Alright, I can't put this off any longer. [RESOLVED]



#1
nick_mi
  • Member
  • 272 posts
Alright, all I need to know right away is, should any of my problems have anything to do with my cd drive not working? I know there are a lot of things I need to fix, and I will, but if you do not have time to help me with my log, at least see if anything is affecting my cd drive. I am about to install the cd to run a diagnostics on my cd drive, and if it's not fixable, I need to call Dell about my warranty. ~_~

Logfile of HijackThis v1.99.1
Scan saved at 6:29:11 PM, on 9/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\pmekwe.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\System32\efd30ok4.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinFixer 2005\WFX5.exe
C:\Documents and Settings\Nick\Desktop\Set ups\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshqfiq.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italukfx.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm146.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [efd30ok4] C:\WINDOWS\System32\efd30ok4.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [idbfbrl] C:\WINDOWS\System32\pmekwe.exe r
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2
nick_mi
  • Topic Starter
  • Member
  • 272 posts
k, something definitely wrong with my cd drive. Gonna call dell now, so just do the log whenever you can. =/ :tazz:

#3
nick_mi
  • Topic Starter
  • Member
  • 272 posts
After an hour and a half later of Dell people who can barely speak English and running diagnostic tests I've already run, they've come to the conclusion that it is indeed spyware that is preventing my cd player. >_<

The funny thing is, I'm like oh, well I have a topic up at a forum where people like that help me. She then tried to tell me that you guys probably do not have a clue as to what you're doing, and I should go with their certified technician. When I said I'd rather stay with you guys she replied "So would you like to just be charged once, or would you like a year membership."

GG Dell thinks you guys don't know crap :tazz:

Show them how wrong you are! <3

Thanks for the person who helps me.

#4
Excal
Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hi and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further. Thanks :tazz:


DOWNLOAD PROGRAMS


Please download Nailfix from Here.
Please do NOT run it yet.

Download and install CleanUp! Here.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Once in Safe Mode, please double-click on Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
  • Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshqfiq.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italukfx.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm146.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [efd30ok4] C:\WINDOWS\System32\efd30ok4.exe
O4 - HKLM\..\Run: [idbfbrl] C:\WINDOWS\System32\pmekwe.exe r
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


9. Click the Fix Checked box

10. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

WinFixer 2005

11. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\CMAPP
C:\Program Files\CMSystem
C:\Program Files\FCEngine
C:\Program Files\WinFixer 2005


12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\dinst.exe
C:\WINDOWS\System32\efd30ok4.exe
C:\WINDOWS\System32\pmekwe.exe
C:\WINDOWS\System32\pshwr.exe
C:\WINDOWS\System32\ichckupd.exe


13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post an ActiveScan log, Ewido scan log and a fresh HijackThis log. Let me know how your computer is running.

#5
nick_mi
  • Topic Starter
  • Member
  • 272 posts
Yo, I couldn't delete the .exe files because whenever I'd right click on them, my screen would go black, I'd get a beep and it'd pop up a message asking if I wanted to do a system restore from last date. So I am running cleanup. Then rebooting, then trying to delete them, then posting my logs.

I'm on my dad's comp right now FYI.

#6
nick_mi
  • Topic Starter
  • Member
  • 272 posts
the scan found nothing

Logfile of HijackThis v1.99.1
Scan saved at 5:04:49 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\deinkxn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Nick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [uocihig] C:\WINDOWS\System32\deinkxn.exe r
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:  4:39:22 PM, 10/1/2005
+ Report-Checksum:  408C7076

+ Date of database:  6/29/2005
+ Version of scan engine: v3.0

+ Duration:    42 min
+ Scanned Files:  52188
+ Speed:    20.44 Files/Second
+ Infected files:  75
+ Removed files:  75
+ Files put in quarantine:  75
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder:  Yes
+ Crypter:  Yes
+ Archives:  No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Nick\Cookies\nick@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@ads.swirve[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@citi.bridgetrack[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@counter2.hitslink[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@counter2.sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@counter9.sextracker[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@creview.adbureau[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@ehg-phe.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@ehg-technuity.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@free.aol[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@linksynergy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@p[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@sexlist[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@tradedoubler[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@www.shopathomeselect[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Cookies\nick@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nick\Local Settings\Temp\AutoUpdate0\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\Documents and Settings\Nick\Local Settings\Temp\AutoUpdate0\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\1r5g5l8p.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\SYSTEM32\bmedalvh.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dist001.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINDOWS\SYSTEM32\flsmngr.dll -> Spyware.Searcher -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nskAF.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nsm146.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\SYSTEM32\scombo.exe -> Worm.Bagz.j -> Cleaned with backup
C:\WINDOWS\SYSTEM32\thin-138-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\thun32.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\SYSTEM32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame1.exe -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame2.dll -> TrojanProxy.Agent.ex -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame2.exe -> TrojanDropper.Agent.kz -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame3.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame4.exe -> TrojanDownloader.Small.aqu -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgamet1.exe -> TrojanDownloader.Small.aqt -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgamet2.exe -> Trojan.LowZones.y -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe -> TrojanDownloader.Small.aqu -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe -> TrojanDownloader.Small.awa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe -> TrojanDownloader.Small.awa -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq8.exe -> TrojanDownloader.Small.aqu -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wmnhe.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\SYSTEM32\yfsiaaaa.exe -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ехplorer.exe -> Spyware.PurityScan -> Cleaned with backup
C:\WINDOWS\t1965m9c.exe -> Spyware.SAHA -> Cleaned with backup


::Report End







Bad news, whenever I right click on ANY .exe, it's almost like a reboot. Everything but my background goes blank, then my desktop comes back, and everything is closed.

#7
Excal
Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hmmm, let's try to get rid of the nail infection first.

Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find the Process in the list of Processes.
Select this process and click Process > Suspend.

deinkxn.exe


Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file C:\WINDOWS\System32\deinkxn.exe
When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.

After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [uocihig] C:\WINDOWS\System32\deinkxn.exe r

Please post a fresh HiJackthis log
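
The log comparison behind a reply like this one, as an added example that is not part of the original thread or any tool named in it: it parses HijackThis entries from the fix list in post #4 and from the 9/28 and 10/1 scans (excerpts copied from the logs above), then reports which marked entries are still present, which entries are new, and which new Run entries look like a renamed copy of one that was fixed. The function names and the "same hive, same folder, same arguments" matching rule are assumptions made for this illustration.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# "O4 - HKLM\..\Run: [name] cmd" -> section "O4", body = the rest of the line
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# Applied to the normalised (lower-cased) body of an O4 Run entry
RUN_RE = re.compile(r"^(hk\w+)\\\.\.\\run: \[[^\]]+\] (.+)$")

# Excerpts copied from the logs posted in this thread
SCAN_BEFORE = r'''
Logfile of HijackThis v1.99.1
Scan saved at 6:29:11 PM, on 9/28/2005
C:\WINDOWS\System32\pmekwe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm146.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [idbfbrl] C:\WINDOWS\System32\pmekwe.exe r
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
'''
FIX_LIST = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm146.dll
O4 - HKLM\..\Run: [idbfbrl] C:\WINDOWS\System32\pmekwe.exe r
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Program Files\WinFixer 2005\WFX5.exe" /scan
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
'''
SCAN_AFTER = r'''
Logfile of HijackThis v1.99.1
Scan saved at 5:04:49 PM, on 10/1/2005
C:\WINDOWS\System32\deinkxn.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [uocihig] C:\WINDOWS\System32\deinkxn.exe r
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
'''


def parse_log(text):
    """Return the set of entries in a log; header and process lines are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Collapse spacing and fold case: the same entry is printed with
            # different spacing from one scan to the next (see the O23 line).
            body = re.sub(r"\s+", " ", m.group(2)).lower()
            entries.add(Entry(m.group(1), body))
    return entries


def run_shape(entry):
    """(hive, folder, arguments) of an O4 Run entry, or None for anything else."""
    m = RUN_RE.match(entry.body) if entry.section == "O4" else None
    if not m:
        return None
    hive, cmd = m.groups()
    if cmd.startswith('"'):
        path, _, args = cmd[1:].partition('"')
    else:
        exe = re.match(r"(.+?\.exe)(.*)$", cmd)
        path, args = exe.groups() if exe else (cmd, "")
    return hive, ntpath.dirname(path), args.strip()


def review(fix_text, before_text, after_text):
    """Compare a fix list with the scans taken before and after it was applied."""
    fix, before, after = (parse_log(t) for t in (fix_text, before_text, after_text))
    new = after - before
    # Heuristic (assumption): a new Run entry with the same hive, folder and
    # arguments as a fixed one is treated as the same program under a new name.
    fixed_shapes = {}
    for e in fix - after:
        shape = run_shape(e)
        if shape:
            fixed_shapes[shape] = e
    respawned = {}
    for e in new:
        shape = run_shape(e)
        if shape in fixed_shapes:
            respawned[e.body] = fixed_shapes[shape].body
    return {"survived": sorted(fix & after), "new": sorted(new), "respawned": respawned}


if __name__ == "__main__":
    result = review(FIX_LIST, SCAN_BEFORE, SCAN_AFTER)
    for e in result["survived"]:
        print("still present:", e.section, "-", e.body)
    for e in result["new"]:
        print("new entry:    ", e.section, "-", e.body)
    for now, was in result["respawned"].items():
        print("renamed copy: ", was, "->", now)
```

A new entry is not automatically a bad one: the O16 ActiveScan line is new only because the online scan requested in step 14 installed it.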

#8
nick_mi
  • Topic Starter
  • Member
  • 272 posts

Logfile of HijackThis v1.99.1
Scan saved at 5:35:22 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Nick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


The keyhook looks malicious, what is that? Btw, I'm still getting pop-ups named "the best offer". The icon is six different colored circles making one circle by touching each other.

#9
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
This will work now :tazz:


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Once in Safe Mode, please double-click on Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


9. Click the Fix Checked box

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\dinst.exe

11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post an ActiveScan log, Ewido scan log and a fresh HijackThis log. Let me know how your computer is running.

#10
nick_mi

    Member

  • Topic Starter
  • Member
  • 272 posts

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:  8:31:18 PM, 10/1/2005
+ Report-Checksum:  664B377A

+ Date of database:  6/29/2005
+ Version of scan engine: v3.0

+ Duration:    37 min
+ Scanned Files:  43149
+ Speed:    19.27 Files/Second
+ Infected files:  35
+ Removed files:  35
+ Files put in quarantine:  0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder:  Yes
+ Crypter:  Yes
+ Archives:  No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Nick\Cookies\nick@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Nick\Cookies\nick@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Nick\Cookies\nick@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Nick\Cookies\nick@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037786.exe -> TrojanDownloader.Agent.qg -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037787.exe -> Trojan.Imiserv.c -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037788.exe -> Spyware.SAHA -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037789.dll -> Spyware.SAHA -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037790.exe -> TrojanDownloader.Agent.qg -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037791.dll -> Spyware.Searcher -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037792.dll -> Spyware.HotSearchBar -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037793.dll -> Spyware.HotSearchBar -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037794.exe -> Worm.Bagz.j -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037795.exe -> Spyware.BetterInternet -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037796.dll -> TrojanProxy.Small.bk -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037797.exe -> TrojanDropper.Agent.hl -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037798.exe -> TrojanProxy.Small.bk -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037799.dll -> TrojanProxy.Agent.ex -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037800.exe -> TrojanDropper.Agent.kz -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037801.exe -> TrojanDownloader.Agent.ho -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037802.exe -> TrojanDownloader.Small.aqu -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037803.exe -> TrojanDownloader.Small.aqt -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037804.exe -> Trojan.LowZones.y -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037805.exe -> TrojanDownloader.Small.aqu -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037806.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037807.exe -> TrojanDownloader.Small.awa -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037808.exe -> TrojanDownloader.Small.aux -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037809.exe -> TrojanDownloader.Small.awa -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037810.exe -> TrojanDownloader.Small.aqu -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037811.exe -> TrojanDownloader.Agent.ed -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037812.exe -> TrojanDropper.Agent.hl -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037813.exe -> TrojanProxy.Small.bk -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037814.exe -> Spyware.PurityScan -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037815.exe -> Spyware.SAHA -> Cleaned without backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c -> Cleaned without backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 8:42:11 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


K, the bottom file that I was supposed to delete out of HJT could not be found.
I still could not right click and delete, so I used some common sense and dragged it into the recycle bin and cleared that, so hopefully that deleted it.

Still can't open my cd games. =/
>_>

Edited by nick_mi, 01 October 2005 - 07:43 PM.
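
A way to check the step 8 fix list against the fresh log, as an added example that is not part of the thread: it parses HijackThis entry lines, normalises whitespace and case (the SvcProc line in the log has a double space that the fix list lacks), and reports which targeted entries are gone. The function names are hypothetical; the log excerpts are copied from the logs and fix list in posts #8 to #10.

```python
import re

# A HijackThis entry line starts with a section code (R0, F2, O4, O23, ...)
# followed by " - ". Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+")


def normalise(line):
    """Collapse whitespace runs and fold case so copies of an entry compare equal."""
    return re.sub(r"\s+", " ", line).strip().casefold()


def parse_entries(log_text):
    """Return {normalised entry: original line} for every entry line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[normalise(line)] = line
    return entries


def check_fix(before_log, after_log, fix_list):
    """Classify each fix-list item and list entries that appear only after the fix."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    result = {"removed": [], "still_present": [], "not_in_before": []}
    for item in fix_list:
        key = normalise(item)
        if key in after:
            result["still_present"].append(item.strip())  # fix did not stick
        elif key in before:
            result["removed"].append(item.strip())        # was there, now gone
        else:
            result["not_in_before"].append(item.strip())  # typo or stale list
    # Entries that showed up only in the fresh log deserve a second look.
    result["new_entries"] = [after[k] for k in after if k not in before]
    return result


# Excerpt of the log in post #8 (before the fix), copied from the thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\keyhook.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Excerpt of the fresh log in post #10 (after the fix), copied from the thread.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\keyhook.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# The items listed under step 8 of post #9, copied from the thread.
FIX_LIST = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll",
    r"O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
]

if __name__ == "__main__":
    report = check_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST)
    for status in ("removed", "still_present", "not_in_before", "new_entries"):
        print(f"{status}: {len(report[status])}")
        for line in report[status]:
            print("   ", line)
```
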


#11
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Sorry about not answering you before, I just saw that question:


The keyhook is: SIS graphics cards related: "Super VGA Keyboard Daemon" - hooks into the keyboard processing chain in order to enable hotkey settings


It looks like the malware is gone off your system and I am thinking that maybe the rest is not malware related. Let me see the results of the ActiveScan first.


Thanks,

:tazz:

Excal

#12
nick_mi

    Member

  • Topic Starter
  • Member
  • 272 posts
Incident Status Location

Adware:adware/pacimedia No disinfected C:\Documents and Settings\Nick\Favorites\1111\1111.url
Spyware:spyware/safesurf No disinfected C:\WINDOWS\SYSTEM32\InstallerV3.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\SYSTEM32\paydial.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\thun.dll
Adware:adware/mediatickets No disinfected C:\WINDOWS\SYSTEM32\winttr.exe
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/findspy No disinfected C:\Documents and Settings\Nick\Favorites\ FREE Access to 800 Paid sites.url
Adware:adware/weirdontheweb No disinfected C:\Documents and Settings\Nick\Favorites\WeirdOnTheWeb.url
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/wintools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:adware/ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Admilli Service
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/fizzle No disinfected C:\PROGRAM FILES\FwBarTemp
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware/spywareno No disinfected C:\PROGRAM FILES\SpywareNo
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Spyware:spyware/media-motor No disinfected Windows Registry
Adware:Adware/BigTrafficNet No disinfected C:\1.exe
Virus:Trj/Downloader.EGF Disinfected C:\asdf.exe
Virus:Trj/Downloader.EGF Disinfected C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\time.class-50c9903d-30964075.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv780.jar-431d9150-1297f752.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv780.jar-431d9150-1297f752.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv780.jar-431d9150-1297f752.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv780.jar-431d9150-1297f752.zip[Parser.class]
Adware:Adware/NavHelper No disinfected C:\Documents and Settings\Nick\Desktop\backups\backup-20050513-172157-532.dll
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Nick\Desktop\backups\backup-20050513-172157-558.dll
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Nick\Desktop\backups\backup-20050615-143833-351
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Nick\Desktop\backups\backup-20050615-143834-519.inf
Adware:Adware/EnhSrch No disinfected C:\Documents and Settings\Nick\Desktop\backups\backup-20051001-203322-307.dll
Virus:W95/CIH Disinfected C:\Documents and Settings\Nick\Desktop\New Folder\fatalrelations\fatalrelation\RELATION.VIR
Virus:W95/CIH Disinfected C:\Documents and Settings\Nick\Desktop\New Folder\fatalrelations.zip[RELATION.VIR]
Adware:Adware/EnhSrch No disinfected C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164301-435.dll
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164302-746.dll
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164302-754.dll
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037759.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037766.exe
Virus:Bck/HacDef.DT Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037776.sys
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037779.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037780.exe
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037783.exe
Virus:Trj/Stervis.D Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037784.exe
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037817.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037819.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037820.dll
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037848.exe
Virus:W32/Oscarbot.CG.worm Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038009.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038088.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038092.dll
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038113.dll
Adware:Adware/Aurora No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038117.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038120.exe
Virus:Bck/HacDef.DT Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038136.sys
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038145.dll
Virus:Trj/Downloader.EIK Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038147.exe
Virus:Trj/Downloader.EGF Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038230.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Popper No disinfected C:\WINDOWS\evtzjvq.exe
Virus:Trj/Dropper.ME Disinfected C:\WINDOWS\hwixpht.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\banner.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\efd30ok4.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\exdemui.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\ichckupd.exe
Virus:Bck/HacDef.DT Disinfected C:\WINDOWS\SYSTEM32\mxdefdrv.sys
Virus:Trj/Ppdoor.EK Disinfected C:\WINDOWS\SYSTEM32\nlsfrv32.dll
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\pshwr.exe
Virus:Bck/Combo.B Disinfected C:\WINDOWS\SYSTEM32\scombop.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Virus:Trj/Ppdoor.EL Disinfected C:\WINDOWS\SYSTEM32\sortover.dll
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe

#13
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
It almost feels like we are taking 2 steps back every time we take a step forward!

Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\Nick\Favorites\1111
C:\Documents and Settings\Nick\Favorites\ FREE Access to 800 Paid sites.url
C:\Documents and Settings\Nick\Favorites\WeirdOnTheWeb.url
C:\PROGRAM FILES\joystick networks
C:\PROGRAM FILES\SpywareNo
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\SYSTEM32\cache32_rtneg4
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
C:\PROGRAM FILES\Admilli Service
C:\PROGRAM FILES\CasStub
C:\Documents and Settings\Nick\Desktop\New Folder\fatalrelations
C:\Program Files\FwBarTemp


Please download the Killbox.

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM32\InstallerV3.exe
    C:\WINDOWS\SYSTEM32\paydial.exe
    C:\WINDOWS\SYSTEM32\paytime.exe
    C:\WINDOWS\SYSTEM32\thun.dll
    C:\WINDOWS\SYSTEM32\winttr.exe
    C:\WINDOWS\SYSTEM\QBUninstaller.exe
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
    C:\WINDOWS\INF\banner.inf
    C:\WINDOWS\hisistheurls.exe
    C:\WINDOWS\ms2.exe
    C:\WINDOWS\ucmoreiex.exe
    C:\WINDOWS\unstall.exe
    C:\1.exe
    C:\Documents and Settings\Nick\Desktop\New Folder\fatalrelations.zip
    C:\WINDOWS\Downloaded Program Files\ATPartners.inf
    C:\WINDOWS\evtzjvq.exe
    C:\WINDOWS\hwixpht.exe
    C:\WINDOWS\INF\banner.inf
    C:\WINDOWS\SYSTEM\QBUninstaller.exe
    :\WINDOWS\SYSTEM32\efd30ok4.exe
    C:\WINDOWS\SYSTEM32\exdemui.exe
    C:\WINDOWS\SYSTEM32\ichckupd.exe
    C:\WINDOWS\SYSTEM32\pshwr.exe
    C:\WINDOWS\SYSTEM32\Shex.exe



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
  • Let the system reboot.
After reboot, please post a fresh HijackThis log and a fresh ActiveScan log.

#14
nick_mi

What the... is this clipboard? Every time I copy that set of lines, and then go to file and hit paste for clipboard, it has a runtime error and self closes.

#15
nick_mi


Incident                      Status                        Location                                                                                                                                                                                                                                                       

Dialer:dialer.xc              No disinfected                C:\WINDOWS\SYSTEM32\paydial.exe                                                                                                                                                                                                                               
Adware:adware/cws.searchmeup  No disinfected                C:\WINDOWS\SYSTEM32\paytime.exe                                                                                                                                                                                                                               
Spyware:spyware/safesurf      No disinfected                C:\WINDOWS\SYSTEM32\pshwr.exe                                                                                                                                                                                                                                 
Adware:adware/adsmart        No disinfected                C:\WINDOWS\SYSTEM32\thun.dll                                                                                                                                                                                                                                   
Adware:adware/mediatickets    No disinfected                C:\WINDOWS\SYSTEM32\winttr.exe                                                                                                                                                                                                                                 
Adware:adware/afaenhance      No disinfected                C:\WINDOWS\SYSTEM\QBUninstaller.exe                                                                                                                                                                                                                           
Adware:adware/favoriteman    No disinfected                C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf                                                                                                                                                                                                             
Adware:adware/findspy        No disinfected                C:\Documents and Settings\Nick\Favorites\ Free Hidden Cams World - Realtime.url                                                                                                                                                                               
Spyware:spyware/betterinet    No disinfected                C:\WINDOWS\INF\banner.inf                                                                                                                                                                                                                                     
Adware:adware/wintools        No disinfected                C:\WINDOWS\hisistheurls.exe                                                                                                                                                                                                                                   
Adware:adware/spywad          No disinfected                C:\WINDOWS\ms2.exe                                                                                                                                                                                                                                             
Adware:adware/ucmore          No disinfected                C:\WINDOWS\ucmoreiex.exe                                                                                                                                                                                                                                       
Adware:adware/sahagent        No disinfected                C:\WINDOWS\unstall.exe                                                                                                                                                                                                                                         
Adware:adware/wupd            No disinfected                C:\PROGRAM FILES\Media Access                                                                                                                                                                                                                                 
Spyware:spyware/media-motor  No disinfected                Windows Registry                                                                                                                                                                                                                                               
Adware:Adware/BigTrafficNet  No disinfected                C:\1.exe                                                                                                                                                                                                                                                       
Adware:Adware/NavHelper      No disinfected                C:\Documents and Settings\Nick\Desktop\backups\backup-20050513-172157-532.dll                                                                                                                                                                                 
Adware:Adware/Apropos        No disinfected                C:\Documents and Settings\Nick\Desktop\backups\backup-20050513-172157-558.dll                                                                                                                                                                                 
Spyware:Spyware/BargainBuddy  No disinfected                C:\Documents and Settings\Nick\Desktop\backups\backup-20050615-143833-351                                                                                                                                                                                     
Spyware:Spyware/Media-motor  No disinfected                C:\Documents and Settings\Nick\Desktop\backups\backup-20050615-143834-519.inf                                                                                                                                                                                 
Adware:Adware/EnhSrch        No disinfected                C:\Documents and Settings\Nick\Desktop\backups\backup-20051001-203322-307.dll                                                                                                                                                                                 
Adware:Adware/EnhSrch        No disinfected                C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164301-435.dll                                                                                                                                                                         
Spyware:Spyware/SafeSurf      No disinfected                C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164302-746.dll                                                                                                                                                                         
Spyware:Spyware/SafeSurf      No disinfected                C:\Documents and Settings\Nick\Desktop\Set ups\backups\backup-20051001-164302-754.dll                                                                                                                                                                         
Adware:Adware/Thecoolbar      No disinfected                C:\RECYCLER\S-1-5-21-1314181311-2351726761-851918075-1006\Dc40\cohelper.exe                                                                                                                                                                                   
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037759.exe                                                                                                                                                                 
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037766.exe                                                                                                                                                                 
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037779.exe                                                                                                                                                                 
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037780.exe                                                                                                                                                                 
Spyware:Spyware/BetterInet    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037783.exe                                                                                                                                                                 
Adware:Adware/EnhSrch        No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037817.dll                                                                                                                                                                 
Spyware:Spyware/SafeSurf      No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037819.dll                                                                                                                                                                 
Spyware:Spyware/SafeSurf      No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037820.dll                                                                                                                                                                 
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0037848.exe                                                                                                                                                                 
Adware:Adware/ConsumerAlertSystem  No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038088.dll
Adware:Adware/ConsumerAlertSystem  No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038092.dll
Adware:Adware/Apropos        No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038113.dll                                                                                                                                                                 
Adware:Adware/Aurora          No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038117.exe                                                                                                                                                                 
Adware:Adware/Transponder    No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038120.exe                                                                                                                                                                 
Adware:Adware/EnhSrch        No disinfected                C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038145.dll                                                                                                                                                                 
Virus:Trj/Dropper.ME          Disinfected                  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038234.exe                                                                                                                                                                 
Virus:Bck/HacDef.DT          Disinfected                  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038235.sys                                                                                                                                                                 
Virus:Trj/Ppdoor.EK          Disinfected                  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038236.dll                                                                                                                                                                 
Virus:Bck/Combo.B            Disinfected                  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038237.exe                                                                                                                                                                 
Virus:Trj/Ppdoor.EL          Disinfected                  C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0038238.dll                                                                                                                                                                 
Adware:Adware/NetPals        No disinfected                C:\WINDOWS\Downloaded Program Files\ATPartners.inf                                                                                                                                                                                                             
Adware:Adware/Popper          No disinfected                C:\WINDOWS\evtzjvq.exe                                                                                                                                                                                                                                         
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\INF\banner.inf                                                                                                                                                                                                                                     
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\SYSTEM\QBUninstaller.exe                                                                                                                                                                                                                           
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\SYSTEM32\efd30ok4.exe                                                                                                                                                                                                                               
Adware:Adware/Apropos        No disinfected                C:\WINDOWS\SYSTEM32\exdemui.exe                                                                                                                                                                                                                               
Spyware:Spyware/SafeSurf      No disinfected                C:\WINDOWS\SYSTEM32\ichckupd.exe                                                                                                                                                                                                                               
Virus:Bck/HacDef.DT          Disinfected                  C:\WINDOWS\SYSTEM32\mxdefdrv.sys                                                                                                                                                                                                                               
Spyware:Spyware/SafeSurf      No disinfected                C:\WINDOWS\SYSTEM32\pshwr.exe                                                                                                                                                                                                                                 
Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\SYSTEM32\Shex.exe                                                                                                                                                                                                                                   
Adware:Adware/Ucmore          No disinfected                C:\WINDOWS\ucmoreiex.exe                                                                                                                                                                                                                                       
Spyware:Spyware/Media-motor  No disinfected                C:\WINDOWS\unstall.exe                                                                                                                                                                                                                                         




Logfile of HijackThis v1.99.1
Scan saved at 4:37:01 PM, on 10/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Nick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

