O2 - BHO: (no name) - {FC458B08-B687-4397-A7DE-2976E2CAA911} - C:\WINDOWS\Ejauktwx.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {DEE594EE-7C5E-5D12-6FBF-DBFAF8443B0B} - C:\WINDOWS\Ejauktwx.dll
O4 - HKLM\..\Run: [wrwvebih] C:\WINDOWS\wrwvebih.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\default\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [win32073221617317] C:\WINDOWS\win32073221617317.exe
O4 - HKLM\..\Run: [vkdih] C:\WINDOWS\vkdih.exe
O4 - HKLM\..\Run: [uzofqr] C:\WINDOWS\uzofqr.exe
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [sys021731732216] C:\WINDOWS\sys021731732216.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [ms043173221617] C:\WINDOWS\ms043173221617.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [ahml8aa] C:\WINDOWS\rgwggcth.exe
O4 - HKLM\..\Run: [virus 09-13-2005 TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Rnus] C:\Program Files\aeao\ucaw.exe
O4 - HKCU\..\Run: [morr] C:\PROGRA~1\COMMON~1\morr\morrm.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....4/installer.exe
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\twpmonui.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there. dont worry if they are not all there . just delete the files that are in there

C:\WINDOWS\wrwvebih.exe
C:\WINDOWS\win32073221617317.exe
C:\WINDOWS\vkdih.exe
C:\WINDOWS\uzofqr.exe
C:\WINDOWS\unqdup.exe
C:\WINDOWS\sys021731732216.exe
C:\WINDOWS\system32\opr.exe
C:\WINDOWS\ms043173221617.exe
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\rgwggcth.exe
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\WINDOWS\Ejauktwx.dll

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES.*NOTE* You will be rebooting into safemode

Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Please click start >>>>> run and type in sc stop cmdService

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

DNS
aeao
Cas
TV Media


Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\Program Files\aeao
C:\Program Files\TV Media
C:\Program Files\Cas
C:\Program Files\DNS
C:\WINDOWS\ZGVmYXVsdAAA


Please click start >>>>> run and type in sc delete cmdService

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program

Reboot to Normal mode

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind and a new Hijack log
Thanks :)

Edited by loophole, 25 September 2005 - 02:23 AM.

  • 0

Advertisements

#11
mln
Posted 26 September 2005 - 07:05 AM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi, I have some processes that I couldn't perform.
1. when I type in sc stop/delete cmdService as instructed, I got the following in message "Cannot find the file "SC"(or one of its components) Make sure the path and filename are correct and that all required libraires are available.
2. At clean up , the delete prefetch file option is disabled.
3. After the clean up I am suppose to run in normal mode, but I got the stop 0x0000001E blue screen, so I do the rest under safe mode with networking and safe mode.
4. When I run WinPfind, the application freeze after I got the following error message. " Virtual memory minimun too low. Your system is low in virtual memory, windows is increasing the size of your virtual memory paging file. During this process, Memory requests for some applications may be denied. " Even though I keep the application running after this error message for a whole night, I still didn't get any result.
The followings are the two scan results that I got before the application freeze!
winshutdown 09/24/2005 9:04:40pm 10096 C:\log.txt
Upx! 05/19/2003 12:18:56pm 343103505 c:\ms2000.zip

I also posted the new Hijackthis result and the Track qoo scan result. I don't know if this would provide you enough info since I couldn't run the winpfind. Please let me know what should i do. I really appreciate your help!

Logfile of HijackThis v1.99.1
Scan saved at 7:22:37 AM, on 9/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apaida.exe reg_run
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourMonitor"="C:\\WINDOWS\\YourMonitor"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"unqdup"="C:\\WINDOWS\\unqdup.exe"
"testit.exe"="C:\\WINDOWS\\system32\\testit.exe"
"System service65"="C:\\WINDOWS\\etb\\pokapoka65.exe"
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"RecoverFromReboot"="C:\\WINDOWS\\Temp\\RecoverFromReboot.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"winsync"="C:\\WINDOWS\\system32\\apaida.exe reg_run"
"TagASaurus"="C:\\Program Files\\TagASaurus\\TagASaurus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- fnfxmfxm
{1bb4e0e9-72b3-4fc9-9ef6-27585504dde9}
C:\WINDOWS\system32\fefwk.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\shell32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\System32\docprop2.dll

