Can't start up in Safe Mode



#1
RDow (New Member, 8 posts)
Winfixer was installed on my computer a few days ago. I uninstalled it a couple of times but it keeps coming back. I found your website and have been following your startup instructions to download and run all the helper apps. I've also tried to follow the instructions that you've given other people about using vundo.

My problem is that I can't start up in Safe Mode. After booting, pressing f8, selecting safe mode I get just the safe mode black screen. What should I do?


#2
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome RDow to Geeks to Go!

I can only advise you based on a HijackThis log. Please post back to this topic with a HijackThis log.

#3
RDow (New Member, Topic Starter, 8 posts)
Thanks for responding.

Here is the HiJackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:11:25 AM, on 10/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ysyswu6d.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\pow.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\temp\hijackthis\HijackThis.exe

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddabb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysyswu6d.exe DO0605
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: pow.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysyswu6d.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: stamp.dat
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O15 - Trusted Zone: http://www.123games.dk
O15 - Trusted Zone: http://www.925jackfm.com
O15 - Trusted Zone: http://www.adultswim.com
O15 - Trusted Zone: http://*.checkreorderexpress.com
O15 - Trusted Zone: http://webmail.west.cox.net
O15 - Trusted Zone: http://www.cox.net
O15 - Trusted Zone: http://www.dressupgames.com
O15 - Trusted Zone: http://www.ebaumsworld.com
O15 - Trusted Zone: http://www.eharmony.com
O15 - Trusted Zone: http://www.fanfiction.net
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: www.benefits.ml.com
O15 - Trusted Zone: http://bulletin.myspace.com
O15 - Trusted Zone: http://corner.nationalreview.com
O15 - Trusted Zone: http://media.nationalreview.com
O15 - Trusted Zone: http://www.nationalreview.com
O15 - Trusted Zone: http://www.neopets.com
O15 - Trusted Zone: http://www.nuthinbutnet.net
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O20 - Winlogon Notify: ddabx - ddabx.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through.
I strongly suggest you either:
(1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or
(2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

***

HijackThis is being run from a temporary folder.
Please create a new folder for it and place the program into that new folder.

***

Remove ZenoSearch / Zeno Toolbar and PartyPoker:
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

.NET Framework Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

***

Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name):

.NET Connection Service

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

C:\WINDOWS\system32\ysyswu6d.exe
C:\WINDOWS\system32\cxdxregt.exe
C:\WINDOWS\svchost.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please print these instructions out for use in Safe Mode.
Please note: your AntiVirus program may alert you to a malicious program running. Allow the entire script to run.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    It should look like this:

    VundoFix V2.1 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    This list of forums is provided as an example of where to go to obtain help!!
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net
    http://castlecops.com/forums.html
    http://www.besttechie.net/forums
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\ddabb.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\bbadd.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddabb.dll

    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysyswu6d.exe DO0605

    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysyswu6d.exe

    O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe

    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll

    O20 - Winlogon Notify: ddabx - ddabx.dll (file missing)
  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
***

Use Windows Explorer to remove this folder:

C:\Program Files\PartyPoker.net\

***

Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

***

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
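Added example, not part of the original thread and not the helper's or HijackThis's own method: a small Python triage pass over HijackThis O-section lines, run on a subset of lines copied from the log in post #3. The flagging rules and reason labels are assumptions chosen for illustration; they mark lines for a closer look and are not verdicts.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the HijackThis log in post #3.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddabb.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysyswu6d.exe DO0605
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysyswu6d.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O20 - Winlogon Notify: ddabx - ddabx.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# First fully qualified .exe/.dll path on the line (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)


def parse(log_text):
    """Return (section, body, lowercased_path_or_None) for each O-section line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        p = PATH_RE.search(body)
        entries.append((section, body, p.group(0).lower() if p else None))
    return entries


def triage(log_text):
    """Return [(line, [reasons])] for lines matching any illustrative rule."""
    entries = parse(log_text)
    sections_by_path = defaultdict(set)  # path -> O-sections that reference it
    o4_locations = defaultdict(set)      # path -> autorun locations (Run key, Startup, ...)
    for section, body, path in entries:
        if path:
            sections_by_path[path].add(section)
            if section == "O4":
                o4_locations[path].add(body.split(":", 1)[0])

    findings = []
    for section, body, path in entries:
        reasons = []
        # HijackThis itself annotates entries whose target no longer exists.
        if body.endswith("(file missing)"):
            reasons.append("file-missing")
        # O23 lists the service binary's company name; "Unknown owner" means none.
        if section == "O23" and "Unknown owner" in body:
            reasons.append("unknown-owner-service")
        # The genuine svchost.exe lives in the System32 directory.
        if (path and ntpath.basename(path) == "svchost.exe"
                and ntpath.dirname(path) != r"c:\windows\system32"):
            reasons.append("svchost-outside-system32")
        # Same DLL registered as both a BHO (O2) and a Winlogon Notify (O20).
        if path and {"O2", "O20"} <= sections_by_path[path]:
            reasons.append("bho-and-winlogon-notify")
        # Same binary started from more than one kind of autorun location.
        if section == "O4" and path and len(o4_locations[path]) > 1:
            reasons.append("multiple-autorun-locations")
        if reasons:
            findings.append((f"{section} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons))
        print("   ", line)
```

The Zstart.lnk entry for cxdxregt.exe, which the helper also asks to have fixed, matches none of these rules, so a pass like this narrows a log down but does not replace review by someone who knows the malware family.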

#5
RDow (New Member, Topic Starter, 8 posts)
I've gotten to the part of your instructions where I'm directed to print the instructions and then boot up in Safe Mode. When I try to get into Safe Mode the desktop won't load up. All I can see is the black screen with Safe Mode written at the corners. I've tried using the task manager to load the desktop. I see the explorer process start up in the task manager processes window but then it terminates.

#6
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Then try running it in normal mode. We'll check later to see how it goes.

#7
RDow (New Member, Topic Starter, 8 posts)
Here are the logs that you requested.

Logfile of HijackThis v1.99.1
Scan saved at 4:03:02 PM, on 10/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\pow.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\ddabb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_209623] C:\WINDOWS\System32\ActiveScan\pavdr.exe 209623
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: pow.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: stamp.dat
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.123games.dk
O15 - Trusted Zone: http://www.925jackfm.com
O15 - Trusted Zone: http://www.adultswim.com
O15 - Trusted Zone: http://*.checkreorderexpress.com
O15 - Trusted Zone: http://webmail.west.cox.net
O15 - Trusted Zone: http://www.cox.net
O15 - Trusted Zone: http://www.dressupgames.com
O15 - Trusted Zone: http://www.ebaumsworld.com
O15 - Trusted Zone: http://www.eharmony.com
O15 - Trusted Zone: http://www.fanfiction.net
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: www.benefits.ml.com
O15 - Trusted Zone: http://bulletin.myspace.com
O15 - Trusted Zone: http://corner.nationalreview.com
O15 - Trusted Zone: http://media.nationalreview.com
O15 - Trusted Zone: http://www.nationalreview.com
O15 - Trusted Zone: http://www.neopets.com
O15 - Trusted Zone: http://www.nuthinbutnet.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...es/WFXScanR.cab
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

*********************************************************************
*********************************************************************
**********************************************************************


Incident Status Location

Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator.SAXAMAPHONE.001\Application Data\fatvtrgth.lib
Adware:adware/imgiant No disinfected C:\Documents and Settings\All Users\Desktop\IMGiant Instant Messenger.url
Adware:Adware/Lop No disinfected C:\Documents and Settings\Default User\Application Data\fatvtrgth.lib
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-22321fe3-5b0877ef.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-22321fe3-5b0877ef.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-22321fe3-5b0877ef.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-22321fe3-5b0877ef.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-22321fe3-5b0877ef.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5adc93bd-4e4595c5.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5adc93bd-4e4595c5.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5adc93bd-4e4595c5.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5adc93bd-4e4595c5.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c48cfe4-621e7131.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c48cfe4-621e7131.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c48cfe4-621e7131.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c48cfe4-621e7131.zip[Beyond.class]
Virus:Trj/Shinwow.D Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6c48cfe4-621e7131.zip[binny.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-2baac1b7.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-2baac1b7.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-2baac1b7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-2baac1b7.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-21d871b-78a90633.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-21d871b-78a90633.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-21d871b-78a90633.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-21d871b-78a90633.zip[Beyond.class]
Adware:adware/tvmedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Adware:adware/cws No disinfected C:\Documents and Settings\Owner\Favorites\! Smart Security.url
Adware:Adware/ISearch No disinfected C:\install.cab
Adware:Adware/ISearch No disinfected C:\install.cab[initial.inf]
Virus:Exploit/CodeBase.A Disinfected C:\install.htm
Adware:adware/delfinmedia No disinfected C:\keys.ini
Virus:Trj/Downloader.JH Disinfected C:\Program Files\HiJackThis\backups\backup-20050309-181312-524.inf
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\HiJackThis\backups\backup-20050309-181315-967.inf
Adware:Adware/ISearch No disinfected C:\Program Files\HiJackThis\backups\backup-20050309-181316-722.inf
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\HiJackThis\backups\backup-20050309-181320-214.inf
Virus:Trj/Downloader.MO Disinfected C:\Program Files\HiJackThis\backups\backup-20050309-181325-694.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050315-190743-316.inf
Spyware:Spyware/Petro-Line No disinfected C:\Program Files\HiJackThis\backups\backup-20050319-090342-506.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050319-090343-498.inf
Spyware:Spyware/Petro-Line No disinfected C:\Program Files\HiJackThis\backups\backup-20050320-203029-199.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050418-194013-275.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050427-075930-202.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050522-074635-803.inf
Adware:Adware/NetPals No disinfected C:\Program Files\HiJackThis\backups\backup-20050615-212640-663.inf
Spyware:Spyware/Media-motor No disinfected C:\Program Files\HiJackThis\backups\backup-20050615-212640-964.inf
Adware:Adware/MyBHOSpy No disinfected C:\Program Files\HiJackThis\backups\backup-20050626-222806-787.dll
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\HiJackThis\backups\backup-20051015-174110-818.dll
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\HiJackThis\backups\backup-20051016-143621-851.dll
Adware:adware/ilookup No disinfected C:\Program Files\Internet Explorer\Iesearch.exe
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/ShopNav No disinfected C:\Program Files\PestPatrol\Quarantine\20041113091233218.zip[srng.exe]
Adware:Adware/eZula No disinfected C:\Program Files\PestPatrol\Quarantine\20041113091233218.zip[ezstub.exe]
Spyware:Spyware/ShopNav No disinfected C:\Program Files\PestPatrol\Quarantine\20041221211318046.zip[srng.exe]
Spyware:Spyware/ShopNav No disinfected C:\Program Files\PestPatrol\Quarantine\20050221204137484.zip[srng.exe]
Spyware:Spyware/ShopNav No disinfected C:\Program Files\PestPatrol\Quarantine\20050305085106640.zip[srng.exe]
Spyware:Spyware/ShopNav No disinfected C:\Program Files\PestPatrol\Quarantine\20051003173711312.zip[srng.exe]
Adware:Adware/WebHancer No disinfected C:\Program Files\whInstall\whAgent.inf
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-3335985676-3018353177-414340288-1003\Dc18\data2.dat
Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini
Adware:adware/exact.bargainbuddy No disinfected C:\WINDOWS\bargain.exe
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:adware/isearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:adware/savenow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Adware:adware/gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi6.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi9.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biO.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\ceres.inf
Virus:Trj/Keyhost.A Disinfected C:\WINDOWS\inf\host.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polmx2.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\ms1.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
Adware:adware/navipromo No disinfected C:\WINDOWS\sdkkv32.exe
Adware:adware/igetnet No disinfected C:\WINDOWS\system\rules.dat
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\BO2802040113.exe
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\ClrSchP012.dll
Possible Virus. No disinfected C:\WINDOWS\system32\cmd32.exe
Adware:Adware/Lop No disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\fatvtrgth.lib
Adware:Adware/IPInsight No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Belt.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi6.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi9.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\biini.cab
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\biini.cab[biini.inf]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\biini.inf
Virus:Trj/Keyhost.A Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\host.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ICD2.tmp\turbo.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\temp.cab[toolbar.dll]
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\TopTextiLookup.htm
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddabb.dll
Adware:adware/keenvalue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezStub3.dll
Spyware:spyware/whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\msbb321.dll
Spyware:spyware/petro-line No disinfected C:\WINDOWS\system32\msfl32.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\msg116.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\msg120.cpy.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\msg120.dll
Possible Virus. No disinfected C:\WINDOWS\system32\msmfdl.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msmkmi.dll
Adware:adware/getup No disinfected C:\WINDOWS\system32\MyExplore.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\nC5594Om3.dll
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\O
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\O.BAT
Adware:adware/pacimedia No disinfected C:\WINDOWS\system32\pacis.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\system32\paydial.exe
Spyware:Spyware/RXToolbar No disinfected C:\WINDOWS\system32\RXBarsetupV2.dll
Spyware:Spyware/RXToolbar No disinfected C:\WINDOWS\system32\RXToolbar.exe
Adware:Adware/404Search No disinfected C:\WINDOWS\system32\s404Search.dll
Adware:adware/sahagent No disinfected C:\WINDOWS\system32\sahagent1004.exe
Adware:adware/ncase No disinfected C:\WINDOWS\system32\saie.log
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\setup_incred_9.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll
Adware:Adware/BHO No disinfected C:\WINDOWS\system32\ss_ABC3_setup.exe
Dialer:dialer.bb No disinfected C:\WINDOWS\system32\tibs.exe
Adware:Adware/ILookup No disinfected C:\WINDOWS\system32\windec32.to_be_deleted
Adware:Adware/Alexa-Toolbar No disinfected C:\WINDOWS\system32\WinExplore.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Xcite.exe
Adware:Adware/Getup No disinfected C:\WINDOWS\system32\xm2s.dll
Adware:adware/twain-tech No disinfected C:\WINDOWS\twaintec.ini
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini
Adware:adware/startpage.ccm No disinfected C:\WINDOWS\win32.bmp
************************************************************************
************************************************************************
************************************************************************


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 440 'smss.exe'
Threads [444][456][460]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1216 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Could not delete file.
Files Deleted sucessfully.
  • 0

#8
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
:tazz: wow

Let's put in some more firepower.

***

Move to Start > Settings > Control Panel
Set the view to 'classic'
Open Java Console
Clear the cache or remove the temporary files (depending on the version you use)
Close Java Console
Reset the view to 'category'
Close all windows.

***

Empty the quarantine box for Pestpatrol from within the program.

***

Update and run AdAware SE 1.06 and Spybot S&D 1.4 and have them remove what they can find.

***

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Reboot back to normal mode.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "BackUps"
  • Place a check next to the items you want to remove
  • Click the delete button
  • Click "Yes"
***
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from notepad into your post
***

Rerun Panda to see what's left.

Post me:
the Ewido log
the HijackThis uninstall list
the new Panda report.

Edited by g2i2r4, 17 October 2005 - 01:29 PM.

  • 0

#9
RDow

    New Member

  • Topic Starter
  • Member
  • 8 posts
I'm not sure that I'll be able to get to this today. I'll try to get this done before Wednesday.
  • 0

#10
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Take your time, I'll be around somewhere.
  • 0



#11
RDow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I was finally able to get into Safe Mode.

Here are the three files that you asked for.


  • 0

#12
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Okay, that's a whole bunch of trouble in there. :tazz:

Redo the deldomain part.

Then, move on with the next step.

Update and run AdAware SE 1.06 and Spybot S&D 1.4. Remove what they can find.

***

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, close SpySweeper.

Reboot to safe mode.
Open SpySweeper again.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0
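
Added example, not part of the thread and not code from HijackThis or DelDomains: a way to check whether the Trusted Zone reset described above took effect, by comparing the `O15` lines of a HijackThis log saved before the reset with one saved after it. The function names and both sample logs are constructed for illustration, and the `Trusted IP range` label is assumed from HijackThis output rather than taken from this page.

```python
import re
from dataclasses import dataclass

# Matches HijackThis O15 lines such as "O15 - Trusted Zone: http://www.example.com".
# The "Trusted IP range" label is an assumption about HijackThis output; it does
# not appear in this thread.
O15_RE = re.compile(r"^O15 - (Trusted Zone|Trusted IP range):\s*(\S+)$", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class ZoneEntry:
    kind: str    # "zone" for a domain entry, "range" for an IP range entry
    scheme: str  # "http", "https", ... or "*" when the entry carries no scheme
    host: str    # lower-cased host, wildcard prefix kept (e.g. "*.example.net")


def parse_o15(log_text):
    """Return the set of Trusted Zone / range entries found in one log."""
    entries = set()
    for raw in log_text.splitlines():
        m = O15_RE.match(raw.strip())
        if not m:
            continue  # every other HijackThis section (O4, O16, O23, ...) is ignored
        kind = "zone" if m.group(1).lower() == "trusted zone" else "range"
        value = m.group(2)
        scheme, sep, rest = value.partition("://")
        if not sep:  # entries such as "*.example.net" have no scheme part
            scheme, rest = "*", value
        host = rest.split("/", 1)[0].lower()
        entries.add(ZoneEntry(kind, scheme.lower(), host))
    return entries


def compare(before_log, after_log):
    """Classify entries as removed, persisting, or new between two logs."""
    before, after = parse_o15(before_log), parse_o15(after_log)
    return {
        "removed": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


def report(before_log, after_log):
    """One text line per entry, grouped by status."""
    lines = []
    diff = compare(before_log, after_log)
    for label in ("removed", "persisting", "new"):
        for e in diff[label]:
            target = e.host if e.scheme == "*" else f"{e.scheme}://{e.host}"
            lines.append(f"{label:<10} {e.kind:<5} {target}")
    return lines


# Constructed sample logs (reserved example domains and addresses only).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Example] C:\example\example.exe
O15 - Trusted Zone: http://www.example.com
O15 - Trusted Zone: *.ads.example.net
O15 - Trusted Zone: http://mail.example.org
O15 - Trusted IP range: 192.0.2.10
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Example] C:\example\example.exe
O15 - Trusted Zone: *.ads.example.net
O15 - Trusted Zone: *.tracker.example.net
"""

if __name__ == "__main__":
    for line in report(BEFORE_LOG, AFTER_LOG):
        print(line)
```

Entries listed as persisting or new after the reset mean the .inf was not applied or something on the machine is writing the entries back, which is worth knowing before moving on to the next scan.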

#13
RDow

    New Member

  • Topic Starter
  • Member
  • 8 posts
Here is the SpySweeper log file

7:53 PM: c:\windows\system32\config\systemprofile\local settings\temp\~apropos0 (1 subtraces) (ID = -2147481414)
7:53 PM: c:\program files\common files\wintools (1 subtraces) (ID = -2147480046)
7:53 PM: c:\documents and settings\all users\application data\wsxs (15 subtraces) (ID = -2147481131)
7:53 PM: Found Adware: winmovie dialer
7:53 PM: c:\windows\downloaded program files\conflict.1 (7 subtraces) (ID = -2147476814)
7:53 PM: Found Adware: 180search assistant/zango
7:53 PM: c:\windows\system32\fleok (ID = -2147480556)
7:53 PM: Found Adware: surebar
7:53 PM: c:\windows\system32\surepics (124 subtraces) (ID = -2147480189)
7:53 PM: Found Adware: directrevenue-abetterinternet
7:53 PM: c:\windows\inst (ID = -2147480086)
7:53 PM: Found Adware: cws iesearch
7:53 PM: securityclassloader.class-22dce32-20622137.class (ID = 55971)
7:53 PM: Found Adware: superbar
7:53 PM: superbarinstall.exe (ID = 77507)
7:53 PM: securityclassloader.class-6160a682-1408438f.class (ID = 55971)
7:53 PM: key2.txt (ID = 51468)
7:53 PM: Found Adware: zenosearchassistant
7:53 PM: ysyswu6d.exe (ID = 164110)
7:54 PM: grinstall6.dll (ID = 75775)
7:54 PM: iesearch.exe (ID = 55971)
7:54 PM: Found Adware: gain-supported software
7:54 PM: hdplugin1015.inf (ID = 61471)
7:54 PM: Found Adware: ilookup
7:54 PM: windec32.to_be_deleted (ID = 63566)
7:54 PM: unstall.exe (ID = 74180)
7:54 PM: saap.log (ID = 70593)
7:55 PM: Found Adware: statblaster
7:55 PM: host.ini (ID = 77091)
7:56 PM: securityclassloader.class-66d53de6-15b0053f.class (ID = 55971)
7:56 PM: biini.cab (ID = 83198)
7:56 PM: Found Adware: ebates money maker
7:56 PM: gd165.tmp (ID = 59615)
7:57 PM: bw.exe (ID = 83237)
7:57 PM: wff.sys (ID = 150595)
7:57 PM: delprot.ini (ID = 64354)
7:57 PM: delfinad.ebd (ID = 57676)
7:57 PM: delfinlo.ebd (ID = 57688)
7:57 PM: delfintg.ebd (ID = 57693)
7:57 PM: delfinst.ebd (ID = 57692)
7:57 PM: bio.inf (ID = 83206)
7:57 PM: whinstaller.ini (ID = 83848)
7:57 PM: readme.txt (ID = 83804)
7:58 PM: Found Adware: coolwebsearch (cws)
7:58 PM: bl.dat (ID = 53986)
7:58 PM: license.txt (ID = 83802)
7:58 PM: whagent.inf (ID = 83822)
7:58 PM: b.html (ID = 77520)
7:58 PM: Found Adware: tvmedia
7:58 PM: tvmknwrd.dll (ID = 81726)
7:58 PM: grinstall6.dll (ID = 75775)
7:58 PM: nc5594om3.dll (ID = 113393)
7:58 PM: Found Adware: lopdotcom
7:58 PM: fatvtrgth.lib (ID = 66989)
7:59 PM: hdplugin1019.inf (ID = 61473)
7:59 PM: hdplugin1019.inf (ID = 61473)
7:59 PM: securityclassloader.class-66d53de6-15b0053f.class (ID = 55971)
7:59 PM: hdplugin1019.inf (ID = 61473)
7:59 PM: Found Adware: spyblast
7:59 PM: sbfull.ocx (ID = 76556)
7:59 PM: securityclassloader.class-23d54215-4f612511.class (ID = 55971)
8:00 PM: Found Adware: twain-tech
8:00 PM: bi.ini (ID = 81893)
8:01 PM: host.ini (ID = 77091)
8:01 PM: Found Adware: ezula ilookup
8:01 PM: ezstub3.dll (ID = 60533)
8:02 PM: bi9.inf (ID = 83186)
8:02 PM: hdplugin1015.inf (ID = 61471)
8:02 PM: securityclassloader.class-66d53de6-15b0053f.class (ID = 55971)
8:02 PM: ncase.ini (ID = 70576)
8:02 PM: securityclassloader.class-66d53de6-15b0053f.class (ID = 55971)
8:03 PM: bi9.inf (ID = 83186)
8:03 PM: Found Adware: purityscan
8:03 PM: mediaticketsinstaller.inf (ID = 73158)
8:03 PM: Found Adware: powerstrip
8:03 PM: psi.ocx (ID = 114494)
8:03 PM: Found Adware: targetsoft
8:03 PM: inetadpt.to_be_deleted (ID = 78290)
8:04 PM: Found Adware: searchant
8:04 PM: sasync.dll (ID = 74854)
8:04 PM: toptextilookup.htm (ID = 60652)
8:04 PM: delfinbd.edx (ID = 57680)
8:04 PM: credit counseling.url (ID = 130668)
8:04 PM: insurance home.url (ID = 130676)
8:04 PM: mortgage life insurance.url (ID = 130681)
8:04 PM: help desk software.url (ID = 130675)
8:04 PM: ab scissor.url (ID = 130666)
8:04 PM: videos.url (ID = 130694)
8:04 PM: what is hydrocodone.url (ID = 130695)
8:04 PM: online gambling casino.url (ID = 130684)
8:04 PM: refinancing my mortgage.url (ID = 130691)
8:04 PM: debt credit card.url (ID = 130671)
8:04 PM: fha.url (ID = 130673)
8:04 PM: loan for debt consolidation.url (ID = 130677)
8:04 PM: health insurance.url (ID = 130674)
8:04 PM: personal loans online.url (ID = 130688)
8:04 PM: payroll advance.url (ID = 130687)
8:04 PM: marketing email.url (ID = 130679)
8:04 PM: prescription drugs rx online.url (ID = 130690)
8:04 PM: credit report.url (ID = 130669)
8:04 PM: tahoe vacation rental.url (ID = 130692)
8:04 PM: escorts.url (ID = 130672)
8:04 PM: order phentermine.url (ID = 130686)
8:04 PM: mortgage insurance.url (ID = 130680)
8:04 PM: personal loans with bad credit.url (ID = 130689)
8:04 PM: crm software.url (ID = 130670)
8:04 PM: nevada corporations.url (ID = 130682)
8:04 PM: unsecured bad credit loans.url (ID = 130693)
8:04 PM: loan for people with bad credit.url (ID = 130678)
8:04 PM: broadband comparison.url (ID = 130667)
8:04 PM: online betting site.url (ID = 130683)
8:04 PM: online instant loan.url (ID = 130685)
8:04 PM: delfined.edx (ID = 57680)
8:04 PM: delfinid.edx (ID = 57691)
8:04 PM: delfindl.edx (ID = 57680)
8:04 PM: delfinaf.edx (ID = 57679)
8:04 PM: delfinco.edx (ID = 57680)
8:04 PM: delfinld.edx (ID = 57680)
8:04 PM: delfinky.edx (ID = 57685)
8:04 PM: delfinsi.edx (ID = 57691)
8:04 PM: Found Adware: netpal
8:04 PM: gamehouse games.url (ID = 70891)
8:04 PM: flyordie games.url (ID = 70890)
8:04 PM: deskbar.ini (ID = 64321)
8:04 PM: flyordie games.url (ID = 70890)
8:04 PM: Found Adware: ignkeys
8:04 PM: rules.dat (ID = 63478)
8:04 PM: big fish games.url (ID = 70885)
8:04 PM: Found Adware: whenu
8:04 PM: wuinst.inf (ID = 74480)
8:04 PM: windec32.inf (ID = 63568)
8:04 PM: Found Adware: addestroyer
8:04 PM: inneradinstall.log (ID = 49035)
8:04 PM: tvmuknwrd.dll (ID = 81759)
8:04 PM: bsx32.ini (ID = 51653)
8:04 PM: whagent.ini (ID = 83826)
8:04 PM: Found Adware: desktop hijacker
8:04 PM: ! smart security.url (ID = 57876)
8:04 PM: wuinst.inf (ID = 74480)
8:04 PM: gamehouse games.url (ID = 70891)
8:04 PM: big fish games.url (ID = 70885)
8:04 PM: flyordie games.url (ID = 70890)
8:04 PM: Found Adware: keenvalue/perfectnav
8:04 PM: data2.dat (ID = 64871)
8:04 PM: wuinst.inf (ID = 74480)
8:04 PM: belt.inf (ID = 83154)
8:04 PM: biini.inf (ID = 83199)
8:04 PM: bundle.inf (ID = 61287)
8:04 PM: biini.inf (ID = 83199)
8:04 PM: belt.ini (ID = 83156)
8:04 PM: belt.inf (ID = 83154)
8:04 PM: gamehouse games.url (ID = 70891)
8:04 PM: big fish games.url (ID = 70885)
8:04 PM: polmx2.inf (ID = 83430)
8:04 PM: twtini.inf (ID = 81897)
8:04 PM: alchem.inf (ID = 83109)
8:04 PM: polmx.inf (ID = 81856)
8:04 PM: gamehouse games.url (ID = 70891)
8:04 PM: flyordie games.url (ID = 70890)
8:04 PM: big fish games.url (ID = 70885)
8:04 PM: ceres.inf (ID = 83250)
8:06 PM: File Sweep Complete, Elapsed Time: 00:15:08
8:06 PM: Full Sweep has completed. Elapsed time 00:16:52
8:06 PM: Traces Found: 450
8:09 PM: Removal process initiated
8:09 PM: Quarantining All Traces: lopdotcom
8:09 PM: Quarantining All Traces: cws-aboutblank
8:09 PM: Quarantining All Traces: directrevenue-abetterinternet
8:09 PM: Quarantining All Traces: elitebar
8:09 PM: Quarantining All Traces: websearch toolbar
8:09 PM: Quarantining All Traces: cws_analyzeie
8:09 PM: Quarantining All Traces: cws_cassandra
8:09 PM: Quarantining All Traces: purityscan
8:09 PM: Quarantining All Traces: topconverting downloader
8:09 PM: Quarantining All Traces: trojan-backdoor-soundcheck
8:09 PM: Quarantining All Traces: trojan-downloader-pacisoft
8:09 PM: Quarantining All Traces: 180search assistant/zango
8:09 PM: Quarantining All Traces: addestroyer
8:09 PM: Quarantining All Traces: apropos
8:09 PM: Quarantining All Traces: blazefind
8:09 PM: Quarantining All Traces: bookedspace
8:09 PM: Quarantining All Traces: coolwebsearch (cws)
8:09 PM: Quarantining All Traces: cws iesearch
8:09 PM: Quarantining All Traces: delfin
8:09 PM: Quarantining All Traces: desktop hijacker
8:09 PM: Quarantining All Traces: ebates money maker
8:09 PM: Quarantining All Traces: ezula ilookup
8:09 PM: Quarantining All Traces: gain-supported software
8:09 PM: Quarantining All Traces: ignkeys
8:09 PM: Quarantining All Traces: ilookup
8:09 PM: Quarantining All Traces: isearch desktop search
8:09 PM: Quarantining All Traces: isearch toolbar
8:09 PM: Quarantining All Traces: ist istbar
8:09 PM: Quarantining All Traces: ist yoursitebar
8:09 PM: Quarantining All Traces: keenvalue/perfectnav
8:09 PM: Quarantining All Traces: linkmaker
8:09 PM: Quarantining All Traces: media-motor
8:09 PM: Quarantining All Traces: netpal
8:09 PM: Quarantining All Traces: powerstrip
8:09 PM: Quarantining All Traces: searchant
8:09 PM: Quarantining All Traces: shopathomeselect
8:09 PM: Quarantining All Traces: smart-browser
8:09 PM: Quarantining All Traces: spyblast
8:09 PM: Quarantining All Traces: statblaster
8:09 PM: Quarantining All Traces: superbar
8:10 PM: Quarantining All Traces: surebar
8:10 PM: Quarantining All Traces: targetsoft
8:10 PM: Quarantining All Traces: tibs dialer
8:10 PM: Quarantining All Traces: tvmedia
8:10 PM: Quarantining All Traces: twain-tech
8:10 PM: Quarantining All Traces: webhancer
8:10 PM: Quarantining All Traces: whenu
8:10 PM: Quarantining All Traces: winantispyware 2005
8:10 PM: Quarantining All Traces: winmovie dialer
8:10 PM: Quarantining All Traces: zenosearchassistant
8:10 PM: Quarantining All Traces: adrevolver cookie
8:10 PM: Quarantining All Traces: banner cookie
8:10 PM: Quarantining All Traces: incredifind cookie
8:10 PM: Quarantining All Traces: offeroptimizer cookie
8:10 PM: Removal process completed. Elapsed time 00:01:18
********
7:45 PM: | Start of Session, Thursday, October 20, 2005 |
7:45 PM: Spy Sweeper started
7:45 PM: Messenger service has been disabled.
7:46 PM: Your spyware definitions have been updated.

#14
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#15
RDow

    New Member

  • Topic Starter
  • Member
  • 8 posts
Here is the latest.

Logfile of HijackThis v1.99.1
Scan saved at 6:39:20 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\pow.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: pow.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: stamp.dat
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://corner.nationalreview.com
O15 - Trusted Zone: http://www.nationalreview.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



*******************************************************************************************
*****************************************************************************************

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!