Aurora help


#1
jbrown7441

I'm pretty new to this site, so don't crucify me if I don't get things exactly right. I have done all that was asked before posting my logs here, and still have popups, although my Symantec has stopped catching anything. I don't know if that's good or bad.

The last post I submitted sat there for 4 days with no reply. Hopefully this falls on more caring hearts :) :tazz:

PPPPlease help!!!!!!


Logfile of HijackThis v1.99.1
Scan saved at 2:24:33 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\WINDOWS\system32\vrnhg\icayfq.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\AutoCAD 2006\acad.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Documents and Settings\jbrown\Desktop\Temp\HHSpdHck.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mrxltgb] C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [cgpq] C:\WINDOWS\system32\qmktjj\cgpq.exe
O4 - HKLM\..\Run: [jjccfhum] C:\WINDOWS\system32\ovsq\jjccfhum.exe
O4 - HKLM\..\Run: [icayfq] C:\WINDOWS\system32\vrnhg\icayfq.exe
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.web...ent/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cgpqqmktjj - Unknown owner - C:\WINDOWS\system32\qmktjj\cgpq.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe
O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: icayfqvrnhg - Unknown owner - C:\WINDOWS\system32\vrnhg\icayfq.exe
O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
O23 - Service: jjccfhumovsq - Unknown owner - C:\WINDOWS\system32\ovsq\jjccfhum.exe
O23 - Service: mrxltgboteutebu - Unknown owner - C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2
ukbiker

Hello and welcome to Geeks To Go.

I am UKBiker and will be helping you with this log.

Let's start out with some general scans and see if we can't clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite; it is a trial version of the program.
  • Install Ewido security suite
  • Launch Ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.

#3
jbrown7441
Thanks UKBiker, I do still have popup problems. I have already downloaded ewido, and tried to update it, and it gave me the following, "Request Failed: 400 HTTP/ 1.0 400 Request Denied".

So I ran a scan anyway, and posted all 4 scans you requested below.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:55:42 AM, 9/28/2005
+ Report-Checksum: 5A1DD5B4

+ Scan result:

C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\WINDOWS\SYSTEM32\sav2.exe -> TrojanDownloader.Apropo.aj : Cleaned with backup
C:\WINDOWS\SYSTEM32\VB3.exe -> TrojanDropper.Agent.hl : Cleaned with backup


::Report End



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 28, 2005 11:28:33
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/09/2005
Kaspersky Anti-Virus database records: 151562
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 86268
Number of viruses found: 21
Number of infected objects: 58
Number of suspicious objects: 1
Duration of the scan process: 3823 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300001.VBN/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300002.VBN/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300002.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300003.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02300004.VBN Infected: Trojan-Downloader.Win32.Small.abd
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07140000.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07140001.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07A00000\47AEF389.VBN Infected: Trojan.Win32.Stervis.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07A00000\47AEF38A.VBN Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07A00000\47AEF38B.VBN Infected: Trojan.Win32.Agent.ay
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07A00001\47AF02F2.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09480000\4B69F57B.VBN/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09480000\4B69F57B.VBN Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0000.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0001.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0002.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0003.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN Infected: Trojan-Downloader.Win32.Agent.mw
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500000.VBN Infected: Trojan.Win32.Stervis.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500001.VBN Infected: Trojan.Win32.Agent.db
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500002.VBN Infected: Trojan.Win32.Stervis.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500003.VBN Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500004.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500005.VBN Infected: Trojan.Win32.Agent.ay
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500006.VBN Infected: not-a-virus:AdWare.Win32.BetterInternet.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0000\4FACC7C0.VBN/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0000\4FACC7C0.VBN Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0001\4FACC7CD.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\jbrown\Desktop\Extractions\Keymaker.exe Suspicious: Type_Win32
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\incredifinduninstall.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.b
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\incredifinduninstall.exe Infected: Trojan-Downloader.Win32.Keenval.b
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\Desktop\Temp\Laptop Backup\Trial Software\zrnb.exe Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\My Documents\eDonkey2000 Downloads\WinRAR Password Cracker v4.12+Crack.zip/RAR Password Cracker v4.12+Crack/Crack/rpc.exe Infected: not-a-virus:PSWTool.Win32.RARPassCrack.a
C:\Documents and Settings\jbrown\My Documents\eDonkey2000 Downloads\WinRAR Password Cracker v4.12+Crack.zip Infected: not-a-virus:PSWTool.Win32.RARPassCrack.a
C:\Documents and Settings\jbrown\My Documents\Trial Software\incredifinduninstall.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.b
C:\Documents and Settings\jbrown\My Documents\Trial Software\incredifinduninstall.exe Infected: Trojan-Downloader.Win32.Keenval.b
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\My Documents\Trial Software\zrnb.exe Infected: not-a-virus:AdWare.Win32.HelpExpress
C:\Documents and Settings\jbrown\My Documents\Work Files\tcantrell\Library 2\Stansbury\Lucadia-Terracor.htm Infected: Trojan.JS.Relink.b
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP168\A0015707.exe Infected: Trojan-Downloader.Win32.Apropo.aj
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP168\A0015708.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\SYSTEM32\bqrinaeg\cqucfbxi.dll Infected: Trojan-Downloader.Win32.Agent.lg
C:\WINDOWS\SYSTEM32\rcruhwff\bnbjyxcj.dll Infected: Trojan-Downloader.Win32.Agent.lg

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 11:35:20 AM, on 9/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\fhlpnxy\guycrm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mrxltgb] C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [cgpq] C:\WINDOWS\system32\qmktjj\cgpq.exe
O4 - HKLM\..\Run: [jjccfhum] C:\WINDOWS\system32\ovsq\jjccfhum.exe
O4 - HKLM\..\Run: [icayfq] C:\WINDOWS\system32\vrnhg\icayfq.exe
O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.web...ent/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cgpqqmktjj - Unknown owner - C:\WINDOWS\system32\qmktjj\cgpq.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe
O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: guycrmfhlpnxy - Unknown owner - C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O23 - Service: icayfqvrnhg - Unknown owner - C:\WINDOWS\system32\vrnhg\icayfq.exe
O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
O23 - Service: jjccfhumovsq - Unknown owner - C:\WINDOWS\system32\ovsq\jjccfhum.exe
O23 - Service: mrxltgboteutebu - Unknown owner - C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Activ8
Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
AFT Fathom 6.0 Demo
ATI Control Panel
ATI Display Driver
AutoCAD 2006 - English
AutoCAD R14.0
Autodesk DWF Viewer
Belarc Advisor 7.0
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
CleanUp!
Command
COMThermo DK 1.1.8
Crystal Reporting Tool
Dex Yellow & White Pages v4.5.4
DivX 4.11 Codec
eDonkey2000
ewido security suite
Flow Calculator
FranklinCovey PlanPlus for Microsoft Outlook
FranklinCovey PlanPlus for the Pocket PC
HazardReview LEADER
HijackThis 1.99.1
hp officejet g series
Huffyuv AVI lossless video codec (Remove Only)
HYSYS 3.1 Build 4815
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky On-line Scanner
Lavasoft VX2 Cleaner
LiveUpdate 2.6 (Symantec Corporation)
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft ActiveSync 3.7
Microsoft AntiSpyware
Microsoft Office Outlook Connector for MSN
Microsoft Office XP Professional
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
MooreGames
Mozilla Firefox (1.0)
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.0
Peachtree Complete Accounting 2003
Perry's Chemical Engineers' Handbook on CD-ROM
PIPESYS 1.60
PowerDVD 5.1
PSAT 2004
PShow
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Sentinel Protection Installer 7.0.0
Spybot - Search & Destroy 1.3.1 TX
SSAT
STX
SulSim Extension
Symantec AntiVirus
Tokuoitu
TrojanHunter 4.2
Twu Property Packages
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VobSub v2.05 (Remove Only)
WebEx
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip

#4
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi there,

Please carry out the following steps:

Download the Hoster.
  • Unzip Hoster to a convenient folder such as C:\Hoster.
  • Run Hoster.exe from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
After doing this, please try to update Ewido. Let me know what happens.

Whether Ewido updates or not, would you please run another Ewido scan for me, but run it in SAFE mode.

Please post the Ewido scan results and a new HJT log (HJT log from Normal mode)
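The post above asks for the hosts file to be put back to its original state before the Ewido update is retried. The usual reason a helper asks for that is that some malware writes entries into hosts which pin security-vendor and update hostnames to 127.0.0.1 (or to an address the attacker controls), so the updater never reaches the real server. The script below is added here as an example of that check; it is not part of the thread, of Hoster, or of Ewido. It parses a Windows-format hosts file and reports watched hostnames that have been pinned, plus any name sent to a routable address. The WATCHED_SUFFIXES list and SAMPLE_HOSTS are constructed for the example, not taken from the affected machine.

```python
import ipaddress

# Hostnames an updater needs to reach. This list is an assumption made for
# the example; a real check would carry the vendor's own update hosts.
WATCHED_SUFFIXES = (
    "ewido.net",
    "symantec.com",
    "symantecliveupdate.com",
    "kaspersky.com",
    "trendmicro.com",
    "windowsupdate.com",
    "microsoft.com",
)

def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not "ip name [name ...]", skip it
        for name in fields[1:]:
            yield lineno, ip, name.lower()

def is_watched(name):
    """True if name is one of the watched hosts or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Return [(line, hostname, ip, reason)] for mappings that look like a hijack.

    Two things are reported: a watched host pinned to any address at all
    (127.0.0.1 is enough to break updates), and any name sent to a routable
    address, which is how a hosts file is abused for phishing. Ordinary
    ad-block entries (0.0.0.0 / 127.0.0.1 for unrelated names) are left alone.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                              # the one entry a stock file has
        if is_watched(name):
            findings.append((lineno, name, str(ip), "update host pinned in hosts file"))
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append((lineno, name, str(ip), "name redirected to a foreign address"))
    return findings

# Constructed sample for the example; this is not the affected machine's file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.ewido.net
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         ads.example          # ordinary ad-block entry, not reported
10.0.0.5        www.bank.example     # redirect to a foreign host
"""

if __name__ == "__main__":
    for line, name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line}: {name} -> {ip}: {reason}")
```

On a live Windows box the text to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; read it with the file's own encoding and run it before and after a tool like Hoster so you can see exactly which lines the reset removed.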

#5
jbrown7441
    Member
  • Topic Starter
  • Member
  • 25 posts
When I ran ewido after reloading it, it said, "Updating or installing the services failed. Please uninstall, reboot & install again." So I did, and came up with the same problem when trying to update ("Request Failed: 400 HTTP/ 1.0 400 Request Denied").

Here is my new ewido and HJT log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:51:14 PM, 9/28/2005
+ Report-Checksum: BABF52B6

+ Scan result:

No infected objects found.


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 3:58:14 PM, on 9/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\fhlpnxy\guycrm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mrxltgb] C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [cgpq] C:\WINDOWS\system32\qmktjj\cgpq.exe
O4 - HKLM\..\Run: [jjccfhum] C:\WINDOWS\system32\ovsq\jjccfhum.exe
O4 - HKLM\..\Run: [icayfq] C:\WINDOWS\system32\vrnhg\icayfq.exe
O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.web...ent/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cgpqqmktjj - Unknown owner - C:\WINDOWS\system32\qmktjj\cgpq.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe
O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: guycrmfhlpnxy - Unknown owner - C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O23 - Service: icayfqvrnhg - Unknown owner - C:\WINDOWS\system32\vrnhg\icayfq.exe
O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
O23 - Service: jjccfhumovsq - Unknown owner - C:\WINDOWS\system32\ovsq\jjccfhum.exe
O23 - Service: mrxltgboteutebu - Unknown owner - C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
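The log above contains a cluster of O23 services with "Unknown owner", each launched from a randomly named folder directly under system32, with a service name that is the exe name glued to the folder name (guycrm.exe in fhlpnxy becomes guycrmfhlpnxy, mrxltgb.exe in oteutebu becomes mrxltgboteutebu), and several of the same binaries also registered under HKLM\..\Run. Those are structural properties a script can check rather than leaving it all to eyeballing. The parser below is an added example, not part of the thread or of HijackThis: it reads O4 and O23 lines in HijackThis format and reports entries that match those patterns; SAMPLE_LOG is a hand-picked subset of the posted log embedded so the block runs offline, and the rules themselves are assumptions drawn from this log, not a published signature.

```python
import re
from pathlib import PureWindowsPath

# O4 (registry Run/RunOnce) and O23 (service) lines as HijackThis 1.99 prints them.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] '
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - '
    r'(?P<path>[A-Za-z]:\\.*?\.exe)(?P<missing> \(file missing\))?\s*$', re.IGNORECASE)

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")   # assumed install drive/folder

def parse_hjt(log):
    """Split a HijackThis log into its O4 and O23 entries; other lines are ignored."""
    runs, services = [], []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = O23_RE.match(line)
        if m:
            d = m.groupdict()
            d["missing"] = d["missing"] is not None
            services.append(d)
    return runs, services

def name_is_stem_plus_folder(display, path):
    """guycrm.exe in ...\\fhlpnxy\\ registered as 'guycrmfhlpnxy': the pattern in the log."""
    p = PureWindowsPath(path)
    return display.lower() == (p.stem + p.parent.name).lower()

def one_folder_below_system32(path):
    """True for C:\\WINDOWS\\system32\\<anything>\\x.exe, false for system32 itself."""
    return PureWindowsPath(path).parent.parent == SYSTEM32

def findings(log):
    """Return [(section, entry name, path, [reasons])] for suspicious O23/O4 entries."""
    runs, services = parse_hjt(log)
    out, flagged = [], set()
    for s in services:
        unknown = s["owner"].lower() == "unknown owner"
        reasons = []
        if name_is_stem_plus_folder(s["display"], s["path"]):
            reasons.append("service name is exe name + folder name")
        if unknown and one_folder_below_system32(s["path"]):
            reasons.append("no vendor info, runs from a folder directly under system32")
        if unknown and s["missing"]:
            reasons.append("no vendor info and the binary is gone")
        if reasons:
            flagged.add(PureWindowsPath(s["path"]))
            out.append(("O23", s["display"], s["path"], reasons))
    for r in runs:
        p = PureWindowsPath(r["path"])
        reasons = []
        if p in flagged:
            reasons.append("same binary is also installed as a service (double persistence)")
        elif one_folder_below_system32(p):
            reasons.append("autostart from a folder directly under system32")
        if reasons:
            out.append(("O4", r["name"], r["path"], reasons))
    return out

# Subset of the posted log, embedded so the example runs stand-alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mrxltgb] C:\WINDOWS\system32\oteutebu\mrxltgb.exe
O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
O23 - Service: guycrmfhlpnxy - Unknown owner - C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O23 - Service: mrxltgboteutebu - Unknown owner - C:\WINDOWS\system32\oteutebu\mrxltgb.exe
"""

if __name__ == "__main__":
    for section, name, path, reasons in findings(SAMPLE_LOG):
        print(f"{section} {name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Two caveats. "Unknown owner" only means the file carries no version/company resource, so the Ati2evxx.exe entry correctly gets no hit on its own; the rules look for the combination of no vendor info with an odd location or a missing file. And the `services32` Run entry under Common Files\Windows is not caught by any of these structural rules even though it is plainly out of place, which is why a person still reads the whole log.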

#6
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi there,

Hmmm, I'm surprised that Ewido isn't co-operating; however, we will use this instead.

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
After Spysweeper has run, please reboot and post a fresh HJT log and the spysweeper log.

#7
jbrown7441
    Member
  • Topic Starter
  • Member
  • 25 posts
I did that and everything seemed to work all right until the end, when it found something running from the registry or something like that, and asked me to close all applications and click OK to remove it. I did that and it then asked me to reboot, which I did, and it found something called guycrm which it asked me if I wanted to delete. I said yes, but it kept returning to the same alert 'guycrm' and asking me if I want to delete it. The following is the dialogue box at the bottom of Spy Sweeper as I was trying to delete 'guycrm'. I finally said no, I didn't want to delete it, and was able to proceed. I ran a fresh Spy Sweeper scan and got the log below, and also ran a fresh HJT log.

Thanks,


Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Spy News is provided to help you get the most out of Spy Sweeper by providing you with real-time information such as usability tips and news regarding the latest threats.
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Automated check for new spyware definitions now underway.
Your definitions are up to date.
Automated check for program update in progress.
Your Spy Sweeper application is up to date.
Automated check for news in progress.
... news is ready for your viewing.
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Removed Startup entry: guycrm
Processing Startup Alerts
Allowed Startup entry: guycrm


__________________________________________



********
4:52 PM: |··· Start of Session, Wednesday, September 28, 2005 ···|
4:52 PM: Spy Sweeper started
4:52 PM: Sweep initiated using definitions version 545
4:52 PM: Starting Memory Sweep
4:52 PM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:52 PM: Found Trojan Horse: lzio
4:52 PM: Detected running threat: C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe (ID = 48)
4:52 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || guycrm (ID = 0)
4:54 PM: Memory Sweep Complete, Elapsed Time: 00:02:36
4:54 PM: Starting Registry Sweep
4:54 PM: Registry Sweep Complete, Elapsed Time:00:00:06
4:54 PM: Starting Cookie Sweep
4:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:55 PM: Starting File Sweep
5:03 PM: Warning: Failed to read file "c:\documents and settings\jbrown\local settings\temp\~dfc074.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
5:03 PM: File Sweep Complete, Elapsed Time: 00:08:04
5:03 PM: Full Sweep has completed. Elapsed time 00:10:52
5:03 PM: Traces Found: 2
5:03 PM: Removal process initiated
5:03 PM: Quarantining All Traces: lzio
5:03 PM: Removal process completed. Elapsed time 00:00:26
********
4:19 PM: |··· Start of Session, Wednesday, September 28, 2005 ···|
4:19 PM: Spy Sweeper started
4:19 PM: Sweep initiated using definitions version 545
4:19 PM: Starting Memory Sweep
4:19 PM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:19 PM: Found Trojan Horse: lzio
4:19 PM: Detected running threat: C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe (ID = 48)
4:19 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || guycrm (ID = 0)
4:22 PM: Memory Sweep Complete, Elapsed Time: 00:03:03
4:22 PM: Starting Registry Sweep
4:22 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tokuoitu\ (2 subtraces) (ID = 702138)
4:22 PM: Found Adware: safesurf
4:22 PM: HKCR\funtools.picshow\ (5 subtraces) (ID = 730902)
4:22 PM: HKCR\funtools.picshow.1\ (3 subtraces) (ID = 730908)
4:22 PM: HKCR\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730912)
4:22 PM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
4:22 PM: HKLM\software\classes\funtools.picshow\ (5 subtraces) (ID = 730957)
4:22 PM: HKLM\software\classes\funtools.picshow.1\ (3 subtraces) (ID = 730963)
4:22 PM: HKLM\software\classes\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730967)
4:22 PM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
4:22 PM: HKLM\software\picshow\ (14 subtraces) (ID = 730989)
4:22 PM: Found Adware: maxifiles
4:22 PM: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
4:22 PM: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
4:22 PM: HKCR\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829241)
4:22 PM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
4:22 PM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
4:22 PM: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
4:22 PM: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
4:22 PM: HKLM\software\classes\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829302)
4:22 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (2 subtraces) (ID = 829305)
4:22 PM: Registry Sweep Complete, Elapsed Time:00:00:10
4:22 PM: Starting Cookie Sweep
4:22 PM: Found Spy Cookie: about cookie
4:22 PM: jbrown@about[1].txt (ID = 2037)
4:22 PM: [email protected][1].txt (ID = 2038)
4:22 PM: Found Spy Cookie: com.com cookie
4:22 PM: [email protected][1].txt (ID = 2446)
4:22 PM: Found Spy Cookie: exitexchange cookie
4:22 PM: system@exitexchange[1].txt (ID = 2633)
4:22 PM: Found Spy Cookie: videodome cookie
4:22 PM: [email protected][1].txt (ID = 3639)
4:22 PM: Found Spy Cookie: rednova cookie
4:22 PM: system@rednova[2].txt (ID = 3245)
4:22 PM: system@videodome[1].txt (ID = 3638)
4:22 PM: system@exitexchange[1].txt (ID = 2633)
4:22 PM: [email protected][1].txt (ID = 3639)
4:22 PM: system@rednova[2].txt (ID = 3245)
4:22 PM: system@videodome[1].txt (ID = 3638)
4:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
4:22 PM: Starting File Sweep
4:22 PM: 2.tmp (ID = 155880)
4:22 PM: 3.tmp (ID = 155880)
4:22 PM: 9.tmp (ID = 155880)
4:22 PM: Warning: Failed to read file "c:\windows\system32\fhlpnxy\guycrm.exe". System Error. Code: 32.
The process cannot access the file because it is being used by another process
4:23 PM: Found Trojan Horse: trojan downloader matcash
4:23 PM: autoit3.exe (ID = 119348)
4:27 PM: cqucfbxi.dll (ID = 155404)
4:28 PM: Found Adware: begin2search
4:28 PM: bingo_big3123.ico (ID = 51022)
4:29 PM: Found Trojan Horse: trojan downloader pops-stop
4:29 PM: norisuni.exe (ID = 138284)
4:30 PM: ytudus.exe (ID = 156382)
4:30 PM: Warning: Failed to read file "c:\program files\edonkey2000\temp\stacy valentine - [bleep]ed in pink latex thong.avi\1.4.part". System Error. Code: 3.
The system cannot find the path specified
4:30 PM: Warning: Failed to read file "c:\program files\edonkey2000\temp\stacy valentine - [bleep]ed in pink latex thong.avi\1.2.part". System Error. Code: 3.
The system cannot find the path specified
4:30 PM: awtkxdcr.exe (ID = 156382)
4:30 PM: bnbjyxcj.dll (ID = 155404)
4:30 PM: io2uns.exe (ID = 155403)
4:31 PM: mrxltgb.exe (ID = 155880)
4:31 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mrxltgb (ID = 0)
4:31 PM: cgpq.exe (ID = 155880)
4:31 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || cgpq (ID = 0)
4:31 PM: icayfq.exe (ID = 155880)
4:31 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || icayfq (ID = 0)
4:31 PM: jjccfhum.exe (ID = 155880)
4:31 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || jjccfhum (ID = 0)
4:32 PM: Warning: Failed to read file "c:\documents and settings\jbrown\local settings\temp\~df3bd6.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
4:32 PM: File Sweep Complete, Elapsed Time: 00:09:43
4:32 PM: Full Sweep has completed. Elapsed time 00:13:02
4:32 PM: Traces Found: 181
4:32 PM: Removal process initiated
4:44 PM: Quarantining All Traces: lzio
4:44 PM: Quarantining All Traces: safesurf
4:44 PM: Quarantining All Traces: maxifiles
4:44 PM: Quarantining All Traces: about cookie
4:44 PM: Quarantining All Traces: com.com cookie
4:44 PM: Quarantining All Traces: exitexchange cookie
4:44 PM: Quarantining All Traces: videodome cookie
4:44 PM: Quarantining All Traces: rednova cookie
4:44 PM: Quarantining All Traces: trojan downloader matcash
4:44 PM: Quarantining All Traces: begin2search
4:44 PM: Quarantining All Traces: trojan downloader pops-stop
4:45 PM: Preparing to restart your computer. Please wait...
4:45 PM: Removal process completed. Elapsed time 00:12:16
4:47 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:47 PM: Processing Startup Alerts
4:47 PM: Removed Startup entry: guycrm
4:47 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:47 PM: Processing Startup Alerts
4:47 PM: Removed Startup entry: guycrm
4:47 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:47 PM: Processing Startup Alerts
4:47 PM: Removed Startup entry: guycrm
4:47 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:47 PM: Processing Startup Alerts
4:47 PM: Removed Startup entry: guycrm
4:47 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:48 PM: Processing Startup Alerts
4:48 PM: Removed Startup entry: guycrm
4:48 PM: Warning: Failed to check file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\system32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:50 PM: Processing Startup Alerts
4:50 PM: Allowed Startup entry: guycrm
4:52 PM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". Cannot open file "C:\WINDOWS\SYSTEM32\fhlpnxy\guycrm.exe". The process cannot access the file because it is being used by another process
4:52 PM: |··· End of Session, Wednesday, September 28, 2005 ···|
********
4:18 PM: |··· Start of Session, Wednesday, September 28, 2005 ···|
4:18 PM: Spy Sweeper started
4:19 PM: |··· End of Session, Wednesday, September 28, 2005 ···|



____________________________________




Logfile of HijackThis v1.99.1
Scan saved at 5:10:42 PM, on 9/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.web...ent/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)
O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe
O23 - Service: CWShredder Service - InterMute, Inc. - c:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
O23 - Service: msymrqbvpoy - Unknown owner - C:\WINDOWS\system32\rqbvpoy\msym.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
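Before reading a HijackThis log by eye, it helps to mechanically flag the patterns the log above actually contains: O4 Run values and O23 services whose executable sits in a single lowercase-lettered folder directly under system32 and whose entry name is built from the file and folder names (cplkm.exe in kxpqfx, service cplkmkxpqfx; ivxpr.exe in hhjnjfe, service ivxprhhjnjfe), services with no vendor information or with a missing file, an O9 button with no backing file, and a folder name that is base64: amJyb3du in the cmdService path decodes to jbrown, the user name on this machine. The script below is an added example written for this page, not part of the thread and not HijackThis's own logic; the sample lines are copied from the log above, and the severity rules and the list of process-name lookalikes are the author's own heuristics.

```python
"""Triage HijackThis O4/O9/O23 lines for the persistence patterns visible in this thread.

Added example, not part of the original thread and not HijackThis's own logic.
The sample lines are copied from the HijackThis log above; the scoring rules
are the author's own heuristics.
"""
import base64
import re

# Constructed sample: lines copied verbatim from the HijackThis log in this thread.
SAMPLE_HJT = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe',
    r'O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe',
    r'O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)',
    r'O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe',
    r'O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\amJyb3du\command.exe (file missing)',
    r'O23 - Service: cplkmkxpqfx - Unknown owner - C:\WINDOWS\system32\kxpqfx\cplkm.exe',
    r'O23 - Service: ivxprhhjnjfe - Unknown owner - C:\WINDOWS\system32\hhjnjfe\ivxpr.exe',
    r'O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe',
]

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.I)
# One lowercase-letters-only folder directly under system32 holding a lowercase-letters-only exe.
RANDOM_SUBDIR_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[Ss]ystem32\\([a-z]{4,8})\\([a-z]{3,8})\.exe$')
# Heuristic (author's assumption): value names that imitate core Windows process names.
LOOKALIKE_RE = re.compile(r'^(services|svchost|lsass|csrss|winlogon|explorer)\w*$', re.I)
SEVERITY = {'high': 0, 'medium': 1, 'low': 2}


def decode_base64_component(component):
    """Return the plaintext if a folder name is base64 of printable ASCII, else None."""
    if len(component) < 8 or len(component) % 4 or not re.fullmatch(r'[A-Za-z0-9+/]+=*', component):
        return None
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode('ascii')
    return None


def extract_path(command):
    m = PATH_RE.search(command)
    return m.group(1) if m else None


def path_findings(path, entry_name, where):
    """Findings that depend on the executable path and the name of the entry launching it."""
    findings = []
    parts = path.split('\\')
    stem = parts[-1].rsplit('.', 1)[0]
    m = RANDOM_SUBDIR_RE.match(path)
    if m:
        folder = m.group(1)
        if entry_name in (stem, stem + folder):
            findings.append(('high', f'{where} "{entry_name}" is named from file {stem} and folder {folder}: generated persistence name'))
        else:
            findings.append(('medium', f'executable in a single lowercase folder {folder} directly under system32; verify the vendor'))
    for component in parts[1:-1]:
        decoded = decode_base64_component(component)
        if decoded:
            findings.append(('high', f'folder {component} is base64 for "{decoded}"'))
    if LOOKALIKE_RE.match(entry_name) and 'system32' not in path.lower():
        findings.append(('medium', f'{where} "{entry_name}" imitates a Windows process name but runs from {path}'))
    return findings


def triage_line(line):
    """Return [(severity, reason), ...] for one HijackThis line; [] means nothing flagged."""
    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        path = extract_path(command)
        return path_findings(path, name, f'{hive} {key} value') if path else []
    m = O23_RE.match(line)
    if m:
        service, owner, rest = m.groups()
        findings = []
        if '(file missing)' in rest:
            findings.append(('low', f'service "{service}" points at a missing file; orphaned entry to remove'))
        path = extract_path(rest)
        if path:
            findings += path_findings(path, service, 'service')
            if owner == 'Unknown owner' and path.lower().startswith('c:\\windows\\'):
                findings.append(('medium', f'service "{service}" has no vendor information and runs from the Windows directory'))
        return findings
    if line.startswith('O9') and line.endswith('(no file)'):
        return [('low', 'browser button/menu item with no backing file; orphaned entry to remove')]
    return []


def worst_severity(line):
    """Highest severity among a line's findings, or None if nothing was flagged."""
    return min((f[0] for f in triage_line(line)), key=SEVERITY.get, default=None)


def triage_hjt(lines):
    """Map each flagged line to its findings, most severe first."""
    report = {}
    for line in lines:
        findings = triage_line(line)
        if findings:
            report[line] = sorted(findings, key=lambda f: SEVERITY[f[0]])
    return report


if __name__ == '__main__':
    for line, findings in triage_hjt(SAMPLE_HJT).items():
        print(line)
        for severity, reason in findings:
            print(f'    [{severity}] {reason}')
```

Run as a script it prints only the flagged lines; entries with no findings (ccApp, the Symantec service) drop out of the report. Treat medium findings as verify-before-acting: the ATI hotkey poller has no vendor string in this log but is a stock driver component, which is why the concatenated-name rule scores higher than the unknown-owner rule.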

#8
ukbiker (Rest in Peace, ukbiker; Retired Staff; 2,014 posts)
Hi There

Thanks for doing that. :) It looks like you have got one of the latest, top of the range, no expense spared infections there. I am asking some of our resident Gurus to have a look at this before we go any further, so please bear with us. :tazz:

#9
ukbiker (Rest in Peace, ukbiker; Retired Staff; 2,014 posts)
Hi There again :tazz:

We would like you to get some more information for us, so could you please do the following -

Step 1

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Step 2

Reboot into Safe Mode
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post
Reboot into normal mode and post those 2 logs for me please.
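RootkitRevealer reports every place where the Win32 API view and a raw read of the disk or registry hive disagree, so a live system always produces a handful of discrepancies that are not hiding anything: the CryptoAPI RNG seed is rewritten between the two reads, the browser cache and antivirus definition folders change while the scan runs, and so on. Each output line has the form path, date, time, size, discrepancy text. The script below is an added example for this page, not RootkitRevealer's own logic and not part of the thread; its sample lines are copied from the output the original poster supplies in the next reply, plus one constructed line marked in the code, and the churn rules are the author's own assumptions about what legitimately changes during a scan. Run over the poster's full output, these rules leave only the values under CLSID {D630FC68-F1BF-82DA-FD15-B67BFF7B6C28} for follow-up.

```python
"""Sort RootkitRevealer output into scan-time churn and entries that need follow-up.

Added example, not part of the thread and not RootkitRevealer's own logic. The
sample lines are copied from the RootkitRevealer output posted later in this
thread, plus one constructed line marked as such; the churn rules are the
author's own assumptions about what legitimately changes while the tool scans.
"""
import re

SAMPLE_RKR = [
    r'HKLM\SOFTWARE\Classes\CLSID\{D630FC68-F1BF-82DA-FD15-B67BFF7B6C28}\pi 9/29/2005 10:21 AM 22 bytes Data mismatch between Windows API and raw hive data.',
    r'HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Status 9/29/2005 10:20 AM 4 bytes Data mismatch between Windows API and raw hive data.',
    r'HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/29/2005 10:22 AM 80 bytes Data mismatch between Windows API and raw hive data.',
    r'C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\0JKLM5O7\Ping[1].asp 9/29/2005 10:39 AM 3 bytes Hidden from Windows API.',
    r'C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\9723AT6V\GetMessages[2].xml 9/29/2005 9:36 AM 108 bytes Visible in Windows API, but not in MFT or directory index.',
    r'C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050928.007\vscanmsx.dat 9/29/2005 10:34 AM 2.02 KB Hidden from Windows API.',
    # Constructed line, not from the thread: the shape a genuinely hidden driver file would take.
    r'C:\WINDOWS\system32\drivers\example.sys 9/29/2005 10:30 AM 12.00 KB Hidden from Windows API.',
]

LINE_RE = re.compile(
    r'^(?P<path>.+?) (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) '
    r'(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<what>.+)$')

# (pattern matched against the path, explanation). First hit wins. Author's assumptions.
CHURN_RULES = [
    (r'^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed$',
     'CryptoAPI reseeds this value constantly, so the two reads differ'),
    (r'^HKLM\\SOFTWARE\\Microsoft\\Direct3D\\MostRecentApplication\\',
     'rewritten whenever a Direct3D program starts'),
    (r'\\VirusProtect6\\CurrentVersion\\Status$',
     'antivirus status counter updated while the scan ran'),
    (r'\\Temporary Internet Files\\',
     'browser cache being written while the scan ran'),
    (r'\\Local Settings\\Temp\\',
     'temp file created or deleted while the scan ran'),
    (r'\\VirusDefs\\',
     'antivirus definition update in progress during the scan'),
]


def parse_line(line):
    """Split one RootkitRevealer line into path, timestamp, size and discrepancy text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return ('expected', reason) or ('follow-up', reason) for one parsed entry."""
    path, what = entry['path'], entry['what']
    for pattern, reason in CHURN_RULES:
        if re.search(pattern, path, re.I):
            return 'expected', reason
    is_registry = path.upper().startswith(('HKLM\\', 'HKCU\\', 'HKU\\', 'HKCR\\'))
    if is_registry and what.startswith('Data mismatch'):
        return 'follow-up', 'value reads differently through the Win32 API than from the raw hive: inspect the key offline'
    if what.startswith('Hidden from Windows API'):
        return 'follow-up', 'object exists on disk or in the hive but the API does not return it: classic hiding'
    if 'not in MFT' in what:
        return 'follow-up', 'the API returned a file the raw MFT lacks: confirm whether it was simply deleted mid-scan'
    return 'follow-up', 'unrecognised discrepancy type'


def triage_rkr(lines):
    """Group lines into {'expected': [...], 'follow-up': [...]} of (path, reason) pairs."""
    report = {'expected': [], 'follow-up': []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # blank separators, banner text, etc.
        verdict, reason = classify(entry)
        report[verdict].append((entry['path'], reason))
    return report


if __name__ == '__main__':
    for verdict, items in triage_rkr(SAMPLE_RKR).items():
        print(verdict.upper())
        for path, reason in items:
            print(f'  {path}\n      {reason}')
```

The churn list is deliberately narrow: a rule that matched all of HKLM\SOFTWARE or all of the user profile would hide exactly the places a rootkit likes to live. Anything that falls through the list is reported, and "Hidden from Windows API" outside a known churn folder is the finding to chase first.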

#10
jbrown7441 (Topic Starter; Member; 25 posts)
SHEEEEESH it took me the better part of all morning to do this. I had to scan 4 times because every time I tried to save a log for rootkeeper, it gave me some line about how the destination to where I wanted to save it was not available or busy or full, and then rootkeeper froze on me when I tried to save it there anyway. I finally was able to save a file that looked somewhat diminished from the first log file by saving it to its default location in system 32 file. The two logs asked for are below. I also threw in a fresh HJT file just for fun.

Thanks a ton gentlemen, good luck!!!!!


HKLM\SOFTWARE\Classes\CLSID\{D630FC68-F1BF-82DA-FD15-B67BFF7B6C28}\pi 9/29/2005 10:21 AM 22 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{D630FC68-F1BF-82DA-FD15-B67BFF7B6C28}\od 9/29/2005 10:21 AM 70 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Status 9/29/2005 10:20 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/29/2005 10:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name 9/29/2005 10:18 AM 26 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\0JKLM5O7\Ping[1].asp 9/29/2005 10:39 AM 3 bytes Hidden from Windows API.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\9723AT6V\GetMessages[2].xml 9/29/2005 9:36 AM 108 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\9723AT6V\msgopen[1].htm 9/28/2005 11:50 AM 42 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\9723AT6V\msgopen[2].htm 9/29/2005 10:40 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\9723AT6V\Reval_logo[1].gif 9/29/2005 10:40 AM 1.00 KB Hidden from Windows API.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\N1ZEK6TJ\comerica_logo[1].gif 9/29/2005 10:40 AM 2.78 KB Hidden from Windows API.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\N1ZEK6TJ\GetMessages[1].xml 9/29/2005 10:39 AM 108 bytes Hidden from Windows API.
C:\Documents and Settings\jbrown\Local Settings\Temporary Internet Files\Content.IE5\N1ZEK6TJ\Ping[1].asp 9/29/2005 9:36 AM 3 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050928.007\vscanmsx.dat 9/29/2005 10:34 AM 2.02 KB Hidden from Windows API.



___________________________________




StartupList report, 9/29/2005, 11:10:16 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\jbrown\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jbrown\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
(Default) =
HPAIO_PrintFolderMgr = C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~2\VPTray.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
cplkm = C:\WINDOWS\system32\kxpqfx\cplkm.exe
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
guycrm = C:\WINDOWS\system32\fhlpnxy\guycrm.exe
babfk = C:\WINDOWS\system32\vljhvq\babfk.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
services32 = C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = "C:\WINDOWS\system32\notepad.exe" "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc2.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://software-dl.r...tzip/RdxIE2.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://mathsoft.web...ent/ieatgpc.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.h.../qdiagh.cab?326

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: system32\DRIVERS\ABP480N5.SYS (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
adpu160m: system32\DRIVERS\adpu160m.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)
Aha154x: system32\DRIVERS\aha154x.sys (system)
aic78u2: system32\DRIVERS\aic78u2.sys (system)
aic78xx: system32\DRIVERS\aic78xx.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: system32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)
AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)
amsint: system32\DRIVERS\amsint.sys (system)
aokxlhk: \??\C:\WINDOWS\system32\jsjdflb\aokxlhk (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: system32\DRIVERS\asc.sys (system)
asc3350p: system32\DRIVERS\asc3350p.sys (system)
asc3550: system32\DRIVERS\asc3550.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Autodesk Licensing Service: "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (manual start)
Broadcom NetXtreme 57xx Gigabit Controller: system32\DRIVERS\b57xp32.sys (manual start)
babfkvljhvq: C:\WINDOWS\system32\vljhvq\babfk.exe (autostart)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Broadcom ASF IP monitoring service v6.0.4: C:\WINDOWS\system32\basfipm.exe (autostart)
BASFND: \??\C:\WINDOWS\system32\Drivers\BASFND.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cbidf: system32\DRIVERS\cbidf2k.sys (system)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: system32\DRIVERS\cmdide.sys (system)
Command Service: C:\WINDOWS\amJyb3du\command.exe (autostart)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
cplkmkxpqfx: C:\WINDOWS\system32\kxpqfx\cplkm.exe (autostart)
Cpqarray: system32\DRIVERS\cpqarray.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CWShredder Service: c:\program files\InterMute\SpySubtract\CWShredder.exe service (autostart)
dac2w2k: system32\DRIVERS\dac2w2k.sys (system)
dac960nt: system32\DRIVERS\dac960nt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (manual start)
MS IEEE-1284.4 Driver: system32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: system32\DRIVERS\dot4usb.sys (manual start)
dpti2o: system32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GATXKBZI: C:\DOCUME~1\jbrown\LOCALS~1\Temp\GATXKBZI.exe (manual start)
GLNHHZOO: C:\DOCUME~1\jbrown\LOCALS~1\Temp\GLNHHZOO.exe (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
guycrmfhlpnxy: C:\WINDOWS\system32\fhlpnxy\guycrm.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: system32\DRIVERS\hpn.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: system32\DRIVERS\i2omp.sys (system)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
IIS Admin: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: system32\DRIVERS\ini910u.sys (system)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
ivxprhhjnjfe: C:\WINDOWS\system32\hhjnjfe\ivxpr.exe (autostart)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: system32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
FTP Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
msymrqbvpoy: C:\WINDOWS\system32\rqbvpoy\msym.exe (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050928.007\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050928.007\navex15.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
perc2: system32\DRIVERS\perc2.sys (system)
perc2hib: system32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
ql1080: system32\DRIVERS\ql1080.sys (system)
Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)
ql12160: system32\DRIVERS\ql12160.sys (system)
ql1240: system32\DRIVERS\ql1240.sys (system)
ql1280: system32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (autostart)
SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Sentinel: \SystemRoot\System32\Drivers\SENTINEL.SYS (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
Rainbow USB SuperPro: system32\DRIVERS\SNTNLUSB.SYS (manual start)
Sparrow: system32\DRIVERS\sparrow.sys (system)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{2F130D52-0BDB-47EB-AF81-1E09BA7E21E7} (manual start)
Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (autostart)
symc810: system32\DRIVERS\symc810.sys (system)
symc8xx: system32\DRIVERS\symc8xx.sys (system)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (disabled)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
sym_hi: system32\DRIVERS\sym_hi.sys (system)
sym_u3: system32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
TosIde: system32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: system32\DRIVERS\ultra.sys (system)
uosfngi: \??\C:\WINDOWS\system32\flpiqev\uosfngi (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Windows CE USB Serial Host Driver: system32\DRIVERS\wceusbsh.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
XWC: C:\DOCUME~1\jbrown\LOCALS~1\Temp\XWC.exe (manual start)
NTPort Library Driver: \??\C:\WINDOWS\system32\zntport.sys (autostart)
--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

jxbvilxg.exe = C:\WINDOWS\system\jxbvilxg.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38,543 bytes
Report generated in 0.079 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

___________________________________

Logfile of HijackThis v1.99.1
Scan saved at 11:19:49 AM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\fhlpnxy\guycrm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\FranklinCovey\PlanPlus for Microsoft Outlook\PowerNotes.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\jbrown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathsoft.web...ent/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O17 - HKLM\Software\..\Telephony: DomainName = silvereaglerefining.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = silvereaglerefining.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: babfkvljhvq - Unknown owner - C:\WINDOWS\system32\vljhvq\babfk.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:&
  • 0



#11
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi again :)

Thanks for that information. It will take me a while to go through it all, but in the meantime, I need some more (sorry :tazz: )

Please print this out for reference.

Go to your desktop and right-click on the My Computer icon
Select Properties
Open the Hardware tab
Select Device Manager
Click on View
Select Show Hidden Devices
Navigate down the list and expand Non-Plug and Play Devices
Maximise that window so that all of the entries under Non-Plug and Play Devices are visible, then post a screenshot here for me please. If you cannot post a screenshot, then look through the list and make a note of any entries named something like guycrm or jjccfhju or similar random names.
Do NOT do anything to them, just let me know what you find please.

Thanks for your help and patience here. This infection is a real swine, but we will get this sorted out. :)
  • 0

#12
jbrown7441

jbrown7441

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Don't be sorry, I am just glad for the help. I have posted a resource summary report from the Device Manager just in case that helped. I have added a Word document with the screenshot you wanted. Let me know if it doesn't work. I'll email it or something.

Thanks






Resource Summary Report - Page: 1
******************** SYSTEM SUMMARY ********************
Windows Version: Windows 5.1 Service Pack 2 (Build 2600)
Registered Owner: Tom
Registered Organization:
Computer Name: TOM1
Machine Type: AT/AT COMPATIBLE
System BIOS Version: DELL - 7
System BIOS Date: 09/17/04
Processor Type: x86 Family 15 Model 3 Stepping 4
Processor Vendor: GenuineIntel
Number of Processors: 1
Physical Memory: 1023 MB
******************** DISK DRIVE INFO ********************
Drive A:
Type: 3.5" 1.44MB floppy disk drive
Total Space: 1,474,560 bytes
Heads: 2
Cylinders: 80
Sectors Per Track: 18
Bytes Per Sector: 512
Drive C:
Type: Fixed disk drive
Total Space: 159,981,694,976 bytes
Free Space: 122,157,096,960 bytes
Heads: 255
Cylinders: 19457
Sectors Per Track: 63
Bytes Per Sector: 512
******************** IRQ SUMMARY ********************
IRQ Usage Summary:
(ISA) 0 System timer
(ISA) 4 Communications Port (COM1)
(ISA) 6 Standard floppy disk controller
(ISA) 8 System CMOS/real time clock
(ISA) 9 Microsoft ACPI-Compliant System
(PCI) 10 Intel® 82801FB/FBM SMBus Controller - 266A
(ISA) 13 Numeric data processor
(ISA) 14 Primary IDE Channel
(PCI) 16 Intel® 915G/P/GV PCI Express Root Port - 2581
(PCI) 16 RADEON X300 Series
(PCI) 16 Intel® 82801FB/FBM PCI Express Root Port - 2660
(PCI) 16 Broadcom NetXtreme 57xx Gigabit Controller
(PCI) 17 Intel® 82801FB/FBM PCI Express Root Port - 2662
(PCI) 18 Intel® 82801FB/FBM USB Universal Host Controller - 265A
(PCI) 20 Intel® 82801FB Ultra ATA Storage Controllers - 2651
(PCI) 21 Intel® 82801FB/FBM USB Universal Host Controller - 2658
(PCI) 21 Intel® 82801FB/FBM USB2 Enhanced Host Controller - 265C
(PCI) 22 Intel® 82801FB/FBM USB Universal Host Controller - 2659
(PCI) 23 Intel® 82801FB/FBM USB Universal Host Controller - 265B
(PCI) 23 SoundMAX Integrated Digital Audio
******************** DMA USAGE SUMMARY ********************
DMA Usage Summary:
2 Standard floppy disk controller
4 Direct memory access controller
******************** MEMORY SUMMARY ********************
Memory Usage Summary:
[00000000 - 0009FFFF] System board
[000A0000 - 000BFFFF] PCI bus
[000A0000 - 000BFFFF] Intel® 915G/P/GV PCI Express Root Port - 2581
[000A0000 - 000BFFFF] RADEON X300 Series
[000C0000 - 000FFFFF] System board
[00100000 - 00FFFFFF] System board
[01000000 - 3FE86BFF] System board
[80000000 - DFFFFFFF] PCI bus
[D0000000 - D7FFFFFF] Intel® 915G/P/GV PCI Express Root Port - 2581
[D0000000 - D7FFFFFF] RADEON X300 Series
[DFB00000 - DFBFFFFF] Intel® 82801FB/FBM PCI Express Root Port - 2662
[DFC00000 - DFCFFFFF] Intel® 82801FB/FBM PCI Express Root Port - 2660
[DFCF0000 - DFCFFFFF] Broadcom NetXtreme 57xx Gigabit Controller
[DFD00000 - DFEFFFFF] Intel® 915G/P/GV PCI Express Root Port - 2581
[DFDE0000 - DFDEFFFF] RADEON X300 Series
[DFDF0000 - DFDFFFFF] RADEON X300 Series Secondary
[DFFFFD00 - DFFFFDFF] SoundMAX Integrated Digital Audio
[DFFFFE00 - DFFFFFFF] SoundMAX Integrated Digital Audio
[E0000000 - EFFFFFFF] Motherboard resources
[F0000000 - FEBFFFFF] PCI bus
[FEBFFC00 - FEBFFFFF] Intel® 82801FB/FBM USB2 Enhanced Host Controller - 265C
[FEC00000 - FECFFFFF] System board
[FED00000 - FED003FF] High Precision Event Timer
[FED20000 - FED9FFFF] System board
[FEDA0000 - FEDACFFF] Motherboard resources
[FEE00000 - FEEFFFFF] System board
[FFB00000 - FFBFFFFF] System board
[FFC00000 - FFFFFFFF] System board
******************** IO PORT SUMMARY ********************
I/O Ports Usage Summary:
[00000000 - 00000CF7] PCI bus
[00000000 - 0000001F] Direct memory access controller
[00000020 - 0000003F] Programmable interrupt controller
[00000040 - 0000005F] System timer
[00000060 - 00000060] System board
[00000061 - 00000061] System speaker
[00000062 - 00000063] System board
[00000064 - 00000064] System board
[00000065 - 0000006F] System board
[00000070 - 0000007F] System CMOS/real time clock
[00000080 - 0000009F] Direct memory access controller
[000000A0 - 000000BF] Programmable interrupt controller
[000000C0 - 000000DF] Direct memory access controller
[000000E0 - 000000EF] System board
[000000F0 - 000000FF] Numeric data processor
[00000100 - 000001FE] Motherboard resources
[000001F0 - 000001F7] Primary IDE Channel
[00000200 - 00000277] Motherboard resources
[00000274 - 00000277] ISAPNP Read Data Port
[00000279 - 00000279] ISAPNP Read Data Port
[00000280 - 000002E7] Motherboard resources
[000002F0 - 000002F7] Motherboard resources
[00000300 - 00000377] Motherboard resources
[00000378 - 0000037F] ECP Printer Port (LPT1)
[00000380 - 000003BB] Motherboard resources
[000003B0 - 000003BB] Intel® 915G/P/GV PCI Express Root Port - 2581
[000003B0 - 000003BB] RADEON X300 Series
[000003C0 - 000003E7] Motherboard resources
[000003C0 - 000003DF] Intel® 915G/P/GV PCI Express Root Port - 2581
[000003C0 - 000003DF] RADEON X300 Series
[000003F0 - 000003F5] Standard floppy disk controller
[000003F6 - 000003F7] Motherboard resources
[000003F6 - 000003F6] Primary IDE Channel
[000003F7 - 000003F7] Standard floppy disk controller
[000003F8 - 000003FF] Communications Port (COM1)
[00000400 - 000004CF] Motherboard resources
[000004D0 - 000004D1] Programmable interrupt controller
[000004D2 - 0000057F] Motherboard resources
[00000580 - 00000677] Motherboard resources
[00000680 - 00000777] Motherboard resources
[00000778 - 0000077F] ECP Printer Port (LPT1)
[00000780 - 000007BB] Motherboard resources
[000007C0 - 000007FF] Motherboard resources
[00000800 - 0000085F] System board
[00000860 - 000008FF] System board
[000008E0 - 000008FF] Motherboard resources
[00000900 - 000009FE] Motherboard resources
[00000A00 - 00000AFE] Motherboard resources
[00000A79 - 00000A79] ISAPNP Read Data Port
[00000B00 - 00000BFE] Motherboard resources
[00000C00 - 00000C7F] System board
[00000C80 - 00000CAF] Motherboard resources
[00000CC0 - 00000CF7] Motherboard resources
[00000D00 - 0000FFFF] PCI bus
[00000D00 - 00000DFE] Motherboard resources
[00000E00 - 00000EFE] Motherboard resources
[00000F00 - 00000FFE] Motherboard resources
[00002000 - 000020FE] Motherboard resources
[00002100 - 000021FE] Motherboard resources
[00002200 - 000022FE] Motherboard resources
[00002300 - 000023FE] Motherboard resources
[00002400 - 000024FE] Motherboard resources
[00002500 - 000025FE] Motherboard resources
[00002600 - 000026FE] Motherboard resources
[00002700 - 000027FE] Motherboard resources
[00002800 - 000028FE] Motherboard resources
[00002900 - 000029FE] Motherboard resources
[00002A00 - 00002AFE] Motherboard resources
[00002B00 - 00002BFE] Motherboard resources
[00002C00 - 00002CFE] Motherboard resources
[00002D00 - 00002DFE] Motherboard resources
[00002E00 - 00002EFE] Motherboard resources
[00002F00 - 00002FFE] Motherboard resources
[00005000 - 000050FE] Motherboard resources
[00005100 - 000051FE] Motherboard resources
[00005200 - 000052FE] Motherboard resources
[00005300 - 000053FE] Motherboard resources
[00005400 - 000054FE] Motherboard resources
[00005500 - 000055FE] Motherboard resources
[00005600 - 000056FE] Motherboard resources
[00005700 - 000057FE] Motherboard resources
[00005800 - 000058FE] Motherboard resources
[00005900 - 000059FE] Motherboard resources
[00005A00 - 00005AFE] Motherboard resources
[00005B00 - 00005BFE] Motherboard resources
[00005C00 - 00005CFE] Motherboard resources
[00005D00 - 00005DFE] Motherboard resources
[00005E00 - 00005EFE] Motherboard resources
[00005F00 - 00005FFE] Motherboard resources
[00006000 - 000060FE] Motherboard resources
[00006100 - 000061FE] Motherboard resources
[00006200 - 000062FE] Motherboard resources
[00006300 - 000063FE] Motherboard resources
[00006400 - 000064FE] Motherboard resources
[00006500 - 000065FE] Motherboard resources
[00006600 - 000066FE] Motherboard resources
[00006700 - 000067FE] Motherboard resources
[00006800 - 000068FE] Motherboard resources
[00006900 - 000069FE] Motherboard resources
[00006A00 - 00006AFE] Motherboard resources
[00006B00 - 00006BFE] Motherboard resources
[00006C00 - 00006CFE] Motherboard resources
[00006D00 - 00006DFE] Motherboard resources
[00006E00 - 00006EFE] Motherboard resources
[00006F00 - 00006FFE] Motherboard resources
[0000A000 - 0000A0FE] Motherboard resources
[0000A100 - 0000A1FE] Motherboard resources
[0000A200 - 0000A2FE] Motherboard resources
[0000A300 - 0000A3FE] Motherboard resources
[0000A400 - 0000A4FE] Motherboard resources
[0000A500 - 0000A5FE] Motherboard resources
[0000A600 - 0000A6FE] Motherboard resources
[0000A700 - 0000A7FE] Motherboard resources
[0000A800 - 0000A8FE] Motherboard resources
[0000A900 - 0000A9FE] Motherboard resources
[0000AA00 - 0000AAFE] Motherboard resources
[0000AB00 - 0000ABFE] Motherboard resources
[0000AC00 - 0000ACFE] Motherboard resources
[0000AD00 - 0000ADFE] Motherboard resources
[0000AE00 - 0000AEFE] Motherboard resources
[0000AF00 - 0000AFFE] Motherboard resources
[0000D000 - 0000DFFF] Intel® 915G/P/GV PCI Express Root Port - 2581
[0000DC00 - 0000DCFF] RADEON X300 Series
[0000E8A0 - 0000E8BF] Intel® 82801FB/FBM SMBus Controller - 266A
[0000E8C0 - 0000E8FF] SoundMAX Integrated Digital Audio
[0000EC00 - 0000ECFF] SoundMAX Integrated Digital Audio
[0000FE00 - 0000FE07] Intel® 82801FB Ultra ATA Storage Controllers - 2651
[0000FE10 - 0000FE13] Intel® 82801FB Ultra ATA Storage Controllers - 2651
[0000FE20 - 0000FE27] Intel® 82801FB Ultra ATA Storage Controllers - 2651
[0000FE30 - 0000FE33] Intel® 82801FB Ultra ATA Storage Controllers - 2651
[0000FEA0 - 0000FEAF] Intel® 82801FB Ultra ATA Storage Controllers - 2651
[0000FF20 - 0000FF3F] Intel® 82801FB/FBM USB Universal Host Controller - 265B
[0000FF40 - 0000FF5F] Intel® 82801FB/FBM USB Universal Host Controller - 265A
[0000FF60 - 0000FF7F] Intel® 82801FB/FBM USB Universal Host Controller - 2659
[0000FF80 - 0000FF9F] Intel® 82801FB/FBM USB Universal Host Controller - 2658
[0000FFA0 - 0000FFAF] Intel® 82801FB/FBM Ultra ATA Storage Controllers - 266F



  • 0

#13
jbrown7441

jbrown7441

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
here is the screen shot

Attached File  screenshot.doc   137.5KB   43 downloads
  • 0

#14
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi There :)

Ok then. Thanks for your patience here, I have gone through all the logs and data now and I think I have tracked everything down. I am writing up a fix for you, but before I post it, I want to get a second opinion, just to make sure.

In the meantime, can you tell me if you can see these files on your PC please?

C:\DOCUME~1\jbrown\LOCALS~1\Temp\GATXKBZI.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\GLNHHZOO.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\XWC.exe

Don't click on them or do anything with them at all, I just want to know if they are there. :tazz:
  • 0

#15
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi There :)


Please read this through thoroughly before you start. I must advise you that this infection that you have is utilising new methods of protecting and hiding itself, hence the delay in finding the best way to remove it. Although we are confident that this remedy will be successful, it may not be and is therefore used at your own risk. Any questions you may have, ask them now please.

Before you start, ensure that your PC is set so as to view all files, including hidden and system files.

You MUST print these instructions out for reference as most of this will be done in safe mode, where you will have no net access.


Ok, On with the Fix


Copy everything inside the quote box below and paste it into Notepad. Save it as killfiles.txt on your desktop.

C:\WINDOWS\system32\vljhvq\babfk.exe
C:\WINDOWS\amJyb3du\command.exe
C:\WINDOWS\system32\kxpqfx\cplkm.exe
C:\WINDOWS\system32\fhlpnxy\guycrm.exe
C:\WINDOWS\system32\hhjnjfe\ivxpr.exe
C:\WINDOWS\system32\rqbvpoy\msym.exe
C:\WINDOWS\system\jxbvilxg.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\GATXKBZI.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\GLNHHZOO.exe
C:\DOCUME~1\jbrown\LOCALS~1\Temp\XWC.exe


Copy everything inside the quote box below and paste it into Notepad. Go up to File > Save As, then click the drop-down box to change the "Save As Type" to "All Files". Save it as delserv.bat on your desktop.

@echo off
sc stop babfkvljhvq
sc delete babfkvljhvq
sc stop "Command Service"
sc delete "Command Service"
sc stop cplkmkxpqfx
sc delete cplkmkxpqfx
sc stop guycrmfhlpnxy
sc delete guycrmfhlpnxy
sc stop ivxprhhjnjfe
sc delete ivxprhhjnjfe
sc stop msymrqbvpoy
sc delete msymrqbvpoy
sc stop GATXKBZI
sc delete GATXKBZI
sc stop GLNHHZOO
sc delete GLNHHZOO
sc stop XWC
sc delete XWC






1) Please download the Killbox here.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safemode, Double-click delserv.bat.

4) Still in Safe Mode, please run Killbox.

5) Select "Delete on Reboot".

6) Open the text file you made earlier (Killfiles.txt), and copy the file names to the clipboard by highlighting them and pressing Control-C:

7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

8) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.



Let the system reboot but ensure it boots into Safe Mode by pressing F8 as your computer is booting up. Then select the Safe Mode option.



9) Once in Safemode, Open the Device Manager and select View Hidden Devices from The View Menu. Navigate to Non PnP Devices and expand that line.

10) Click on the entry labelled aokxlhk, then in the Actions menu, select Disable. Repeat this for the entry labelled uosfngi.

11) Click on the entry labelled aokxlhk, then in the Actions menu, select Uninstall. Repeat this for the entry labelled uosfngi.

12) Using Windows Explorer, locate and delete the following folders

C:\WINDOWS\system32\jsjdflb
C:\WINDOWS\system32\vljhvq
C:\WINDOWS\amJyb3du
C:\WINDOWS\system32\kxpqfx
C:\WINDOWS\system32\fhlpnxy
C:\WINDOWS\system32\hhjnjfe
C:\WINDOWS\system32\rqbvpoy
C:\WINDOWS\system32\flpiqev

13) Boot into Normal mode

14) Once in Normal Mode, copy the part in bold below into notepad. Save it as regfix.reg (set filetype to "All Files")


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"jxbvilxg.exe"=-

Doubleclick the file you made (regfix.reg) and confirm you want to merge it with the registry.

15) Reboot into safe Mode and rescan with Spysweeper, save the log it creates.

16) Reboot once more into Normal Mode, rescan with HJT and post a new HijackThis log, as well as the Spysweeper log.


Good Luck :tazz:
  • 0
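The fix above was built by hand from the HijackThis log: each O4 entry whose binary sits in a randomly named folder under system32 was paired with a service (cplkm.exe in kxpqfx became the service cplkmkxpqfx, babfk.exe in vljhvq became babfkvljhvq) and the matching sc stop / sc delete lines went into delserv.bat. The Python below is an added example, not code from this thread, from ukbiker or from HijackThis. It runs that same triage over a constructed subset of the log's O4/O23 lines, flags binaries launched from an unexpected system32 subfolder or from a Temp folder, and derives the service name to check using the exe-stem-plus-folder pattern seen in this thread, which is an assumption drawn from these posts rather than a general rule; the allowlist of system32 subfolders is also an assumption. The Device Manager non-PnP entries and the policies\Explorer\Run value in the fix are outside what a log parser can see, so they are not covered here.

```python
"""Triage of HijackThis O4/O23 lines.

Added example: this is not code from the thread, from ukbiker or from
HijackThis. It flags autostart entries and services whose binaries live where
the infection in this thread put them, and derives the service name to check
using the naming pattern visible in the fix post (exe stem + folder name,
e.g. babfk.exe in folder vljhvq -> service babfkvljhvq), which is an
assumption drawn from this thread, not a general rule.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the O4/O23 lines from the log in this thread,
# with one legitimate RunOnce entry kept in to show a heuristic false positive.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cplkm] C:\WINDOWS\system32\kxpqfx\cplkm.exe
O4 - HKLM\..\Run: [guycrm] C:\WINDOWS\system32\fhlpnxy\guycrm.exe
O4 - HKLM\..\RunOnce: [HP_AIO_SETUP_MUTEX] C:\DOCUME~1\JBROWN\LOCALS~1\TEMP\HP OFFICEJET G SERIES\CDIMAGE\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: babfkvljhvq - Unknown owner - C:\WINDOWS\system32\vljhvq\babfk.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
"""

# Assumed allowlist of folders that normally sit directly under system32 and
# hold executables; any other subfolder is surfaced for a human to review.
KNOWN_SYSTEM32_SUBDIRS = {"spool", "inetsrv", "wbem", "drivers", "dllcache", "restore"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                  # "O4" (autostart) or "O23" (service)
    name: str                  # Run value name or service display name
    path: str                  # executable path extracted from the line
    reasons: List[str] = field(default_factory=list)
    service_guess: str = ""    # service short name to look at with sc


def extract_exe(text: str) -> str:
    """First drive-letter path ending in .exe, quotes and arguments dropped."""
    m = EXE_RE.search(text)
    return m.group(0) if m else ""


def analyse_path(path: str) -> Tuple[List[str], Optional[str]]:
    """Return (reasons, system32 subfolder) for an executable path."""
    parts = path.split("\\")
    lowered = [p.lower() for p in parts]
    reasons: List[str] = []
    subfolder = None
    if "system32" in lowered:
        i = lowered.index("system32")
        # exe exactly one folder below system32, in a folder not on the allowlist
        if len(parts) == i + 3 and lowered[i + 1] not in KNOWN_SYSTEM32_SUBDIRS:
            subfolder = parts[i + 1]
            reasons.append(f"executable in unexpected system32 subfolder '{subfolder}'")
    if "temp" in lowered:
        reasons.append("executable launched from a Temp folder")
    return reasons, subfolder


def service_short_name(display: str) -> str:
    """HijackThis prints 'Display name (ShortName)'; sc needs the short name."""
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        if m4:
            path = extract_exe(m4.group("cmd"))
            reasons, subfolder = analyse_path(path)
            f = Finding("O4", m4.group("name"), path, reasons)
            if subfolder:
                # naming pattern seen in this thread: exe stem + folder name
                stem = re.sub(r"\.exe$", "", path.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
                f.service_guess = stem + subfolder
        elif m23:
            path = extract_exe(m23.group("path"))
            reasons, _ = analyse_path(path)
            f = Finding("O23", m23.group("svc"), path, reasons)
            if reasons and m23.group("owner") == "Unknown owner":
                f.reasons.append("service has no registered owner")
            f.service_guess = service_short_name(m23.group("svc"))
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def fix_commands(findings: List[Finding]) -> List[str]:
    """Batch lines in the style of this thread's delserv.bat, for review only."""
    lines = ["@echo off"]
    seen = set()
    for f in findings:
        if f.service_guess and f.service_guess not in seen:
            seen.add(f.service_guess)
            lines += [f"sc stop {f.service_guess}", f"sc delete {f.service_guess}"]
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} [{f.name}] {f.path}")
        for r in f.reasons:
            print("   -", r)
        if f.service_guess:
            print("   service to check:", f.service_guess)
    print("\n".join(fix_commands(found)))
```

The HP RunOnce entry is surfaced on purpose: the Temp-folder rule is a review prompt, not a verdict, which is why the helper above asked the poster to confirm the Temp files existed before writing any of them into killfiles.txt. The "Unknown owner" flag is only attached when the path is already suspect, since legitimate drivers such as Ati2evxx.exe report no owner too.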