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\system32\SHELL32.DLL

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINDOWS\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.exe.lnk
Canon MultiPASS Status Monitor.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\default\Start Menu\Programs\Startup

Adobe Gamma Loader.exe.lnk
Canon MultiPASS Status Monitor.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
Adobe Gamma Loader.exe.lnk
Microsoft Office.lnk
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
CAMCPL.CPL FotoNation inc.
csacpl.cpl Conexant Systems
DESK.CPL Microsoft Corporation
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
S32LUCP1.CPL Symantec Corporation
sticpl.cpl Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
telephon.old.cpl Microsoft Corporation
THEMES.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

Edited by mln, 26 September 2005 - 07:09 AM.

  • 0

#12
loophole
Posted 26 September 2005 - 05:33 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK so yo cant get to normal windows? :tazz:

download FindQoologic from here
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

Thanks
  • 0

#13
mln
Posted 26 September 2005 - 06:29 PM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I couldn't run the findqoologic.bat. get "bad command or file name" message. But I was able to run in the normal mode after uninstall some window hotfix updates. Below please sees the new WIMPFIND, HIJACKTHIS AND TRACKQOO SCAN RESULT. Thank you so much for your patient and help!

WINPFIND SCAN RESULT
==================
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
WinShutDown 9/24/2005 9:04:40 AM 10096 C:\log.txt
UPX! 5/19/2003 12:18:56 PM 343103505 C:\ms 2000.zip
PEC2 5/19/2003 12:18:56 PM 343103505 C:\ms 2000.zip
UPX! 11/22/2003 2:22:46 AM 26084439 C:\NAV10ESD.exe
PEC2 11/6/2001 11:51:44 AM 10236296 C:\rp500enu(acrobat 5).exe
aspack 6/13/2002 12:19:34 PM 276185 C:\sinaisp_dialup.exe
UPX! 6/10/2001 4:59:48 AM 342232792 C:\SQL2000.zip
UPX! 1/12/2005 9:53:08 PM 43285 C:\stbrws14.exe
qoologic 9/26/2005 11:35:14 PM 1482677 C:\winzip.log

Checking %ProgramFilesDir% folder...
UPX! 1/10/2005 3:06:10 PM 4918270 C:\Program Files\Firefox Setup 1.0.exe

