
Winfixer has Got me Good [CLOSED]


  • This topic is locked

#1
Kirshna

    New Member

  • Member
  • 7 posts
Like many others I can't get Winfixer to go away.
I've done as your sticky says in regards to preparation.
1) Turned on all items that I turned off in Msconfig startup
1) Cleaned Temporary files
2) Scanned with Ad-Aware SE
3) Ran CwShredder
4) Ran Spybot S&D
5) Ran "Auto Clean" via Trend Micro HouseCall
6) Updated windows service package
7) Posting HijackThis Here>
Please Help Me
Thank you Stacy

Logfile of HijackThis v1.99.1
Scan saved at 10:24:08 AM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kbdus.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awvvs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\451~1.0\SBInst.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: awvvs - C:\WINDOWS\System32\awvvs.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

:tazz:
  • 0


#2
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\awvvs.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\svvwa.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awvvs.dll
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\System32\awvvs.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
Kirshna

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello Skate_Punk_21
Thanks for responding
I accessed VundoFix.bat from Safe Mode with Command Prompt, because my desktop wouldn't load in Safe Mode. Anyway I did as you instructed: 1) Ran VundoFix.bat 2) Ran and Fixed HiJackThis 3) Rebooted 4) Ran CleanUp 5) Ran ActiveScan
When I went to the ActiveScan site I got this pop-up> Windows Security Updated Mircosoft Internet Explorer (http:\\winantispyware.com) I don't know if this and Winfixer are related or not. Anyway I closed that window and ran ActiveScan.
Also when I got online to post back to you Winfixer popped up again.


REPORTS HiJackThis and ActiveScan

Logfile of HijackThis v1.99.1
Scan saved at 10:17:50 AM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kbdus.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awvvs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\451~1.0\SBInst.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\RunOnce: [Panda_cleaner_196695] C:\WINDOWS\System32\ActiveScan\pavdr.exe 196695
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...613/mcfscan.cab
O20 - Winlogon Notify: awvvs - C:\WINDOWS\System32\awvvs.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

ACTIVESCAN


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\awvvs.dll
Adware:adware/superspider No disinfected C:\PROGRAM FILES\q330994.exe
Adware:adware/shoppingcommunity No disinfected C:\WINDOWS\SYSTEM32\moconfig.exe
Adware:adware/tvmedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/msxmidi No disinfected C:\WINDOWS\msxmidi.exe
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Spyware:spyware/virtumonde No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051007-094042-962.dll
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051025-094156-858.dll
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051030-083645-411.dll
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShop.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShoprun.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\a.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\u.class
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\awvvs.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\THI1381.tmp\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\THI5B73.tmp\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\THI60A4.tmp\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\THIA58.tmp\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\THIE56.tmp\twaintec.inf
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\delfin.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dgraw.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dn4201hoe.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\docore.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dosync.dll
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\duime.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\gp00l3dm1.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\h8l20i3oe8.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\j02q0af5ed2.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\k6pmlg7116.dll
Virus:Trj/Agent.AFM Disinfected C:\WINDOWS\system32\kbdus.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ktlql7351.dll
Adware:Adware/ShoppingCommunity No disinfected C:\WINDOWS\system32\moconfig.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\npwddi.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\OfmInfo.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\paflbmsg.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pop317.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\PTDrJNI_1_1.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\q8rq0i95e8.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\s288lclu1fq8.dll
Adware:Adware/WurldMedia No disinfected C:\WINDOWS\system32\tnujym.dll
  • 0
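
Added example, not part of the thread and not code from HijackThis or ActiveScan: one way to line up the two reports in the post above, so that each HijackThis autostart entry is listed with the ActiveScan detection for the same file, and files hooked in more than one place (the O2 plus O20 pair the helper asked to fix) stand out. The sample lines are copied from the logs in this thread; the function names and parsing rules are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awvvs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - Global Startup: winlogin.exe
O20 - Winlogon Notify: awvvs - C:\WINDOWS\System32\awvvs.dll
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Subset of lines copied from the ActiveScan report posted in this thread.
ACTIVESCAN = r"""
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\awvvs.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShoprun.exe
Virus:Trj/Agent.AFM Disinfected C:\WINDOWS\system32\kbdus.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\duime.dll
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - (.+)$")
RUN_VALUE = re.compile(r"\[(.+?)\] (.+)$")
# Quoted command, or an unquoted path up to the first executable extension.
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|ocx|bat))', re.I)
SCAN_LINE = re.compile(r"^\w+:(\S+)\s+(No disinfected|Disinfected)\s+(.+)$")


def norm(path):
    """Windows paths are case-insensitive and the two tools print different case."""
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Return autostart entries (O2, O4 Run values, O20, O23) with their target file."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            run = RUN_VALUE.search(rest)
            if not run:
                continue  # startup-folder items have no [value name]
            label, command = run.groups()
            exe = EXE_PATH.match(command)
            target = (exe.group(1) or exe.group(2)) if exe else command
        elif section in ("O2", "O20", "O23"):
            head, _, target = rest.rpartition(" - ")
            if ": " not in head:
                continue
            label = head.split(": ", 1)[1].split(" - ")[0]
        else:
            continue
        entries.append({"section": section, "label": label, "path": norm(target)})
    return entries


def parse_activescan(text):
    """Map normalized location -> list of (threat, status)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            threat, status, location = m.groups()
            hits[norm(location)].append((threat, status))
    return hits


def correlate(entries, hits):
    """Autostart entries whose target file the scanner also reported."""
    return [(e["section"], e["label"], threat, status)
            for e in entries
            for threat, status in hits.get(e["path"], [])]


def multi_hook(entries):
    """Files loaded through more than one kind of autostart hook."""
    sections = defaultdict(set)
    for e in entries:
        sections[e["path"]].add(e["section"])
    return {p: sorted(s) for p, s in sections.items() if len(s) > 1}


if __name__ == "__main__":
    parsed = parse_hjt(HJT_LOG)
    for row in correlate(parsed, parse_activescan(ACTIVESCAN)):
        print(*row, sep=" | ")
    print(multi_hook(parsed))
```

Matching is by exact path after lower-casing, so entries logged with 8.3 short names (for example `C:\PROGRA~1\...`) will not match a long-name path and need to be checked by hand.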

#4
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
You have numerous infections so let's see what crap we can get rid of...

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB Download)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

Edited by skate_punk_21, 31 October 2005 - 06:01 AM.

  • 0

#5
Kirshna

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello Skate_Punk_21
I'm back with my reports.

Sincerely, Kirshna
********
3:25 PM: | Start of Session, Monday, October 31, 2005 |
3:25 PM: Spy Sweeper started
3:25 PM: Sweep initiated using definitions version 564
3:25 PM: Starting Memory Sweep
3:25 PM: Found Adware: virtumonde
3:25 PM: Detected running threat: C:\WINDOWS\system32\awvvs.dll (ID = 77)
3:27 PM: Memory Sweep Complete, Elapsed Time: 00:01:40
3:27 PM: Starting Registry Sweep
3:27 PM: Found Adware: aksoft
3:27 PM: HKLM\software\aksoft\.support\ (10 subtraces) (ID = 103365)
3:27 PM: HKLM\software\aksoft\.target\ (80 subtraces) (ID = 103366)
3:27 PM: Found Adware: delfin
3:27 PM: HKLM\software\nsvcin\ (2 subtraces) (ID = 124886)
3:27 PM: Found Adware: hotbar
3:27 PM: HKCR\clsid\{d9882035-7745-47c7-8d5e-c11178f9c553}\ (11 subtraces) (ID = 127270)
3:27 PM: HKLM\software\classes\clsid\{d9882035-7745-47c7-8d5e-c11178f9c553}\ (11 subtraces) (ID = 127434)
3:27 PM: HKLM\software\classes\spamblockerconfig.application\ (3 subtraces) (ID = 127536)
3:27 PM: HKLM\software\microsoft\windows\currentversion\run\ || spam blocker for outlook express (ID = 127615)
3:27 PM: HKLM\software\spam blocker\ (28 subtraces) (ID = 127633)
3:27 PM: HKCR\spamblockerconfig.application\ (3 subtraces) (ID = 127634)
3:27 PM: Found Adware: isearch desktop search
3:27 PM: HKCR\mfiltis\ (3 subtraces) (ID = 129007)
3:27 PM: HKLM\software\classes\mfiltis\ (3 subtraces) (ID = 129010)
3:27 PM: HKLM\software\system updater\ (ID = 129016)
3:27 PM: Found Adware: limeshop
3:27 PM: HKLM\software\microsoft\windows\currentversion\run\ || limeshop (ID = 129726)
3:27 PM: Found Adware: websearch toolbar
3:27 PM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_esies\ (4 subtraces) (ID = 146511)
3:27 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
3:27 PM: Found Adware: wurldmedia
3:27 PM: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535)
3:27 PM: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536)
3:27 PM: HKCR\interface\{9603a736-05b9-4d78-bdd5-bdcb0914e522}\ (8 subtraces) (ID = 147565)
3:27 PM: HKCR\interface\{bc12b055-c9f5-407d-9b66-1851973f32af}\ (8 subtraces) (ID = 147569)
3:27 PM: HKLM\software\aksoft\ (34346 subtraces) (ID = 639132)
3:27 PM: Found Adware: couponage
3:27 PM: HKLM\software\dealsonline\.data\ (2858 subtraces) (ID = 639276)
3:27 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
3:27 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
3:27 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
3:27 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
3:27 PM: Registry Sweep Complete, Elapsed Time:00:00:17
3:27 PM: Starting Cookie Sweep
3:27 PM: Found Spy Cookie: 2o7.net cookie
3:27 PM: owner@2o7[2].txt (ID = 1957)
3:27 PM: Found Spy Cookie: apmebf cookie
3:27 PM: owner@apmebf[1].txt (ID = 2229)
3:27 PM: Found Spy Cookie: azjmp cookie
3:27 PM: owner@azjmp[2].txt (ID = 2270)
3:27 PM: Found Spy Cookie: qksrv cookie
3:27 PM: owner@qksrv[1].txt (ID = 3213)
3:27 PM: Found Spy Cookie: reliablestats cookie
3:27 PM: [email protected][2].txt (ID = 3254)
3:27 PM: Found Spy Cookie: tribalfusion cookie
3:27 PM: owner@tribalfusion[1].txt (ID = 3589)
3:27 PM: Found Spy Cookie: 123count cookie
3:27 PM: [email protected][2].txt (ID = 1928)
3:27 PM: Found Spy Cookie: winantiviruspro cookie
3:27 PM: [email protected][2].txt (ID = 3690)
3:27 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:27 PM: Starting File Sweep
3:27 PM: Found Adware: apropos
3:27 PM: c:\windows\system32\config\systemprofile\local settings\temp\~compoundinst0 (ID = -2147481413)
3:27 PM: c:\windows\system32\config\systemprofile\local settings\temp\~apropos0 (3 subtraces) (ID = -2147481414)
3:27 PM: c:\windows\system32\config\systemprofile\local settings\temp\autoupdate0 (1 subtraces) (ID = -2147481415)
3:27 PM: Found Adware: powerscan
3:27 PM: c:\documents and settings\administrator\start menu\programs\power scan (1 subtraces) (ID = -2147480462)
3:27 PM: Found Adware: ezula ilookup
3:27 PM: c:\documents and settings\administrator\start menu\programs\earn (2 subtraces) (ID = -2147481004)
3:27 PM: c:\program files\limeshop (131 subtraces) (ID = -2147480733)
3:27 PM: c:\documents and settings\kids\start menu\programs\power scan (1 subtraces) (ID = -2147480462)
3:27 PM: c:\documents and settings\kids\start menu\programs\earn (2 subtraces) (ID = -2147481004)
3:27 PM: Found Adware: bho_sep
3:27 PM: c:\program files\sep (ID = -2147480335)
3:27 PM: c:\windows\system32\config\systemprofile\start menu\programs\earn (2 subtraces) (ID = -2147481004)
3:27 PM: c:\windows\system32\config\systemprofile\start menu\programs\power scan (1 subtraces) (ID = -2147480462)
3:28 PM: limeshop.inf (ID = 65527)
3:28 PM: moconfig.exe (ID = 90743)
3:28 PM: limeshop.exe (ID = 65525)
3:29 PM: power scan.lnk (ID = 72676)
3:29 PM: Found Adware: tvmedia
3:29 PM: tvmknwrd.dll (ID = 81726)
3:29 PM: limeshop_readme.txt (ID = 65532)
3:29 PM: limeshop_preferences0.htm (ID = 65531)
3:29 PM: limeshop_offer0.htm (ID = 65530)
3:29 PM: limeshop_confirm0.htm (ID = 65529)
3:29 PM: dosync.dll (ID = 54703)
3:30 PM: docore.dll (ID = 54701)
3:30 PM: tvmknwrd.dll (ID = 81726)
3:30 PM: tvmknwrd.dll (ID = 81726)
3:30 PM: Found Adware: look2me
3:30 PM: ptdrjni_1_1.dll (ID = 65904)
3:31 PM: power scan.lnk (ID = 72676)
3:31 PM: Found Adware: virtualbouncer
3:31 PM: delfin.dll (ID = 82799)
3:31 PM: power scan.lnk (ID = 72676)
3:31 PM: updinst.exe (ID = 65966)
3:31 PM: setup.inf (ID = 50156)
3:32 PM: setup.inf (ID = 50158)
3:32 PM: Found Adware: ebates money maker
3:32 PM: ce.class (ID = 59510)
3:32 PM: bi.class (ID = 59463)
3:32 PM: bl.class (ID = 59469)
3:32 PM: bo.class (ID = 59475)
3:32 PM: r.class (ID = 59694)
3:32 PM: tvmknwrd.dll (ID = 81726)
3:32 PM: bt.class (ID = 59485)
3:32 PM: b.class (ID = 59446)
3:32 PM: d.class (ID = 59555)
3:32 PM: f.class (ID = 59660)
3:32 PM: l.class (ID = 59673)
3:32 PM: n.class (ID = 59687)
3:32 PM: bu.class (ID = 59487)
3:32 PM: bz.class (ID = 59498)
3:32 PM: bb.class (ID = 59451)
3:32 PM: be.class (ID = 59457)
3:32 PM: bf.class (ID = 59458)
3:32 PM: bh.class (ID = 59461)
3:32 PM: cb.class (ID = 59504)
3:32 PM: cf.class (ID = 59511)
3:32 PM: bm.class (ID = 59471)
3:32 PM: bp.class (ID = 59478)
3:32 PM: br.class (ID = 59482)
3:32 PM: bc.class (ID = 59453)
3:32 PM: ch.class (ID = 59516)
3:32 PM: bw.class (ID = 59492)
3:32 PM: ea.class (ID = 59611)
3:32 PM: bx.class (ID = 59494)
3:32 PM: ca.class (ID = 59501)
3:32 PM: cj.class (ID = 59519)
3:32 PM: cc.class (ID = 59506)
3:32 PM: cd.class (ID = 59507)
3:32 PM: cl.class (ID = 59524)
3:32 PM: cn.class (ID = 59528)
3:32 PM: main.class (ID = 59681)
3:32 PM: cu.class (ID = 59543)
3:32 PM: ck.class (ID = 59521)
3:32 PM: cv.class (ID = 59545)
3:32 PM: cx.class (ID = 59548)
3:33 PM: bg.class (ID = 59460)
3:34 PM: tvmknwrd.dll (ID = 81726)
3:34 PM: cs.class (ID = 59539)
3:34 PM: cp.class (ID = 59533)
3:34 PM: cq.class (ID = 59534)
3:34 PM: da.class (ID = 59557)
3:34 PM: dg.class (ID = 59568)
3:34 PM: db.class (ID = 59559)
3:34 PM: dv.class (ID = 59600)
3:34 PM: dj.class (ID = 59576)
3:34 PM: di.class (ID = 59573)
3:34 PM: dw.class (ID = 59603)
3:34 PM: dl.class (ID = 59582)
3:34 PM: dq.class (ID = 59588)
3:34 PM: dx.class (ID = 59604)
3:34 PM: dm.class (ID = 59583)
3:34 PM: dn.class (ID = 59584)
3:34 PM: dy.class (ID = 59605)
3:34 PM: dr.class (ID = 59591)
3:34 PM: dz.class (ID = 59608)
3:34 PM: ed.class (ID = 59657)
3:35 PM: ezula[1].css (ID = 60546)
3:36 PM: q8rq0i95e8.dll (ID = 65904)
3:37 PM: woinstall.exe (ID = 60678)
3:38 PM: duime.dll (ID = 65904)
3:39 PM: power scan.lnk (ID = 72676)
3:39 PM: earn website.url (ID = 60442)
3:39 PM: about earn.lnk (ID = 111342)
3:39 PM: Found Adware: xpehbam dialer
3:39 PM: seksdialer.exe (ID = 90847)
3:39 PM: earn website.url (ID = 60442)
3:39 PM: about earn.lnk (ID = 111342)
3:39 PM: earn website.url (ID = 60442)
3:39 PM: about earn.lnk (ID = 111342)
3:39 PM: Found Adware: cws_hputi
3:39 PM: dc51.url (ID = 55966)
3:39 PM: dc54.url (ID = 55961)
3:39 PM: dc50.url (ID = 55965)
3:39 PM: dc52.url (ID = 55942)
3:39 PM: dc53.url (ID = 55946)
3:39 PM: Found Adware: twain-tech
3:39 PM: twtini.inf (ID = 81896)
3:39 PM: twaintec.inf (ID = 81888)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: twaintec.inf (ID = 81888)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: twaintec.inf (ID = 81888)
3:39 PM: twaintec.inf (ID = 81888)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: twaintec.inf (ID = 81888)
3:39 PM: mxtarget.inf (ID = 81843)
3:39 PM: polmx3.inf (ID = 81859)
3:39 PM: eb.class (ID = 59614)
3:39 PM: q.class (ID = 59693)
3:39 PM: e.class (ID = 59610)
3:39 PM: g.class (ID = 59663)
3:39 PM: ec.class (ID = 59654)
3:39 PM: i.class (ID = 59665)
3:39 PM: k.class (ID = 59671)
3:39 PM: s.class (ID = 59698)
3:39 PM: a.class (ID = 59443)
3:39 PM: m.class (ID = 59678)
3:39 PM: j.class (ID = 59670)
3:39 PM: p.class (ID = 59689)
3:39 PM: v.class (ID = 59718)
3:39 PM: x.class (ID = 59729)
3:39 PM: ba.class (ID = 59449)
3:39 PM: bd.class (ID = 59455)
3:39 PM: bj.class (ID = 59466)
3:39 PM: bq.class (ID = 59480)
3:39 PM: bs.class (ID = 59484)
3:39 PM: bv.class (ID = 59490)
3:39 PM: t.class (ID = 59708)
3:39 PM: cg.class (ID = 59513)
3:39 PM: ci.class (ID = 59517)
3:39 PM: cm.class (ID = 59526)
3:39 PM: co.class (ID = 59530)
3:39 PM: earn website.url (ID = 60442)
3:39 PM: about earn.lnk (ID = 111342)
3:39 PM: cw.class (ID = 59547)
3:39 PM: cy.class (ID = 59551)
3:39 PM: dc.class (ID = 59561)
3:39 PM: u.class (ID = 59715)
3:39 PM: dh.class (ID = 59570)
3:39 PM: dk.class (ID = 59579)
3:39 PM: du.class (ID = 59596)
3:39 PM: limeshop_script0.htm (ID = 65533)
3:41 PM: File Sweep Complete, Elapsed Time: 00:14:24
3:41 PM: Full Sweep has completed. Elapsed time 00:16:26
3:41 PM: Traces Found: 37738
10:07 AM: Removal process initiated
10:08 AM: Quarantining All Traces: look2me
10:08 AM: Quarantining All Traces: websearch toolbar
10:08 AM: Quarantining All Traces: aksoft
10:08 AM: Quarantining All Traces: apropos
10:08 AM: Quarantining All Traces: bho_sep
10:08 AM: Quarantining All Traces: couponage
10:08 AM: Quarantining All Traces: cws_hputi
10:08 AM: Quarantining All Traces: delfin
10:08 AM: Quarantining All Traces: ebates money maker
10:08 AM: Quarantining All Traces: ezula ilookup
10:08 AM: Quarantining All Traces: hotbar
10:08 AM: Quarantining All Traces: isearch desktop search
10:08 AM: Quarantining All Traces: limeshop
10:08 AM: Quarantining All Traces: powerscan
10:08 AM: Quarantining All Traces: tvmedia
10:08 AM: Quarantining All Traces: twain-tech
10:08 AM: Quarantining All Traces: virtualbouncer
10:08 AM: Quarantining All Traces: virtumonde
10:08 AM: virtumonde is in use. It will be removed on reboot.
10:08 AM: C:\WINDOWS\system32\awvvs.dll is in use. It will be removed on reboot.
10:08 AM: Quarantining All Traces: wurldmedia
10:08 AM: Quarantining All Traces: xpehbam dialer
10:08 AM: Quarantining All Traces: 123count cookie
10:08 AM: Quarantining All Traces: 2o7.net cookie
10:08 AM: Quarantining All Traces: apmebf cookie
10:08 AM: Quarantining All Traces: azjmp cookie
10:08 AM: Quarantining All Traces: qksrv cookie
10:08 AM: Quarantining All Traces: reliablestats cookie
10:08 AM: Quarantining All Traces: tribalfusion cookie
10:08 AM: Quarantining All Traces: winantiviruspro cookie
10:08 AM: Warning: Launched explorer.exe
10:08 AM: Warning: Quarantine process could not restart Explorer.
********
3:23 PM: | Start of Session, Monday, October 31, 2005 |
3:23 PM: Spy Sweeper started
3:24 PM: Your spyware definitions have been updated.
3:25 PM: | End of Session, Monday, October 31, 2005 |


Logfile of HijackThis v1.99.1
Scan saved at 2:14:25 PM, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Owner\Desktop\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...613/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#6
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Folders indicated in BLUE if they still exist.
You will have to run a search for these files,
go to Start | search | For files and folders, then under more advanced options check the first 3 boxes. Now commence the search.

ALCXMNTR.EXE
dcoqhm.exe
danic.exe



Reboot your system in Normal Mode.


Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post a fresh HijackThis log & the Log from Panda so that we can check if your system is clean.

Edited by skate_punk_21, 02 November 2005 - 01:57 PM.

  • 0

#7
Kirshna

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello again, I'm back for more.

On the step "View Hidden Files and Folders" I was unable to locate >System Files and Folders<, showing/visible.

On the step Panda ActiveScan
Scan > My Computer: Panda ActiveScan stopped at my K: drive, which is a removable storage MS/MS pro.
So I hit the stop button and received a report anyway. Yes, I gave ActiveScan plenty of time to run and hopefully realize that there was nothing in K:

Otherwise all other steps went just fine and here's the latest.


Incident Status Location

Adware:adware/superspider No disinfected C:\PROGRAM FILES\q330994.exe
Adware:adware/tvmedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/msxmidi No disinfected C:\WINDOWS\msxmidi.exe
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/gator No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051007-094042-962.dll
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051025-094156-858.dll
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051030-083645-411.dll
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Owner\Desktop\HIjackme\backups\backup-20051030-170127-720.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dgraw.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dn4201hoe.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\gp00l3dm1.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\h8l20i3oe8.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\j02q0af5ed2.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\k6pmlg7116.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ktlql7351.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\npwddi.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\OfmInfo.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\paflbmsg.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pop317.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\s288lclu1fq8.dll
Adware:Adware/WurldMedia No disinfected C:\WINDOWS\system32\tnujym.dll

Logfile of HijackThis v1.99.1
Scan saved at 6:57:38 PM, on 11/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Owner\Desktop\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...613/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

-Kirshna
  • 0
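The before-and-after comparison that posts #6 and #7 set up, as an added example (not part of the original thread and not a HijackThis feature): it parses the entry lines of two HijackThis logs, confirms that each entry selected for "Fix checked" is gone from the later log, and lists any other entries that changed. The function names are hypothetical, and the embedded logs are short excerpts of the 11/1 and 11/2 logs above.

```python
import re

# Entry lines in a HijackThis log start with a section code (R0, O4, O16, O23, ...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)")


def parse_entries(log_text):
    """Return the set of (section, normalised detail) entries found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Case-fold and collapse whitespace so cosmetic differences
            # (c:\ vs C:\, double spaces) are not reported as changes.
            detail = " ".join(m.group(2).split()).casefold()
            entries.add((m.group(1), detail))
    return entries


def diff_logs(before_text, after_text):
    """Entries that disappeared or appeared between two logs."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {"removed": sorted(before - after), "added": sorted(after - before)}


def verify_fix(fix_list_text, before_text, after_text):
    """Classify every entry on the helper's fix list."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    result = {"fixed": [], "still_present": [], "not_in_before": []}
    for entry in sorted(parse_entries(fix_list_text)):
        if entry in after:
            result["still_present"].append(entry)   # fix did not stick
        elif entry in before:
            result["fixed"].append(entry)
        else:
            result["not_in_before"].append(entry)   # list/log mismatch
    return result


def unexpected_changes(fix_list_text, before_text, after_text):
    """Changes between the logs that were not on the fix list."""
    requested = parse_entries(fix_list_text)
    delta = diff_logs(before_text, after_text)
    return {
        "removed": [e for e in delta["removed"] if e not in requested],
        "added": delta["added"],
    }


# Entries the helper asked to fix in post #6 (copied from the thread).
FIX_LIST = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
"""

# Excerpt of the 11/1/2005 log (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [r7mh3pi] dcoqhm.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [aw5nRfGEU] danic.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nce/install.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
"""

# Excerpt of the 11/2/2005 log (after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: winlogin.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
"""

if __name__ == "__main__":
    report = verify_fix(FIX_LIST, BEFORE, AFTER)
    for status, entries in report.items():
        for section, detail in entries:
            print(f"{status:14} {section:4} {detail}")
    for section, detail in unexpected_changes(FIX_LIST, BEFORE, AFTER)["removed"]:
        print(f"{'unrequested':14} {section:4} {detail}")
```

On these excerpts all six requested entries are reported as fixed, and the ClamWin Run entry shows up as removed even though it was not on the fix list.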

#8
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.
  • 0

#9
Kirshna

    New Member

  • Topic Starter
  • Member
  • 7 posts
After launching l2mfix.bat and option #2
I received these two pop-ups
1st Window) C:\WINDOWS\System32\cmd.exe
Killing explorer and Rund1132.exe
The system cannot find the path specified 0 file(s) copied
2nd Window) Registry Editor
Cannot export backregs\22B66291-61B4-4778-A6EE-55DB83AB2A79.reg:Error opening the file. There may be a disk or file system error.

*I click OK and get one more

3rd Window) Registry Editor
Cannot export 1AF2BB05-20C2-4191-895E-E015625AC3EF.reg:Error opening the file. There may be a disk or file system error.

*I click OK and the scan continues with no more pop-ups :tazz:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1952 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2016 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dgraw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn4201hoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp00l3dm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h8l20i3oe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j02q0af5ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6pmlg7116.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktlql7351.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npwddi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\OfmInfo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\paflbmsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s288lclu1fq8.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\dgraw.dll
Successfully Deleted: C:\WINDOWS\system32\dgraw.dll
deleting: C:\WINDOWS\system32\dn4201hoe.dll
Successfully Deleted: C:\WINDOWS\system32\dn4201hoe.dll
deleting: C:\WINDOWS\system32\gp00l3dm1.dll
Successfully Deleted: C:\WINDOWS\system32\gp00l3dm1.dll
deleting: C:\WINDOWS\system32\h8l20i3oe8.dll
Successfully Deleted: C:\WINDOWS\system32\h8l20i3oe8.dll
deleting: C:\WINDOWS\system32\j02q0af5ed2.dll
Successfully Deleted: C:\WINDOWS\system32\j02q0af5ed2.dll
deleting: C:\WINDOWS\system32\k6pmlg7116.dll
Successfully Deleted: C:\WINDOWS\system32\k6pmlg7116.dll
deleting: C:\WINDOWS\system32\ktlql7351.dll
Successfully Deleted: C:\WINDOWS\system32\ktlql7351.dll
deleting: C:\WINDOWS\system32\npwddi.dll
Successfully Deleted: C:\WINDOWS\system32\npwddi.dll
deleting: C:\WINDOWS\system32\OfmInfo.dll
Successfully Deleted: C:\WINDOWS\system32\OfmInfo.dll
deleting: C:\WINDOWS\system32\paflbmsg.dll
Successfully Deleted: C:\WINDOWS\system32\paflbmsg.dll
deleting: C:\WINDOWS\system32\s288lclu1fq8.dll
Successfully Deleted: C:\WINDOWS\system32\s288lclu1fq8.dll


Zipping up files for submission:
adding: dgraw.dll (188 bytes security) (deflated 5%)
adding: dn4201hoe.dll (188 bytes security) (deflated 5%)
adding: gp00l3dm1.dll (188 bytes security) (deflated 4%)
adding: h8l20i3oe8.dll (188 bytes security) (deflated 4%)
adding: j02q0af5ed2.dll (188 bytes security) (deflated 5%)
adding: k6pmlg7116.dll (188 bytes security) (deflated 5%)
adding: ktlql7351.dll (188 bytes security) (deflated 4%)
adding: npwddi.dll (188 bytes security) (deflated 4%)
adding: OfmInfo.dll (188 bytes security) (deflated 4%)
adding: paflbmsg.dll (188 bytes security) (deflated 4%)
adding: s288lclu1fq8.dll (188 bytes security) (deflated 4%)
adding: clear.reg (188 bytes security) (deflated 36%)
adding: dvdlog.txt (188 bytes security) (deflated 63%)
adding: graph.txt (188 bytes security) (deflated 69%)
adding: lo2.txt (188 bytes security) (deflated 80%)
adding: test.txt (188 bytes security) (deflated 71%)
adding: test2.txt (188 bytes security) (deflated 16%)
adding: test3.txt (188 bytes security) (deflated 16%)
adding: test5.txt (188 bytes security) (deflated 16%)
adding: usblog.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 64%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: dgraw.dll
deleting local copy: dn4201hoe.dll
deleting local copy: gp00l3dm1.dll
deleting local copy: h8l20i3oe8.dll
deleting local copy: j02q0af5ed2.dll
deleting local copy: k6pmlg7116.dll
deleting local copy: ktlql7351.dll
deleting local copy: npwddi.dll
deleting local copy: OfmInfo.dll
deleting local copy: paflbmsg.dll
deleting local copy: s288lclu1fq8.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dgraw.dll
C:\WINDOWS\system32\dn4201hoe.dll
C:\WINDOWS\system32\gp00l3dm1.dll
C:\WINDOWS\system32\h8l20i3oe8.dll
C:\WINDOWS\system32\j02q0af5ed2.dll
C:\WINDOWS\system32\k6pmlg7116.dll
C:\WINDOWS\system32\ktlql7351.dll
C:\WINDOWS\system32\npwddi.dll
C:\WINDOWS\system32\OfmInfo.dll
C:\WINDOWS\system32\paflbmsg.dll
C:\WINDOWS\system32\s288lclu1fq8.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{22B66291-61B4-4778-A6EE-55DB83AB2A79}"=-
"{AF24BB05-20C2-4191-895E-E015625AC3EF}"=-
[-HKEY_CLASSES_ROOT\CLSID\{22B66291-61B4-4778-A6EE-55DB83AB2A79}]
[-HKEY_CLASSES_ROOT\CLSID\{AF24BB05-20C2-4191-895E-E015625AC3EF}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 10:22:33 AM, on 11/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...613/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by Kirshna, 03 November 2005 - 12:33 PM.

  • 0
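The l2mfix log above exports the Winlogon Notify key, and several of its DllName values are stored as hex(2) (REG_EXPAND_SZ, UTF-16LE), which cannot be read at a glance. As an added example (not part of the original thread and not l2mfix's own code), this parser decodes such an export and lists the notification packages whose DLL is not on a reviewer-supplied baseline; the baseline set and the function names are assumptions, and the sample is a constructed excerpt of the export above.

```python
import re

# Constructed sample: three subkeys excerpted from the export shown in the log above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
'''

NOTIFY_ROOT = r"software\microsoft\windows nt\currentversion\winlogon\notify"

# Assumption: the baseline is just the DLL names that appear in the export above.
# It only demonstrates the comparison and is not an authoritative allowlist.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}


def join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; rejoin them."""
    return re.sub(r"\\\r?\n\s*", "", text)


def decode_value(raw):
    """Decode the value types seen in the export: string, dword and hex(2)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        # hex(2) is REG_EXPAND_SZ: comma-separated bytes of a UTF-16LE string.
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw


def parse_notify_export(text):
    """Return {subkey: {lowercased value name: decoded value}} for Notify subkeys."""
    packages, current = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            path = key.group(1)
            idx = path.lower().find(NOTIFY_ROOT + "\\")
            current = None  # the Notify root itself and unrelated keys are skipped
            if idx != -1:
                name = path[idx + len(NOTIFY_ROOT) + 1:]
                current = packages.setdefault(name, {})
            continue
        val = re.match(r'"([^"]+)"=(.*)$', line)
        if val and current is not None:
            # The export mixes "DllName" and "DLLName", so names are lowercased.
            current[val.group(1).lower()] = decode_value(val.group(2))
    return packages


def needs_review(packages, baseline=BASELINE_DLLS):
    """Return sorted (subkey, dll) pairs whose DLL is missing or not in the baseline."""
    flagged = []
    for name, values in packages.items():
        dll = values.get("dllname")
        if not isinstance(dll, str) or dll.lower() not in baseline:
            flagged.append((name, dll))
    return sorted(flagged, key=lambda pair: pair[0].lower())


if __name__ == "__main__":
    parsed = parse_notify_export(SAMPLE_EXPORT)
    for subkey, values in parsed.items():
        print(f"{subkey:14} -> {values.get('dllname')}")
    print("needs review:", needs_review(parsed))
```

An entry returned by `needs_review` is a prompt to identify the DLL, not a verdict; here the flagged `WRNotifier` package is the same one the HijackThis log lists on its O20 line.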

#10
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot). Click Yes at the 'Pending Operations' prompt if you see it:

C:\PROGRAM FILES\q330994.exe
C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\system32\tnujym.dll
C:\PROGRAM FILES\Lycos
C:\Documents and Settings\Owner\start menu\programs\startup\winlogin.exe

* If you receive a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


REBOOT NOW and post a fresh HijackThis Log.
  • 0

#11
Kirshna

Kirshna

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hope you had a nice weekend

Logfile of HijackThis v1.99.1
Scan saved at 5:50:37 PM, on 11/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\HIjackme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129999022578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...613/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe (file missing)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

-KIRSHNA
  • 0

#12
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Boot into safe mode please
Search for this file via Start || Search || for files and folders
Under More advanced options, check the first 3 boxes.

Search for this file and delete it when found --> winlogin.exe

Must be this file as it CLOSELY resembles a legit Windows FILE

If you are unsure of the file, mark its location and post it here, I will let you know if it's the right one.

When finished, reboot back to normal mode and post a fresh HijackThis log
  • 0
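Post #12 singles out winlogin.exe because its name closely resembles a legitimate Windows file. As an added example (not part of the original thread and not a tool the helpers used), this script scans the O4 and O23 lines of a HijackThis log and reports file names within a small edit distance of a known system name; the reference list, the threshold and the function names are assumptions, and the sample lines are copied from the 11/6/2005 log above.

```python
import re

# Assumption: a short reference list of core Windows process names, all of which
# appear in the logs above; extend it for real use.
KNOWN_SYSTEM_NAMES = ["smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                      "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"]

# Constructed sample: lines copied from the 11/6/2005 HijackThis log above.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: winlogin.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: kbdus - Unknown owner - C:\WINDOWS\System32\kbdus.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
'''

ENTRY = re.compile(r"^(O4|O23) - (.*)$")
BINARY = re.compile(r"[\w~.-]+\.(?:exe|dll)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def startup_binaries(log_text):
    """Yield (section, lowercased file name, line) for each O4/O23 entry."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        # Drop the "[value name]" label of Run entries so it is not taken for the binary.
        body = re.sub(r"\[[^\]]*\]", "", m.group(2))
        hit = BINARY.search(body)
        if hit:
            yield m.group(1), hit.group(0).lower(), line.strip()


def find_lookalikes(log_text, known=KNOWN_SYSTEM_NAMES, max_distance=2):
    """Report entries whose file name is near, but not equal to, a known system name."""
    known_set = {k.lower() for k in known}
    findings = []
    for section, name, line in startup_binaries(log_text):
        if name in known_set:
            continue  # an exact match is not a lookalike
        for legit in sorted(known_set):
            distance = edit_distance(name, legit)
            if distance <= max_distance:
                findings.append({"section": section, "file": name,
                                 "resembles": legit, "distance": distance,
                                 "line": line})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LOG):
        print(f"{f['section']}: {f['file']} resembles {f['resembles']} "
              f"(distance {f['distance']}) :: {f['line']}")
```

A name match alone does not cover a file that reuses a legitimate name from an unusual directory, so the full path on the flagged line still needs checking by hand.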

#13
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