Checking %WinDir% folder...
UPX! 8/26/2002 11:58:50 AM 84480 C:\WINDOWS\cptcnsysk.exe
UPX! 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
FSG! 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
PEC2 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
PECompact2 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
Umonitor 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
qoologic 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
aspack 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
PTech 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
urllogic 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
ad-beh 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
ad-behNior.com 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
sYVLLSAKY 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
_rtneg3 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
SAHAgent 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
buddy.exe 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
ZepMon 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
aurora.exe 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
;2x(V]@BMD 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
Tlji7Mk 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
KavSvc 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
69.59.186.63 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
209.66.67.134 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
66.63.167.97 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
66.63.167.77 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
8B!7F\(T 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
testpopup 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
web-nex 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
yourkey 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
winsync 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
rec2_run 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
WinShutDown 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
ad-w-a-r-e.com 9/26/2005 11:30:18 PM 266719232 C:\WINDOWS\MEMORY.DMP
UPX! 11/16/2003 4:38:10 PM 965632 C:\WINDOWS\vsapi32.dll
aspack 11/16/2003 4:38:10 PM 965632 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
69.59.186.63 9/26/2005 11:30:22 PM 133120 C:\WINDOWS\SYSTEM32\fefwk.dll
209.66.67.134 9/26/2005 11:30:22 PM 133120 C:\WINDOWS\SYSTEM32\fefwk.dll
web-nex 9/26/2005 11:30:22 PM 133120 C:\WINDOWS\SYSTEM32\fefwk.dll
winsync 9/26/2005 11:30:22 PM 133120 C:\WINDOWS\SYSTEM32\fefwk.dll
69.59.186.63 9/26/2005 11:30:20 PM 181760 C:\WINDOWS\SYSTEM32\iriolio.dll
209.66.67.134 9/26/2005 11:30:20 PM 181760 C:\WINDOWS\SYSTEM32\iriolio.dll
web-nex 9/26/2005 11:30:20 PM 181760 C:\WINDOWS\SYSTEM32\iriolio.dll
winsync 9/26/2005 11:30:20 PM 181760 C:\WINDOWS\SYSTEM32\iriolio.dll
FSG! 9/3/2005 10:06:32 AM 398742 C:\WINDOWS\SYSTEM32\Kfeqlsk1.xml
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 6/19/2003 9:05:04 AM 529168 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 9/29/2004 9:30:04 AM 72704 C:\WINDOWS\SYSTEM32\thinInstOIT61MegaV2s.dlltmp
aspack 9/29/2004 9:30:04 AM 72704 C:\WINDOWS\SYSTEM32\thinInstOIT61MegaV2s.dlltmp
UPX! 4/4/2000 4:19:12 AM 91136 C:\WINDOWS\SYSTEM32\uxecre.exe
winsync 12/7/1999 10:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/7/2005 8:59:58 PM H 271 C:\WINDOWS\desktop.ini
9/7/2005 8:59:58 PM H 21692 C:\WINDOWS\FOLDER.HTT
9/27/2005 7:18:40 AM H 24 C:\WINDOWS\ptYvb
9/26/2005 11:30:28 PM H 54156 C:\WINDOWS\QTFont.qfn
9/26/2005 11:20:58 PM H 830596 C:\WINDOWS\ShellIconCache
9/22/2005 8:12:18 PM H 118784 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
9/22/2005 8:12:18 PM H 1024 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat.LOG
9/26/2005 11:28:56 PM S 64 C:\WINDOWS\CSC\00000001
9/26/2005 11:28:56 PM S 64 C:\WINDOWS\CSC\00000002
9/14/2005 11:07:40 PM S 64 C:\WINDOWS\CSC\csc1.tmp
9/20/2005 2:57:14 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
9/7/2005 9:00:16 PM HS 67 C:\WINDOWS\FONTS\desktop.ini
9/18/2005 10:19:02 PM H 10820 C:\WINDOWS\HELP\nocontnt.GID
9/22/2005 7:25:48 PM H 0 C:\WINDOWS\inf\oem11.inf
8/20/2005 11:14:08 PM H 0 C:\WINDOWS\inf\oem8.inf
9/5/2005 10:49:26 AM H 0 C:\WINDOWS\inf\oem9.inf
9/20/2005 2:57:14 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
9/7/2005 9:17:00 PM H 1318912 C:\WINDOWS\repair\ntuser.dat
9/7/2005 8:59:58 PM H 271 C:\WINDOWS\SYSTEM32\desktop.ini
9/7/2005 8:59:58 PM H 21692 C:\WINDOWS\SYSTEM32\folder.htt
9/27/2005 2:20:20 AM H 1024 C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG
9/26/2005 11:29:00 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
9/26/2005 11:29:02 PM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
9/27/2005 7:18:46 AM H 1024 C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG
9/7/2005 10:50:04 AM H 1024 C:\WINDOWS\SYSTEM32\config\system.LOG
9/7/2005 10:50:02 AM H 1024 C:\WINDOWS\SYSTEM32\config\userdiff.LOG
9/7/2005 9:17:32 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdifr.LOG
9/3/2005 9:52:52 AM HS 336 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\4f192a26-5945-48ec-9954-be553e73f93b
9/3/2005 9:52:52 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
9/26/2005 11:29:14 PM H 6 C:\WINDOWS\TASKS\SA.DAT
9/7/2005 8:59:58 PM H 842 C:\WINDOWS\WEB\BULLET.GIF
9/7/2005 8:59:58 PM H 90056 C:\WINDOWS\WEB\CLASSIC.BMP
9/7/2005 8:59:58 PM H 634 C:\WINDOWS\WEB\CLASSIC.HTT
9/7/2005 8:59:58 PM H 4659 C:\WINDOWS\WEB\CONTROLP.HTT
9/7/2005 8:59:58 PM H 5296 C:\WINDOWS\WEB\DEFAULT.HTT
9/7/2005 8:59:58 PM H 830 C:\WINDOWS\WEB\DESKMOVR.HTT
9/7/2005 8:59:58 PM H 8898 C:\WINDOWS\WEB\DIALUP.HTT
9/7/2005 8:59:58 PM H 2642 C:\WINDOWS\WEB\EXCLAM.GIF
9/7/2005 8:59:58 PM H 31080 C:\WINDOWS\WEB\FOLDER.BMP
9/7/2005 8:59:58 PM H 3210 C:\WINDOWS\WEB\FOLDER.HTT
9/7/2005 8:59:58 PM H 19355 C:\WINDOWS\WEB\FSRESULT.HTT
9/20/2005 2:57:20 PM H 11083 C:\WINDOWS\WEB\ftp.htt
9/7/2005 8:59:58 PM H 56 C:\WINDOWS\WEB\MINCOLD.GIF
9/7/2005 8:59:58 PM H 77 C:\WINDOWS\WEB\MINHOT.GIF
9/7/2005 8:59:58 PM H 59 C:\WINDOWS\WEB\PLUSCOLD.GIF
9/7/2005 8:59:58 PM H 80 C:\WINDOWS\WEB\PLUSHOT.GIF
9/7/2005 8:59:58 PM H 31080 C:\WINDOWS\WEB\PREVIEW.BMP
9/7/2005 8:59:58 PM H 13798 C:\WINDOWS\WEB\PRINTERS.HTT
9/7/2005 8:59:58 PM H 11149 C:\WINDOWS\WEB\RECYCLE.HTT
9/7/2005 8:59:58 PM H 2913 C:\WINDOWS\WEB\SAFEMODE.HTT
9/7/2005 8:59:58 PM H 6489 C:\WINDOWS\WEB\SCHEDULE.HTT
9/7/2005 8:59:58 PM H 28565 C:\WINDOWS\WEB\STANDARD.HTT
9/7/2005 8:59:58 PM H 31080 C:\WINDOWS\WEB\STARTER.BMP
9/7/2005 8:59:58 PM H 1024 C:\WINDOWS\WEB\STARTER.HTT
9/7/2005 8:59:58 PM H 1316 C:\WINDOWS\WEB\WEBVIEW.CSS
9/7/2005 8:59:58 PM H 31438 C:\WINDOWS\WEB\WEBVIEW.JS
9/7/2005 8:59:58 PM H 8248 C:\WINDOWS\WEB\WVLEFT.BMP
9/7/2005 8:59:58 PM H 54 C:\WINDOWS\WEB\WVLINE.GIF
9/7/2005 8:59:58 PM H 14865 C:\WINDOWS\WEB\WVLOGO.GIF
9/7/2005 8:59:58 PM H 12403 C:\WINDOWS\WEB\wvnet.gif

Checking for CPL files...
Microsoft Corporation 12/7/1999 10:00:00 AM 67344 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 9:05:04 AM 301328 C:\WINDOWS\SYSTEM32\appwiz.cpl
FotoNation inc. 10/26/1998 8:26:20 PM 26624 C:\WINDOWS\SYSTEM32\CAMCPL.CPL
Conexant Systems 1/30/2002 11:52:54 PM 316928 C:\WINDOWS\SYSTEM32\csacpl.cpl
Microsoft Corporation 6/19/2003 9:05:04 AM 237328 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 10:00:00 AM 31504 C:\WINDOWS\SYSTEM32\fax.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 128272 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 118032 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 36112 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 60688 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 1/16/2005 1:14:52 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 122128 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 303888 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 17168 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 41232 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 9:05:04 AM 41232 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 9:05:04 AM 90896 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 10/13/2002 5:08:26 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 12/14/2003 9:20:50 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Symantec Corporation 6/15/2000 1:43:14 AM 32768 C:\WINDOWS\SYSTEM32\S32LUCP1.CPL
Microsoft Corporation 6/19/2003 9:05:04 AM 83216 C:\WINDOWS\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 9:05:04 AM 125712 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 10:00:00 AM 5904 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 5904 C:\WINDOWS\SYSTEM32\telephon.old.cpl
Microsoft Corporation 6/8/2000 7:00:00 AM 15360 C:\WINDOWS\SYSTEM32\THEMES.CPL
Microsoft Corporation 12/7/1999 10:00:00 AM 61200 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 10:00:00 AM 41232 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/28/2002 12:54:46 PM 703 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
3/28/2003 8:11:08 AM 1454 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon MultiPASS Status Monitor.lnk
3/10/2003 7:27:58 AM 1572 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/10/2002 8:29:24 PM 849 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
9/26/2005 11:30:20 PM 417792 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nkni.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/28/2002 12:57:26 PM 703 C:\Documents and Settings\default\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
9/8/2005 9:28:58 PM 1672 C:\Documents and Settings\default\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %USERPROFILE%\Application Data folder...
4/4/2004 7:21:42 AM 0 C:\Documents and Settings\default\Application Data\dm.ini
UPX! 1/10/2005 3:48:12 PM 184680 C:\Documents and Settings\default\Application Data\shb.dat
9/13/2005 5:21:22 PM 30 C:\Documents and Settings\default\Application Data\tvmcwrd.dll
9/11/2005 10:04:04 PM 452888 C:\Documents and Settings\default\Application Data\tvmknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\system32\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\system32\SHELL32.DLL
{E4FBEFFA-A1B6-4C75-A36F-000BCF78FC1E} = C:\WINDOWS\system32\DM210V204_32.dll
{0011F633-4D16-40F5-A36A-6691F55814CE} = C:\WINDOWS\system32\dCdim.dll
{FF56D1C7-3B05-4680-8D70-30FD720F1740} = C:\WINDOWS\system32\svorprop.dll
{B6B58A45-9983-4F43-B64E-57E022B17AA7} = C:\WINDOWS\system32\iqlogmsg.dll
{731FD87F-1E13-4134-9515-6C2B14366312} = C:\WINDOWS\system32\effpixaudio.dll
{A2EDF8BE-5A4F-4C30-B9F0-DF918777940E} = C:\WINDOWS\system32\DVomExt.dll
{B02207F6-84F3-4DD1-BAB8-24ED123A15D8} = C:\WINDOWS\system32\LLADPERF.DLL
{936C5084-D286-4B89-A1BC-CDFF77584325} = C:\WINDOWS\system32\xelehlp.dll
{59157EE0-B375-4C92-A984-29BD446E1625} = C:\WINDOWS\system32\exfpixpsets.dll
{83BC23E3-97DF-4F24-B99D-CAD32E039F44} = C:\WINDOWS\system32\LCADPERF.DLL
{30E82AB2-C3EB-433D-A062-08CC2A793703} = C:\WINDOWS\system32\ptrfdisk.dll
{02B4BEFB-63B6-4F19-B031-8E3AAD21D36C} = C:\WINDOWS\system32\eufpixaudio.dll
{B1C37748-D7AC-4A17-8F78-55F9AE388E18} = C:\WINDOWS\system32\sfndmail.dll
{E4EED7EB-1482-4CD6-8AAC-98A47C587BD8} = C:\WINDOWS\system32\MUC30.DLL
{4A49EB32-6A27-463E-A025-80867CE04438} = C:\WINDOWS\system32\wpw32.dll
{DEE8F949-9F4C-45FD-B95F-38EAEF720BB4} = C:\WINDOWS\system32\kgdes.dll
{3C82A44D-2E47-4F7C-9749-C23DA0EF473F} = C:\WINDOWS\system32\inlogmsg.dll
{448B7376-7BA3-4DAC-AAC3-E09B12F561F7} = C:\WINDOWS\system32\ihctl.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fnfxmfxm
{1bb4e0e9-72b3-4fc9-9ef6-27585504dde9} = C:\WINDOWS\system32\fefwk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINDOWS\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\system32\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2FDEF853-0759-11D4-A92E-006097DBED37}
ButtonText = Encarta Encyclopedia :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5DA9DE80-097A-11D4-A92E-006097DBED37}
ButtonText = Define :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\system32\msdxm.ocx
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{F5735C15-1FB2-41FE-BA12-242757E69DDE} = JunoBar : C:\Program Files\Juno\toolbar.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\system32\msdxm.ocx
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
YourMonitor C:\WINDOWS\YourMonitor
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
unqdup C:\WINDOWS\unqdup.exe
testit.exe C:\WINDOWS\system32\testit.exe
System service65 C:\WINDOWS\etb\pokapoka65.exe
Synchronization Manager mobsync.exe /logon
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
RecoverFromReboot C:\WINDOWS\Temp\RecoverFromReboot.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroCheck C:\WINDOWS\System32\NeroCheck.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
winsync C:\WINDOWS\system32\apaida.exe reg_run
TagASaurus C:\Program Files\TagASaurus\TagASaurus

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sys98 C:\WINDOWS\Sys98.exe
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
Juno_uoltray C:\Program Files\Juno\exec.exe regrun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ah$vùõš/‚²95ß

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ah$vùõš/‚²95ß\ÏrbþC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ah$vùõš/‚²‘ÆßfÏNb‰C:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ah$vùõš/‚²‘ÆßfÏNb‰C:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C:\WINDOWS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ndndgeqbw.exe C:\WINDOWS\system\ndndgeqbw.exe
sgiche C:\WINDOWS\system32\sgiche.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINDOWS\system32\NETSHELL.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/27/2005 7:19:21 AM


HIJACKTHIS RESULT
==============
Logfile of HijackThis v1.99.1
Scan saved at 7:34:08 AM, on 9/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\YourMonitor.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\apaida.exe
C:\WINDOWS\Sys98.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\My Documents\Downloads for geeks to go\WinPFind\winpfind.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sina.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sina.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\system32\testit.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apaida.exe reg_run
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: nkni.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGVmYXVsdAAA\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


TRACKQOO SCAN RESULT
===================
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourMonitor"="C:\\WINDOWS\\YourMonitor"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"unqdup"="C:\\WINDOWS\\unqdup.exe"
"testit.exe"="C:\\WINDOWS\\system32\\testit.exe"
"System service65"="C:\\WINDOWS\\etb\\pokapoka65.exe"
"Synchronization Manager"="mobsync.exe /logon"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"RecoverFromReboot"="C:\\WINDOWS\\Temp\\RecoverFromReboot.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"winsync"="C:\\WINDOWS\\system32\\apaida.exe reg_run"
"TagASaurus"="C:\\Program Files\\TagASaurus\\TagASaurus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- fnfxmfxm
{1bb4e0e9-72b3-4fc9-9ef6-27585504dde9}
C:\WINDOWS\system32\fefwk.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\shell32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\System32\docprop2.dll

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\system32\SHELL32.DLL

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINDOWS\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.exe.lnk
Canon MultiPASS Status Monitor.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
nkni.exe
==============================
C:\Documents and Settings\default\Start Menu\Programs\Startup

Adobe Gamma Loader.exe.lnk
Canon MultiPASS Status Monitor.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
nkni.exe
Adobe Gamma Loader.exe.lnk
Microsoft Office.lnk
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
CAMCPL.CPL FotoNation inc.
csacpl.cpl Conexant Systems
DESK.CPL Microsoft Corporation
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation

Edited by mln, 27 September 2005 - 05:42 AM.

  • 0

#14
loophole
Posted 27 September 2005 - 03:05 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good :tazz:

Please save these directions to notepad for use in safemode

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fnfxmfxm]

[-HKEY_CLASSES_ROOT\CLSID\{1bb4e0e9-72b3-4fc9-9ef6-27585504dde9}]


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\SYSTEM32\fefwk.dll
C:\WINDOWS\SYSTEM32\iriolio.dll
C:\WINDOWS\SYSTEM32\Kfeqlsk1.xml
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nkni.exe
C:\WINDOWS\unqdup.exe
C:\WINDOWS\system32\apaida.exe



As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [unqdup] C:\WINDOWS\unqdup.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apaida.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!

Edited by loophole, 27 September 2005 - 03:05 PM.

  • 0

#15
mln
Posted 28 September 2005 - 07:09 AM

mln

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
HELP!!!
I can't start my computer, even the safe mode. I run the scandisk by using emergency disk, but nothing's wrong. I also try to run the registry scan and get bad command or file name error.

The error message that I got when I start the computer is:"STOP: 0x0000007b (0x8187e670. 0xc0000032, 0x000000, 0x000000) INACCESSABLE_BOOT_DEVICE

THANKS!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP