Popup/Virii Troubles [RESOLVED]


This topic is locked.

#1 teegttahb725 (New Member, 8 posts)

Hi!

My computer is running really slow and is devastated by popups upon popups!
What should I do?
Attached is my HijackThis! log

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 12.102.244.2 204.127.129.4
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\lvpo0973e.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)

#2 OwNt (Malware Expert, Retired Staff, 7,457 posts)

Hello, teegttahb725.

Please go to Start > Run

Type Msconfig and hit enter.

Under the General tab, put a checkmark by Normal Startup

Reboot.

Also, please DELETE your current HJT program from its present location.

Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident.

Run HijackThis

Click SCAN and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

#3 teegttahb725 (Topic Starter, New Member, 8 posts)

Hey!

This is my new logfile

Logfile of HijackThis v1.99.1
Scan saved at 3:28:49 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\WINDOWS\system32\uowfajm\crflq.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\system32\actx1.exe
O4 - HKLM\..\Run: [yXJWA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [yvqbjlw] C:\WINDOWS\system32\wbsofjh\yvqbjlw.exe
O4 - HKLM\..\Run: [ydxaim] C:\WINDOWS\system32\kjhjkbvp\ydxaim.exe
O4 - HKLM\..\Run: [xxcaith] C:\WINDOWS\system32\kvtsr\xxcaith.exe
O4 - HKLM\..\Run: [xhqfmpcf] C:\WINDOWS\system32\pjhtxinm\xhqfmpcf.exe
O4 - HKLM\..\Run: [xcuev] C:\WINDOWS\system32\cmvluj\xcuev.exe
O4 - HKLM\..\Run: [wtbqn] C:\WINDOWS\system32\ctbynb\wtbqn.exe
O4 - HKLM\..\Run: [woojx] C:\WINDOWS\system32\nqpi\woojx.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lglldg.exe reg_run
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [wincin] C:\WINDOWS\TEMP\w181609.Stub.exe
O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [walqdniu] C:\WINDOWS\system32\qvkps\walqdniu.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [vfplvej] C:\WINDOWS\system32\msbjftx\vfplvej.exe
O4 - HKLM\..\Run: [utgupfsr] C:\WINDOWS\system32\evxldh\utgupfsr.exe
O4 - HKLM\..\Run: [urhqy] C:\WINDOWS\system32\yfhy\urhqy.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ukialh] C:\WINDOWS\system32\jamsxbxw\ukialh.exe
O4 - HKLM\..\Run: [uhwwohd] C:\WINDOWS\system32\mnnua\uhwwohd.exe
O4 - HKLM\..\Run: [ttmefoie] C:\WINDOWS\system32\rjskxhum\ttmefoie.exe
O4 - HKLM\..\Run: [tqqibb] C:\WINDOWS\system32\fvdxwv\tqqibb.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [tjrpsv] C:\WINDOWS\system32\yjspw\tjrpsv.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [rnhoqxto] C:\WINDOWS\system32\yqaljnd\rnhoqxto.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qfiuur] C:\WINDOWS\system32\ucwq\qfiuur.exe
O4 - HKLM\..\Run: [psujj] C:\WINDOWS\system32\osng\psujj.exe
O4 - HKLM\..\Run: [ppfx] C:\WINDOWS\system32\fywolh\ppfx.exe
O4 - HKLM\..\Run: [oqrxoepx] C:\WINDOWS\system32\dtxbxdr\oqrxoepx.exe
O4 - HKLM\..\Run: [obwlpysu] C:\WINDOWS\system32\drqiyf\obwlpysu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [nrtphpa] C:\WINDOWS\system32\uqmxxyj\nrtphpa.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [ngubiv] C:\WINDOWS\system32\loowwyru\ngubiv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Update] hyqgwxy.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ltgbaco] C:\WINDOWS\system32\eykfq\ltgbaco.exe
O4 - HKLM\..\Run: [losq] C:\WINDOWS\system32\xaebuq\losq.exe
O4 - HKLM\..\Run: [lefes] C:\WINDOWS\system32\kyqr\lefes.exe
O4 - HKLM\..\Run: [kbdjkk] C:\WINDOWS\system32\oimlipe\kbdjkk.exe
O4 - HKLM\..\Run: [jhsgo] C:\WINDOWS\system32\bxppxtt\jhsgo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [irqsacwv] C:\WINDOWS\system32\wempjrtp\irqsacwv.exe
O4 - HKLM\..\Run: [ipyi] C:\WINDOWS\system32\feiufj\ipyi.exe
O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [gutf] C:\WINDOWS\system32\pqjd\gutf.exe
O4 - HKLM\..\Run: [gpdlaho] C:\WINDOWS\system32\wxlhwbg\gpdlaho.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eteqrqyg] C:\WINDOWS\system32\aogwc\eteqrqyg.exe
O4 - HKLM\..\Run: [eqhr] C:\WINDOWS\system32\avqf\eqhr.exe
O4 - HKLM\..\Run: [eoeuba] C:\WINDOWS\system32\arhf\eoeuba.exe
O4 - HKLM\..\Run: [dmocbn] C:\WINDOWS\system32\kslyga\dmocbn.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dchgrc] C:\WINDOWS\system32\xwbqgox\dchgrc.exe
O4 - HKLM\..\Run: [cxtto] C:\WINDOWS\system32\iahy\cxtto.exe
O4 - HKLM\..\Run: [cvrb] C:\WINDOWS\system32\nxtguh\cvrb.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mchfzkdr.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [bnxup] C:\WINDOWS\system32\qpdld\bnxup.exe
O4 - HKLM\..\Run: [ayduiq] C:\WINDOWS\system32\fceyk\ayduiq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [aown] C:\WINDOWS\system32\qmsc\aown.exe
O4 - HKLM\..\Run: [agxumaqk] C:\WINDOWS\system32\kgrdydf\agxumaqk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9020] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [enomokx] C:\WINDOWS\system32\axmmxmbm\enomokx.exe
O4 - HKLM\..\Run: [efjq] C:\WINDOWS\system32\sram\efjq.exe
O4 - HKLM\..\Run: [vstchgu] C:\WINDOWS\system32\ufxjldw\vstchgu.exe
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKLM\..\Run: [xvja] C:\WINDOWS\system32\vtmoyix\xvja.exe
O4 - HKLM\..\Run: [pmlxstgl] C:\WINDOWS\system32\ioaaver\pmlxstgl.exe
O4 - HKLM\..\Run: [qdkis] C:\WINDOWS\system32\rtbsnpi\qdkis.exe
O4 - HKLM\..\Run: [oivkbwmj] C:\WINDOWS\system32\ibcx\oivkbwmj.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [wiasld] C:\WINDOWS\system32\wiasld.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000158.exe
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - HKCU\..\Run: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - HKCU\..\RunOnce: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: nknn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 204.127.129.4 12.102.244.2
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\k880lilm18qa.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
O23 - Service: crflquowfajm - Unknown owner - C:\WINDOWS\system32\uowfajm\crflq.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ltgbacoeykfq - Unknown owner - C:\WINDOWS\system32\eykfq\ltgbaco.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)

#4 OwNt (Malware Expert, Retired Staff, 7,457 posts)

Hello, teegttahb725.

This is a very badly infected system.

Please try to bear with me as we clean it. :)

Download APT
Open APT and search in the window for the yaojhxg.exe.
Open your C:\Windows\system32 folder and search for yaojhxg.exe
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select yaojhxg.exe and Click Kill3

Then immediately delete yaojhxg.exe from your system32 folder.

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r


Then download LQfix.exe from one of the following locations:
  • http://www.downloads.subratam.org/LQfix.exe
  • http://miekiemoes.geekstogo.com/tools/LQfix.exe

  • Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings; if you change them, the fix will fail!
  • You need an active Internet connection, so make sure you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
You also have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


Please post back the logs from LQFix, L2MFix, and a fresh HijackThis log.

Edited by OwNt, 15 November 2005 - 06:19 PM.

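The triage the expert does by eye above (bare filenames with no path, executables in random subfolders of system32, "(file missing)" services, odd Winlogon Notify DLLs) can be written down as review heuristics. The following is an added example, not code from this thread or from HijackThis; every rule and the sample lines (copied from the logs posted here) are this example's own assumptions, and a hit means "look closer", not a verdict.

```python
"""Heuristic triage of HijackThis (HJT v1.99) O4 / O20 / O23 log lines.
Added example, not HijackThis's own logic: every rule is an assumption made
here, and a hit means "review this entry", not "this is malware".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes as HJT prints them: O4 autorun, O20 Winlogon Notify, O23 service.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First .exe/.dll in a command: cut at the extension rather than at whitespace,
# because HJT prints unquoted paths that contain spaces.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|bat|scr))"?(?=[\s,]|$)', re.I)
SYS32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+$", re.I)
VOWELLESS_RE = re.compile(r"^[bcdfghjklmnpqrstvwxyz]{6,}$")
MIXED_DIGITS_RE = re.compile(r"[a-z]\d+[a-z]", re.I)


@dataclass
class Entry:
    section: str            # "O4", "O20" or "O23"
    name: str               # autorun value, notify key or service display name
    cmd: str                # command string exactly as HJT printed it
    target: Optional[str]   # file the entry really launches (None if unclear)
    owner: str = ""         # O23 only: the "owner" column
    reasons: List[str] = field(default_factory=list)


def launched_target(cmd: str) -> Optional[str]:
    """Return the file a command really runs, looking through rundll32."""
    m = EXE_RE.match(cmd)
    if not m:
        return None
    exe = m.group("exe")
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        inner = EXE_RE.match(cmd[m.end():].lstrip())
        return inner.group("exe") if inner else exe
    return exe


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O4/O20/O23 line into an Entry; any other line gives None."""
    line = line.rstrip()
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["cmd"], launched_target(m["cmd"]))
    if m := O4_STARTUP_RE.match(line):
        cmd = m["cmd"].split(" = ", 1)[-1]      # "foo.lnk = C:\...\foo.exe"
        return Entry("O4", m["where"], cmd, launched_target(cmd))
    if m := O20_RE.match(line):
        return Entry("O20", m["name"], m["cmd"], launched_target(m["cmd"]))
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], m["cmd"], launched_target(m["cmd"]), m["owner"])
    return None


def flag_entry(e: Entry) -> Entry:
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    if "(file missing)" in e.cmd:
        e.reasons.append("referenced file is missing (orphaned autorun/service)")
    if e.target is None:
        e.reasons.append("could not tell which file this entry launches")
        return e
    t = e.target
    stem = t.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    in_windows = "\\" not in t or "\\windows\\" in t.lower()
    if "\\" not in t:
        e.reasons.append("bare filename, no path (found via the search path)")
    if SYS32_SUBDIR_RE.search(t):
        e.reasons.append("executable in a subfolder of system32")
    # Name-shape rules only for files in (or resolved from) the Windows tree.
    if in_windows and VOWELLESS_RE.match(re.sub(r"[^a-z]", "", stem.lower())):
        e.reasons.append("random-looking filename (no vowels)")
    if in_windows and MIXED_DIGITS_RE.search(stem):
        e.reasons.append("random-looking filename (digits embedded mid-name)")
    if e.section == "O4" and re.fullmatch(r"[a-z]{4,}", e.name) and e.name not in t.lower():
        e.reasons.append("autorun value name unrelated to the executable name")
    if e.section == "O20":
        e.reasons.append("Winlogon Notify DLL loads at every logon; verify publisher")
    if e.section == "O23" and e.owner == "Unknown owner" and "\\windows\\" in t.lower():
        e.reasons.append("service with unknown owner running from the Windows folder")
    return e


def triage(log_text: str) -> List[Entry]:
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and flag_entry(e).reasons:
            flagged.append(e)
    return flagged


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mchfzkdr.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\k880lilm18qa.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
"""
```

Running `triage(SAMPLE_LOG)` leaves the Microsoft AntiSpyware and NVIDIA entries alone and returns the other six with their reasons, which is the same shortlist the expert worked from.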

#5 teegttahb725 (Topic Starter, New Member, 8 posts)

Hey Buddy!

I downloaded the APT program, but then I searched for the yaojhxg.exe file and could not find it anywhere!
Am I doing something wrong?


--Teegttahb725

This is my most recent HJT scan log

Logfile of HijackThis v1.99.1
Scan saved at 8:21:01 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system32\uowfajm\crflq.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\system32\actx1.exe
O4 - HKLM\..\Run: [yXJWA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [yvqbjlw] C:\WINDOWS\system32\wbsofjh\yvqbjlw.exe
O4 - HKLM\..\Run: [ydxaim] C:\WINDOWS\system32\kjhjkbvp\ydxaim.exe
O4 - HKLM\..\Run: [xxcaith] C:\WINDOWS\system32\kvtsr\xxcaith.exe
O4 - HKLM\..\Run: [xhqfmpcf] C:\WINDOWS\system32\pjhtxinm\xhqfmpcf.exe
O4 - HKLM\..\Run: [xcuev] C:\WINDOWS\system32\cmvluj\xcuev.exe
O4 - HKLM\..\Run: [wtbqn] C:\WINDOWS\system32\ctbynb\wtbqn.exe
O4 - HKLM\..\Run: [woojx] C:\WINDOWS\system32\nqpi\woojx.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lglldg.exe reg_run
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [wincin] C:\WINDOWS\TEMP\w181609.Stub.exe
O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [walqdniu] C:\WINDOWS\system32\qvkps\walqdniu.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [vfplvej] C:\WINDOWS\system32\msbjftx\vfplvej.exe
O4 - HKLM\..\Run: [utgupfsr] C:\WINDOWS\system32\evxldh\utgupfsr.exe
O4 - HKLM\..\Run: [urhqy] C:\WINDOWS\system32\yfhy\urhqy.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ukialh] C:\WINDOWS\system32\jamsxbxw\ukialh.exe
O4 - HKLM\..\Run: [uhwwohd] C:\WINDOWS\system32\mnnua\uhwwohd.exe
O4 - HKLM\..\Run: [ttmefoie] C:\WINDOWS\system32\rjskxhum\ttmefoie.exe
O4 - HKLM\..\Run: [tqqibb] C:\WINDOWS\system32\fvdxwv\tqqibb.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [tjrpsv] C:\WINDOWS\system32\yjspw\tjrpsv.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [rnhoqxto] C:\WINDOWS\system32\yqaljnd\rnhoqxto.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qfiuur] C:\WINDOWS\system32\ucwq\qfiuur.exe
O4 - HKLM\..\Run: [psujj] C:\WINDOWS\system32\osng\psujj.exe
O4 - HKLM\..\Run: [ppfx] C:\WINDOWS\system32\fywolh\ppfx.exe
O4 - HKLM\..\Run: [oqrxoepx] C:\WINDOWS\system32\dtxbxdr\oqrxoepx.exe
O4 - HKLM\..\Run: [obwlpysu] C:\WINDOWS\system32\drqiyf\obwlpysu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [nrtphpa] C:\WINDOWS\system32\uqmxxyj\nrtphpa.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [ngubiv] C:\WINDOWS\system32\loowwyru\ngubiv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Update] hyqgwxy.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ltgbaco] C:\WINDOWS\system32\eykfq\ltgbaco.exe
O4 - HKLM\..\Run: [losq] C:\WINDOWS\system32\xaebuq\losq.exe
O4 - HKLM\..\Run: [lefes] C:\WINDOWS\system32\kyqr\lefes.exe
O4 - HKLM\..\Run: [kbdjkk] C:\WINDOWS\system32\oimlipe\kbdjkk.exe
O4 - HKLM\..\Run: [jhsgo] C:\WINDOWS\system32\bxppxtt\jhsgo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [irqsacwv] C:\WINDOWS\system32\wempjrtp\irqsacwv.exe
O4 - HKLM\..\Run: [ipyi] C:\WINDOWS\system32\feiufj\ipyi.exe
O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [gutf] C:\WINDOWS\system32\pqjd\gutf.exe
O4 - HKLM\..\Run: [gpdlaho] C:\WINDOWS\system32\wxlhwbg\gpdlaho.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eteqrqyg] C:\WINDOWS\system32\aogwc\eteqrqyg.exe
O4 - HKLM\..\Run: [eqhr] C:\WINDOWS\system32\avqf\eqhr.exe
O4 - HKLM\..\Run: [eoeuba] C:\WINDOWS\system32\arhf\eoeuba.exe
O4 - HKLM\..\Run: [dmocbn] C:\WINDOWS\system32\kslyga\dmocbn.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dchgrc] C:\WINDOWS\system32\xwbqgox\dchgrc.exe
O4 - HKLM\..\Run: [cxtto] C:\WINDOWS\system32\iahy\cxtto.exe
O4 - HKLM\..\Run: [cvrb] C:\WINDOWS\system32\nxtguh\cvrb.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mchfzkdr.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [bnxup] C:\WINDOWS\system32\qpdld\bnxup.exe
O4 - HKLM\..\Run: [ayduiq] C:\WINDOWS\system32\fceyk\ayduiq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [aown] C:\WINDOWS\system32\qmsc\aown.exe
O4 - HKLM\..\Run: [agxumaqk] C:\WINDOWS\system32\kgrdydf\agxumaqk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9020] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [enomokx] C:\WINDOWS\system32\axmmxmbm\enomokx.exe
O4 - HKLM\..\Run: [efjq] C:\WINDOWS\system32\sram\efjq.exe
O4 - HKLM\..\Run: [vstchgu] C:\WINDOWS\system32\ufxjldw\vstchgu.exe
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKLM\..\Run: [xvja] C:\WINDOWS\system32\vtmoyix\xvja.exe
O4 - HKLM\..\Run: [pmlxstgl] C:\WINDOWS\system32\ioaaver\pmlxstgl.exe
O4 - HKLM\..\Run: [qdkis] C:\WINDOWS\system32\rtbsnpi\qdkis.exe
O4 - HKLM\..\Run: [oivkbwmj] C:\WINDOWS\system32\ibcx\oivkbwmj.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [wiasld] C:\WINDOWS\system32\wiasld.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000158.exe
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - HKCU\..\Run: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - HKCU\..\RunOnce: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: nknn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 204.127.160.3 12.102.240.1
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\k880lilm18qa.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
O23 - Service: crflquowfajm - Unknown owner - C:\WINDOWS\system32\uowfajm\crflq.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ltgbacoeykfq - Unknown owner - C:\WINDOWS\system32\eykfq\ltgbaco.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)

#6
OwNt
    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, teegttahb725.

This line here,

O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r

Do you notice the r at the end? This signifies the file you must remove. It will change names each time you remove it incorrectly or reboot.

You must substitute the name for the new one each time it changes or wait for new instructions, whichever you feel more comfortable with.

Your newest HijackThis log shows the file has not changed names; are you sure you can't find it?

#7
teegttahb725
    New Member
  • Topic Starter
  • Member
  • 8 posts
Hey again:

I checked it over 12 times and I am positive it is not there.
What should I do?

Also, I downloaded LQfix.exe but it didn't create a log or anything; all it did was ask me to restart, and that is what I did.

This is the most recent HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:02:58 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
C:\WINDOWS\system32\uowfajm\crflq.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\kyqr\lefes.exe
C:\WINDOWS\system32\oimlipe\kbdjkk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ibcx\oivkbwmj.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\rsjldjvk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\system32\actx1.exe
O4 - HKLM\..\Run: [yXJWA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [yvqbjlw] C:\WINDOWS\system32\wbsofjh\yvqbjlw.exe
O4 - HKLM\..\Run: [ydxaim] C:\WINDOWS\system32\kjhjkbvp\ydxaim.exe
O4 - HKLM\..\Run: [xxcaith] C:\WINDOWS\system32\kvtsr\xxcaith.exe
O4 - HKLM\..\Run: [xhqfmpcf] C:\WINDOWS\system32\pjhtxinm\xhqfmpcf.exe
O4 - HKLM\..\Run: [xcuev] C:\WINDOWS\system32\cmvluj\xcuev.exe
O4 - HKLM\..\Run: [wtbqn] C:\WINDOWS\system32\ctbynb\wtbqn.exe
O4 - HKLM\..\Run: [woojx] C:\WINDOWS\system32\nqpi\woojx.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lglldg.exe reg_run
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [wincin] C:\WINDOWS\TEMP\w181609.Stub.exe
O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [walqdniu] C:\WINDOWS\system32\qvkps\walqdniu.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [vfplvej] C:\WINDOWS\system32\msbjftx\vfplvej.exe
O4 - HKLM\..\Run: [utgupfsr] C:\WINDOWS\system32\evxldh\utgupfsr.exe
O4 - HKLM\..\Run: [urhqy] C:\WINDOWS\system32\yfhy\urhqy.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ukialh] C:\WINDOWS\system32\jamsxbxw\ukialh.exe
O4 - HKLM\..\Run: [uhwwohd] C:\WINDOWS\system32\mnnua\uhwwohd.exe
O4 - HKLM\..\Run: [ttmefoie] C:\WINDOWS\system32\rjskxhum\ttmefoie.exe
O4 - HKLM\..\Run: [tqqibb] C:\WINDOWS\system32\fvdxwv\tqqibb.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [tjrpsv] C:\WINDOWS\system32\yjspw\tjrpsv.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [rnhoqxto] C:\WINDOWS\system32\yqaljnd\rnhoqxto.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qfiuur] C:\WINDOWS\system32\ucwq\qfiuur.exe
O4 - HKLM\..\Run: [psujj] C:\WINDOWS\system32\osng\psujj.exe
O4 - HKLM\..\Run: [ppfx] C:\WINDOWS\system32\fywolh\ppfx.exe
O4 - HKLM\..\Run: [oqrxoepx] C:\WINDOWS\system32\dtxbxdr\oqrxoepx.exe
O4 - HKLM\..\Run: [obwlpysu] C:\WINDOWS\system32\drqiyf\obwlpysu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [nrtphpa] C:\WINDOWS\system32\uqmxxyj\nrtphpa.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [ngubiv] C:\WINDOWS\system32\loowwyru\ngubiv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Update] hyqgwxy.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ltgbaco] C:\WINDOWS\system32\eykfq\ltgbaco.exe
O4 - HKLM\..\Run: [losq] C:\WINDOWS\system32\xaebuq\losq.exe
O4 - HKLM\..\Run: [lefes] C:\WINDOWS\system32\kyqr\lefes.exe
O4 - HKLM\..\Run: [kbdjkk] C:\WINDOWS\system32\oimlipe\kbdjkk.exe
O4 - HKLM\..\Run: [jhsgo] C:\WINDOWS\system32\bxppxtt\jhsgo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [irqsacwv] C:\WINDOWS\system32\wempjrtp\irqsacwv.exe
O4 - HKLM\..\Run: [ipyi] C:\WINDOWS\system32\feiufj\ipyi.exe
O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [gutf] C:\WINDOWS\system32\pqjd\gutf.exe
O4 - HKLM\..\Run: [gpdlaho] C:\WINDOWS\system32\wxlhwbg\gpdlaho.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eteqrqyg] C:\WINDOWS\system32\aogwc\eteqrqyg.exe
O4 - HKLM\..\Run: [eqhr] C:\WINDOWS\system32\avqf\eqhr.exe
O4 - HKLM\..\Run: [eoeuba] C:\WINDOWS\system32\arhf\eoeuba.exe
O4 - HKLM\..\Run: [dmocbn] C:\WINDOWS\system32\kslyga\dmocbn.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dchgrc] C:\WINDOWS\system32\xwbqgox\dchgrc.exe
O4 - HKLM\..\Run: [cxtto] C:\WINDOWS\system32\iahy\cxtto.exe
O4 - HKLM\..\Run: [cvrb] C:\WINDOWS\system32\nxtguh\cvrb.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mchfzkdr.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [bnxup] C:\WINDOWS\system32\qpdld\bnxup.exe
O4 - HKLM\..\Run: [ayduiq] C:\WINDOWS\system32\fceyk\ayduiq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [aown] C:\WINDOWS\system32\qmsc\aown.exe
O4 - HKLM\..\Run: [agxumaqk] C:\WINDOWS\system32\kgrdydf\agxumaqk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9020] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [enomokx] C:\WINDOWS\system32\axmmxmbm\enomokx.exe
O4 - HKLM\..\Run: [efjq] C:\WINDOWS\system32\sram\efjq.exe
O4 - HKLM\..\Run: [vstchgu] C:\WINDOWS\system32\ufxjldw\vstchgu.exe
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKLM\..\Run: [xvja] C:\WINDOWS\system32\vtmoyix\xvja.exe
O4 - HKLM\..\Run: [pmlxstgl] C:\WINDOWS\system32\ioaaver\pmlxstgl.exe
O4 - HKLM\..\Run: [qdkis] C:\WINDOWS\system32\rtbsnpi\qdkis.exe
O4 - HKLM\..\Run: [oivkbwmj] C:\WINDOWS\system32\ibcx\oivkbwmj.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\rsjldjvk.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\cixbc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [wiasld] C:\WINDOWS\system32\wiasld.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000158.exe
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - HKCU\..\Run: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\whiexk.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: nknn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 204.127.129.4 12.102.244.2
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\k880lilm18qa.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
O23 - Service: crflquowfajm - Unknown owner - C:\WINDOWS\system32\uowfajm\crflq.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ltgbacoeykfq - Unknown owner - C:\WINDOWS\system32\eykfq\ltgbaco.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)

#8
OwNt
    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, teegttahb725.

You will need to print these instructions out for use in safe mode. It may help if you also familiarize yourself with them first.

Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Also download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Then go to Start > Run

Only enter one line at a time, and press enter after EACH line.

Type sc stop cmdService

Type sc delete cmdService

Type sc stop crflquowfajm

Type sc delete crflquowfajm

Type sc stop greenstdsystem32

Type sc delete greenstdsystem32

Type sc stop ltgbacoeykfq

Type sc delete ltgbacoeykfq

Then reboot into Safe Mode by tapping the F8 key when you turn on your computer, and select Safe Mode from the list that appears. If you see the Windows loading screen, you went too far.

Once in safe mode open Hijackthis, scan, and place a checkmark by the following entries:

O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\system32\actx1.exe
O4 - HKLM\..\Run: [yXJWA4] "C:\WINDOWS\system32\cxtpls_loader.EXE" /PC=CP.AOP2
O4 - HKLM\..\Run: [yvqbjlw] C:\WINDOWS\system32\wbsofjh\yvqbjlw.exe
O4 - HKLM\..\Run: [ydxaim] C:\WINDOWS\system32\kjhjkbvp\ydxaim.exe
O4 - HKLM\..\Run: [xxcaith] C:\WINDOWS\system32\kvtsr\xxcaith.exe
O4 - HKLM\..\Run: [xhqfmpcf] C:\WINDOWS\system32\pjhtxinm\xhqfmpcf.exe
O4 - HKLM\..\Run: [xcuev] C:\WINDOWS\system32\cmvluj\xcuev.exe
O4 - HKLM\..\Run: [wtbqn] C:\WINDOWS\system32\ctbynb\wtbqn.exe
O4 - HKLM\..\Run: [woojx] C:\WINDOWS\system32\nqpi\woojx.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lglldg.exe reg_run
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [wincin] C:\WINDOWS\TEMP\w181609.Stub.exe
O4 - HKLM\..\Run: [walqdniu] C:\WINDOWS\system32\qvkps\walqdniu.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [vfplvej] C:\WINDOWS\system32\msbjftx\vfplvej.exe
O4 - HKLM\..\Run: [utgupfsr] C:\WINDOWS\system32\evxldh\utgupfsr.exe
O4 - HKLM\..\Run: [urhqy] C:\WINDOWS\system32\yfhy\urhqy.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ukialh] C:\WINDOWS\system32\jamsxbxw\ukialh.exe
O4 - HKLM\..\Run: [uhwwohd] C:\WINDOWS\system32\mnnua\uhwwohd.exe
O4 - HKLM\..\Run: [ttmefoie] C:\WINDOWS\system32\rjskxhum\ttmefoie.exe
O4 - HKLM\..\Run: [tqqibb] C:\WINDOWS\system32\fvdxwv\tqqibb.exe
O4 - HKLM\..\Run: [tjrpsv] C:\WINDOWS\system32\yjspw\tjrpsv.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [rnhoqxto] C:\WINDOWS\system32\yqaljnd\rnhoqxto.exe
O4 - HKLM\..\Run: [qfiuur] C:\WINDOWS\system32\ucwq\qfiuur.exe
O4 - HKLM\..\Run: [psujj] C:\WINDOWS\system32\osng\psujj.exe
O4 - HKLM\..\Run: [ppfx] C:\WINDOWS\system32\fywolh\ppfx.exe
O4 - HKLM\..\Run: [oqrxoepx] C:\WINDOWS\system32\dtxbxdr\oqrxoepx.exe
O4 - HKLM\..\Run: [obwlpysu] C:\WINDOWS\system32\drqiyf\obwlpysu.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [nrtphpa] C:\WINDOWS\system32\uqmxxyj\nrtphpa.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [ngubiv] C:\WINDOWS\system32\loowwyru\ngubiv.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [Microsoft Update] hyqgwxy.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ltgbaco] C:\WINDOWS\system32\eykfq\ltgbaco.exe
O4 - HKLM\..\Run: [losq] C:\WINDOWS\system32\xaebuq\losq.exe
O4 - HKLM\..\Run: [lefes] C:\WINDOWS\system32\kyqr\lefes.exe
O4 - HKLM\..\Run: [kbdjkk] C:\WINDOWS\system32\oimlipe\kbdjkk.exe
O4 - HKLM\..\Run: [jhsgo] C:\WINDOWS\system32\bxppxtt\jhsgo.exe
O4 - HKLM\..\Run: [irqsacwv] C:\WINDOWS\system32\wempjrtp\irqsacwv.exe
O4 - HKLM\..\Run: [ipyi] C:\WINDOWS\system32\feiufj\ipyi.exe
O4 - HKLM\..\Run: [inwmg] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [gutf] C:\WINDOWS\system32\pqjd\gutf.exe
O4 - HKLM\..\Run: [gpdlaho] C:\WINDOWS\system32\wxlhwbg\gpdlaho.exe
O4 - HKLM\..\Run: [eteqrqyg] C:\WINDOWS\system32\aogwc\eteqrqyg.exe
O4 - HKLM\..\Run: [eqhr] C:\WINDOWS\system32\avqf\eqhr.exe
O4 - HKLM\..\Run: [eoeuba] C:\WINDOWS\system32\arhf\eoeuba.exe
O4 - HKLM\..\Run: [dmocbn] C:\WINDOWS\system32\kslyga\dmocbn.exe
O4 - HKLM\..\Run: [dchgrc] C:\WINDOWS\system32\xwbqgox\dchgrc.exe
O4 - HKLM\..\Run: [cxtto] C:\WINDOWS\system32\iahy\cxtto.exe
O4 - HKLM\..\Run: [cvrb] C:\WINDOWS\system32\nxtguh\cvrb.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mchfzkdr.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [bnxup] C:\WINDOWS\system32\qpdld\bnxup.exe
O4 - HKLM\..\Run: [ayduiq] C:\WINDOWS\system32\fceyk\ayduiq.exe
O4 - HKLM\..\Run: [aown] C:\WINDOWS\system32\qmsc\aown.exe
O4 - HKLM\..\Run: [agxumaqk] C:\WINDOWS\system32\kgrdydf\agxumaqk.exe
O4 - HKLM\..\Run: [9020] C:\WINDOWS\exe81.exe
O4 - HKLM\..\Run: [enomokx] C:\WINDOWS\system32\axmmxmbm\enomokx.exe
O4 - HKLM\..\Run: [efjq] C:\WINDOWS\system32\sram\efjq.exe
O4 - HKLM\..\Run: [vstchgu] C:\WINDOWS\system32\ufxjldw\vstchgu.exe
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKLM\..\Run: [xvja] C:\WINDOWS\system32\vtmoyix\xvja.exe
O4 - HKLM\..\Run: [pmlxstgl] C:\WINDOWS\system32\ioaaver\pmlxstgl.exe
O4 - HKLM\..\Run: [qdkis] C:\WINDOWS\system32\rtbsnpi\qdkis.exe
O4 - HKLM\..\Run: [oivkbwmj] C:\WINDOWS\system32\ibcx\oivkbwmj.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\rsjldjvk.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\cixbc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [wiasld] C:\WINDOWS\system32\wiasld.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000158.exe
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - HKCU\..\Run: [cfgpgr] C:\WINDOWS\system32\cfgpgr.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\whiexk.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: nknn.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\k880lilm18qa.dll (file missing)


Close ALL open windows/browsers and click Fix Checked.

Exit Hijackthis.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
You will need to show hidden files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Using Windows Search, please delete the following files:
(Start > Search > For Files or Folders - Make sure it is set to search hidden files)

MSNMSGR5.exe
msblast.exe
hyqgwxy.exe
teekids.exe
nknn.exe
crss.exe
scvhosting.exe


1) Please run Killbox.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\actx1.exe
C:\WINDOWS\system32\cxtpls_loader.EXE
C:\WINDOWS\system32\wbsofjh\yvqbjlw.exe
C:\WINDOWS\system32\kjhjkbvp\ydxaim.exe
C:\WINDOWS\system32\kvtsr\xxcaith.exe
C:\WINDOWS\system32\pjhtxinm\xhqfmpcf.exe
C:\WINDOWS\system32\cmvluj\xcuev.exe
C:\WINDOWS\system32\ctbynb\wtbqn.exe
C:\WINDOWS\system32\nqpi\woojx.exe
C:\WINDOWS\system32\w130713.Stub.EXE
C:\WINDOWS\system32\lglldg.exe
C:\WINDOWS\TEMP\w181609.Stub.exe
C:\WINDOWS\system32\qvkps\walqdniu.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\WINDOWS\system32\msbjftx\vfplvej.exe
C:\WINDOWS\system32\evxldh\utgupfsr.exe
C:\WINDOWS\system32\yfhy\urhqy.exe
C:\WINDOWS\system32\jamsxbxw\ukialh.exe
C:\WINDOWS\system32\mnnua\uhwwohd.exe
C:\WINDOWS\system32\rjskxhum\ttmefoie.exe
C:\WINDOWS\system32\fvdxwv\tqqibb.exe
C:\WINDOWS\system32\yjspw\tjrpsv.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\Program Files\snss\snss.exe
C:\WINDOWS\exe81.exe
C:\WINDOWS\system32\yqaljnd\rnhoqxto.exe
C:\WINDOWS\system32\ucwq\qfiuur.exe
C:\WINDOWS\system32\osng\psujj.exe
C:\WINDOWS\system32\fywolh\ppfx.exe
C:\WINDOWS\system32\dtxbxdr\oqrxoepx.exe
C:\WINDOWS\system32\drqiyf\obwlpysu.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\uqmxxyj\nrtphpa.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\system32\loowwyru\ngubiv.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Documents and Settings\All Users\Application Data\msst\mssts.exe
C:\WINDOWS\system32\eykfq\ltgbaco.exe
C:\WINDOWS\system32\xaebuq\losq.exe
C:\WINDOWS\system32\kyqr\lefes.exe
C:\WINDOWS\system32\oimlipe\kbdjkk.exe
C:\WINDOWS\system32\bxppxtt\jhsgo.exe
C:\WINDOWS\system32\wempjrtp\irqsacwv.exe
C:\WINDOWS\system32\feiufj\ipyi.exe
C:\WINDOWS\system32\pqjd\gutf.exe
C:\WINDOWS\system32\wxlhwbg\gpdlaho.exe
C:\WINDOWS\system32\aogwc\eteqrqyg.exe
C:\WINDOWS\system32\avqf\eqhr.exe
C:\WINDOWS\system32\arhf\eoeuba.exe
C:\WINDOWS\system32\kslyga\dmocbn.exe
C:\WINDOWS\system32\xwbqgox\dchgrc.exe
C:\WINDOWS\system32\iahy\cxtto.exe
C:\WINDOWS\system32\nxtguh\cvrb.exe
C:\WINDOWS\System32\mchfzkdr.exe
RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
C:\WINDOWS\system32\qpdld\bnxup.exe
C:\WINDOWS\system32\fceyk\ayduiq.exe
C:\WINDOWS\system32\qmsc\aown.exe
C:\WINDOWS\system32\kgrdydf\agxumaqk.exe
C:\WINDOWS\system32\axmmxmbm\enomokx.exe
C:\WINDOWS\system32\sram\efjq.exe
C:\WINDOWS\system32\ufxjldw\vstchgu.exe
C:\WINDOWS\system32\uowfajm\crflq.exe
C:\WINDOWS\system32\vtmoyix\xvja.exe
C:\WINDOWS\system32\ioaaver\pmlxstgl.exe
C:\WINDOWS\system32\rtbsnpi\qdkis.exe
C:\WINDOWS\system32\ibcx\oivkbwmj.exe
C:\WINDOWS\system32\rsjldjvk.exe
C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\cixbc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\WINDOWS\system32\wiasld.exe
C:\Program Files\Common Files\mc-58-12-0000158.exe
C:\WINDOWS\system32\cfgpgr.exe
C:\DOCUME~1\GEETBH~1\LOCALS~1\Temp\whiexk.exe
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\WINDOWS\System32\videosd32.exe


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Once in normal mode again double click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

We also need to run a virus scan at Kaspersky.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Wait a few seconds and a Notepad page will pop up. Copy and paste those results and place them in the next post along with the results of WinPFind, Track qoo, Kaspersky, and a fresh HijackThis log.
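As an added example (not part of the thread, and not HijackThis or OwNt's tooling), the script below encodes the three patterns the instructions in post #8 act on: bare filenames in autorun entries (OwNt's "search and delete" list), random-named executables in random-named system32 subfolders (the bulk of the Fix Checked list), and unowned services with a missing or random-path binary (the sc stop / sc delete targets). The function names, the sample log (assembled from entries quoted in the thread) and the heuristics are mine; the file-missing rule deliberately ignores the avast! lines, where HijackThis 1.99.1 reports "(file missing)" for a binary that is present because the service's ImagePath is quoted with arguments.

```python
"""Triage HijackThis O4/O23 entries for the patterns this thread's helper acted on. Added example,
not part of the thread and not HijackThis code; the sample log is built from entries quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 - <HKLM\..\Run | Startup | Global Startup>: [name] command
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# O23 - Service: display (short) - owner - path [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
RANDOM_TOKEN = re.compile(r"^[a-z]{4,8}$")  # random-looking names such as "uowfajm", "crflq"
KNOWN_HOSTS = {"rundll32.exe"}  # legitimately path-less; its DLL argument needs its own review
MISSING = " (file missing)"


@dataclass
class Finding:
    line: str
    reason: str
    service: Optional[str] = None  # short service name when the entry is an O23


def executable_of(cmd: str) -> str:
    """Program part of a Run-key or Startup entry, without quotes, arguments or '.lnk = '."""
    cmd = cmd.strip()
    if " = " in cmd:  # "name.lnk = target" form of Startup entries
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")  # unquoted path that may contain spaces, then arguments
    return cmd[: i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def is_random_system32_path(exe: str) -> bool:
    """C:\\WINDOWS\\system32\\<random>\\<random>.exe, the layout of most entries OwNt removed."""
    parts = exe.split("\\")
    if len(parts) != 5 or not parts[4].lower().endswith(".exe"):
        return False
    drive, windir, sys32, folder, name = parts
    return (drive.upper() == "C:" and windir.upper() == "WINDOWS" and sys32.lower() == "system32"
            and bool(RANDOM_TOKEN.match(folder)) and bool(RANDOM_TOKEN.match(name[:-4])))


def service_short_name(display: str) -> str:
    """'Command Service (cmdService)' -> 'cmdService'; without parentheses the name is the short name."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three heuristics to one HijackThis line; None means nothing matched."""
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        # 1. Bare filename: located by PATH search, which vendors avoid and worms rely on.
        if "\\" not in exe and exe.lower().endswith(".exe") and exe.lower() not in KNOWN_HOSTS:
            return Finding(line, "bare filename in autorun entry (resolved by PATH search)")
        # 2. Random-named exe inside a random-named system32 subfolder.
        if is_random_system32_path(exe):
            return Finding(line, "random-named exe in random-named system32 subfolder")
        return None
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        path, short = m.group("path"), service_short_name(m.group("name"))
        if is_random_system32_path(path.replace(MISSING, "")):
            return Finding(line, "unowned service in random-named system32 subfolder", short)
        # 3. Unowned service whose binary is gone. A stray quote in the path column is the
        #    HijackThis 1.99 quoted-ImagePath quirk (see the avast! lines), not evidence.
        if path.endswith(MISSING) and '"' not in path:
            return Finding(line, "unowned service with missing binary", short)
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in log.splitlines()) if f]


def sc_commands(findings: List[Finding]) -> List[str]:
    """The thread's service cleanup: `sc stop` then `sc delete` for each flagged service."""
    return [c for f in findings if f.service for c in (f"sc stop {f.service}", f"sc delete {f.service}")]


# Constructed sample: entries OwNt kept next to entries OwNt removed, all from the thread's logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [crflq] C:\WINDOWS\system32\uowfajm\crflq.exe
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - Global Startup: nknn.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VldCBCaGF0dAAA\command.exe (file missing)
O23 - Service: crflquowfajm - Unknown owner - C:\WINDOWS\system32\uowfajm\crflq.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: ltgbacoeykfq - Unknown owner - C:\WINDOWS\system32\eykfq\ltgbaco.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<60} {f.line}")
    print("\n".join(sc_commands(triage(SAMPLE_LOG))))
```

On the sample, triage() flags eight of the twelve lines and sc_commands() yields the same four sc stop / sc delete pairs OwNt gave; the Symantec, NVIDIA, rundll32 and avast! lines pass.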

#9
teegttahb725
    New Member
  • Topic Starter
  • Member
  • 8 posts
Hey There

Attached are all the logs you requested:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/2/2005 5:28:36 PM 42736 C:\WINDOWS\icont.exe
UPX! 9/6/2005 7:04:14 AM 86528 C:\WINDOWS\io2uns.exe
ad-w-a-r-e.com 11/15/2005 8:53:28 PM 315948 C:\WINDOWS\setupapi.log
UPX! 11/7/2005 4:40:38 PM 55223 C:\WINDOWS\whCC-GIANT.exe

Checking %System% folder...
UPX! 9/19/2005 7:07:38 PM 53248 C:\WINDOWS\SYSTEM32\2bundle.exe
SAHAgent 9/2/2005 9:05:24 PM 524 C:\WINDOWS\SYSTEM32\a675e1ucu.ini
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
UPX! 8/30/2005 12:06:46 PM 68096 C:\WINDOWS\SYSTEM32\cfgpgr.exe
UPX! 8/30/2005 11:16:50 AM 68096 C:\WINDOWS\SYSTEM32\cluvie.exe
UPX! 8/30/2005 12:06:46 PM 68096 C:\WINDOWS\SYSTEM32\cordsa.exe
PEC2 9/3/2002 11:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 11/10/2005 11:20:44 AM R S 235712 C:\WINDOWS\SYSTEM32\dtrgui.dll
ad-w-a-r-e.com 11/10/2005 11:20:44 AM R S 235712 C:\WINDOWS\SYSTEM32\dtrgui.dll
WinShutDown 11/11/2005 8:30:14 AM R S 235712 C:\WINDOWS\SYSTEM32\dtsapi.dll
ad-w-a-r-e.com 11/11/2005 8:30:14 AM R S 235712 C:\WINDOWS\SYSTEM32\dtsapi.dll
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
WinShutDown 11/10/2005 11:09:44 PM R S 236666 C:\WINDOWS\SYSTEM32\enl2l13o1.dll
ad-w-a-r-e.com 11/10/2005 11:09:44 PM R S 236666 C:\WINDOWS\SYSTEM32\enl2l13o1.dll
69.59.186.63 9/4/2005 2:54:16 PM 133632 C:\WINDOWS\SYSTEM32\feffl.dll
209.66.67.134 9/4/2005 2:54:16 PM 133632 C:\WINDOWS\SYSTEM32\feffl.dll
web-nex 9/4/2005 2:54:16 PM 133632 C:\WINDOWS\SYSTEM32\feffl.dll
winsync 9/4/2005 2:54:16 PM 133632 C:\WINDOWS\SYSTEM32\feffl.dll
WinShutDown 11/6/2005 6:33:36 PM R S 234122 C:\WINDOWS\SYSTEM32\fp4o03h3e.dll
ad-w-a-r-e.com 11/6/2005 6:33:36 PM R S 234122 C:\WINDOWS\SYSTEM32\fp4o03h3e.dll
WinShutDown 11/10/2005 2:00:10 PM R S 236265 C:\WINDOWS\SYSTEM32\fpn6035se.dll
ad-w-a-r-e.com 11/10/2005 2:00:10 PM R S 236265 C:\WINDOWS\SYSTEM32\fpn6035se.dll
WinShutDown 11/6/2005 3:31:56 PM R S 237157 C:\WINDOWS\SYSTEM32\g4lmle311h.dll
ad-w-a-r-e.com 11/6/2005 3:31:56 PM R S 237157 C:\WINDOWS\SYSTEM32\g4lmle311h.dll
UPX! 11/15/2005 3:19:04 PM 33792 C:\WINDOWS\SYSTEM32\gkcielq.exe
WinShutDown 11/15/2005 8:29:58 PM R S 235712 C:\WINDOWS\SYSTEM32\guard.tmp
ad-w-a-r-e.com 11/15/2005 8:29:58 PM R S 235712 C:\WINDOWS\SYSTEM32\guard.tmp
SAHAgent 7/19/2005 9:35:18 AM 36 C:\WINDOWS\SYSTEM32\hmw8eo1vp.ini
WinShutDown 11/13/2005 11:01:16 PM R S 236454 C:\WINDOWS\SYSTEM32\hrjm0511e.dll
ad-w-a-r-e.com 11/13/2005 11:01:16 PM R S 236454 C:\WINDOWS\SYSTEM32\hrjm0511e.dll
WinShutDown 11/10/2005 2:03:00 PM R S 237221 C:\WINDOWS\SYSTEM32\hrn2055oe.dll
ad-w-a-r-e.com 11/10/2005 2:03:00 PM R S 237221 C:\WINDOWS\SYSTEM32\hrn2055oe.dll
UPX! 8/30/2005 9:31:26 AM 68096 C:\WINDOWS\SYSTEM32\htt16g.exe
WinShutDown 11/3/2005 3:08:06 PM R S 234518 C:\WINDOWS\SYSTEM32\i6420ghoe64c0.dll
ad-w-a-r-e.com 11/3/2005 3:08:06 PM R S 234518 C:\WINDOWS\SYSTEM32\i6420ghoe64c0.dll
69.59.186.63 9/4/2005 2:54:16 PM 180736 C:\WINDOWS\SYSTEM32\iriiorr.dll
209.66.67.134 9/4/2005 2:54:16 PM 180736 C:\WINDOWS\SYSTEM32\iriiorr.dll
web-nex 9/4/2005 2:54:16 PM 180736 C:\WINDOWS\SYSTEM32\iriiorr.dll
winsync 9/4/2005 2:54:16 PM 180736 C:\WINDOWS\SYSTEM32\iriiorr.dll
aspack 9/23/2005 7:51:10 PM 34304 C:\WINDOWS\SYSTEM32\jjqxptu.exe
WinShutDown 11/4/2005 5:47:48 PM R S 235763 C:\WINDOWS\SYSTEM32\jt2u07f9e.dll
ad-w-a-r-e.com 11/4/2005 5:47:48 PM R S 235763 C:\WINDOWS\SYSTEM32\jt2u07f9e.dll
WinShutDown 11/5/2005 11:47:44 PM R S 234836 C:\WINDOWS\SYSTEM32\k4pmle711h.dll
ad-w-a-r-e.com 11/5/2005 11:47:44 PM R S 234836 C:\WINDOWS\SYSTEM32\k4pmle711h.dll
WinShutDown 11/10/2005 11:20:44 AM R S 236250 C:\WINDOWS\SYSTEM32\k8lq0i35e8.dll
ad-w-a-r-e.com 11/10/2005 11:20:44 AM R S 236250 C:\WINDOWS\SYSTEM32\k8lq0i35e8.dll
PTech 8/3/2005 9:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 11/14/2005 3:23:04 PM 168484 C:\WINDOWS\SYSTEM32\mc-110-12-0000122.exe
WinShutDown 11/14/2005 6:27:42 AM R S 235712 C:\WINDOWS\SYSTEM32\mjratelc.dll
ad-w-a-r-e.com 11/14/2005 6:27:42 AM R S 235712 C:\WINDOWS\SYSTEM32\mjratelc.dll
WinShutDown 11/15/2005 3:11:58 PM R S 235712 C:\WINDOWS\SYSTEM32\mqrd3x40.dll
ad-w-a-r-e.com 11/15/2005 3:11:58 PM R S 235712 C:\WINDOWS\SYSTEM32\mqrd3x40.dll
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 8/30/2005 8:28:36 AM 68096 C:\WINDOWS\SYSTEM32\msaclt.exe
UPX! 9/19/2005 7:07:40 PM 25105 C:\WINDOWS\SYSTEM32\MTE2ODI6ODoxNg.exe
WinShutDown 11/7/2005 3:54:38 PM R S 234122 C:\WINDOWS\SYSTEM32\mv0sl9d71.dll
ad-w-a-r-e.com 11/7/2005 3:54:38 PM R S 234122 C:\WINDOWS\SYSTEM32\mv0sl9d71.dll
WinShutDown 11/6/2005 4:41:34 PM R S 234504 C:\WINDOWS\SYSTEM32\n28o0cl3efq.dll
ad-w-a-r-e.com 11/6/2005 4:41:34 PM R S 234504 C:\WINDOWS\SYSTEM32\n28o0cl3efq.dll
WinShutDown 11/10/2005 1:53:40 PM R S 235712 C:\WINDOWS\SYSTEM32\n2n6lc5s1f.dll
ad-w-a-r-e.com 11/10/2005 1:53:40 PM R S 235712 C:\WINDOWS\SYSTEM32\n2n6lc5s1f.dll
WinShutDown 11/8/2005 10:52:10 PM R S 234779 C:\WINDOWS\SYSTEM32\n8r2li9o18.dll
ad-w-a-r-e.com 11/8/2005 10:52:10 PM R S 234779 C:\WINDOWS\SYSTEM32\n8r2li9o18.dll
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
WinShutDown 11/15/2005 3:11:58 PM R S 236552 C:\WINDOWS\SYSTEM32\o0480ahued480.dll
ad-w-a-r-e.com 11/15/2005 3:11:58 PM R S 236552 C:\WINDOWS\SYSTEM32\o0480ahued480.dll
WinShutDown 11/11/2005 8:30:20 AM R S 236174 C:\WINDOWS\SYSTEM32\p4n80e5ueh.dll
ad-w-a-r-e.com 11/11/2005 8:30:20 AM R S 236174 C:\WINDOWS\SYSTEM32\p4n80e5ueh.dll
WinShutDown 11/6/2005 12:03:32 AM R S 235586 C:\WINDOWS\SYSTEM32\pplstore.dll
ad-w-a-r-e.com 11/6/2005 12:03:32 AM R S 235586 C:\WINDOWS\SYSTEM32\pplstore.dll
UPX! 10/2/2005 3:07:58 PM 134144 C:\WINDOWS\SYSTEM32\pre.exe
UPX! 8/30/2005 11:28:02 AM 68096 C:\WINDOWS\SYSTEM32\psbplo.exe
WinShutDown 11/8/2005 7:28:14 PM R S 234779 C:\WINDOWS\SYSTEM32\pWqsp.dll
ad-w-a-r-e.com 11/8/2005 7:28:14 PM R S 234779 C:\WINDOWS\SYSTEM32\pWqsp.dll
UPX! 11/15/2005 8:39:54 PM 149504 C:\WINDOWS\SYSTEM32\quaj.exe
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 11/6/2005 12:55:48 AM R S 236835 C:\WINDOWS\SYSTEM32\sdrmdll.dll
ad-w-a-r-e.com 11/6/2005 12:55:48 AM R S 236835 C:\WINDOWS\SYSTEM32\sdrmdll.dll
WinShutDown 11/2/2005 9:58:54 PM R S 235256 C:\WINDOWS\SYSTEM32\t48u0el9ehq.dll
ad-w-a-r-e.com 11/2/2005 9:58:54 PM R S 235256 C:\WINDOWS\SYSTEM32\t48u0el9ehq.dll
WinShutDown 11/13/2005 11:54:06 AM R S 235712 C:\WINDOWS\SYSTEM32\u8ruli9918.dll
ad-w-a-r-e.com 11/13/2005 11:54:06 AM R S 235712 C:\WINDOWS\SYSTEM32\u8ruli9918.dll
SAHAgent 7/19/2005 9:35:18 AM 36 C:\WINDOWS\SYSTEM32\ued5amx7i.ini
winsync 9/3/2002 12:10:48 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 11/15/2005 3:19:12 PM 33792 C:\WINDOWS\SYSTEM32\whiexk.exe
UPX! 9/16/2005 4:19:52 PM 68096 C:\WINDOWS\SYSTEM32\wing4c.exe
WinShutDown 11/6/2005 11:31:12 AM R S 234122 C:\WINDOWS\SYSTEM32\wkigest.dll
ad-w-a-r-e.com 11/6/2005 11:31:12 AM R S 234122 C:\WINDOWS\SYSTEM32\wkigest.dll
69.59.186.63 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
209.66.67.134 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.97 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.77 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
web-nex 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
winsync 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
rec2_run 11/1/2005 7:11:24 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/16/2005 4:05:34 PM S 2048 C:\WINDOWS\bootstat.dat
10/11/2005 7:03:48 PM H 24 C:\WINDOWS\ptYpH
11/10/2005 11:20:44 AM R S 235712 C:\WINDOWS\system32\dtrgui.dll
11/11/2005 8:30:14 AM R S 235712 C:\WINDOWS\system32\dtsapi.dll
11/10/2005 11:09:44 PM R S 236666 C:\WINDOWS\system32\enl2l13o1.dll
11/6/2005 6:33:36 PM R S 234122 C:\WINDOWS\system32\fp4o03h3e.dll
11/10/2005 2:00:10 PM R S 236265 C:\WINDOWS\system32\fpn6035se.dll
11/6/2005 3:31:56 PM R S 237157 C:\WINDOWS\system32\g4lmle311h.dll
11/15/2005 8:29:58 PM R S 235712 C:\WINDOWS\system32\guard.tmp
11/13/2005 11:01:16 PM R S 236454 C:\WINDOWS\system32\hrjm0511e.dll
11/10/2005 2:03:00 PM R S 237221 C:\WINDOWS\system32\hrn2055oe.dll
11/3/2005 3:08:06 PM R S 234518 C:\WINDOWS\system32\i6420ghoe64c0.dll
11/4/2005 5:47:48 PM R S 235763 C:\WINDOWS\system32\jt2u07f9e.dll
11/5/2005 11:47:44 PM R S 234836 C:\WINDOWS\system32\k4pmle711h.dll
11/10/2005 11:20:44 AM R S 236250 C:\WINDOWS\system32\k8lq0i35e8.dll
11/14/2005 6:27:42 AM R S 235712 C:\WINDOWS\system32\mjratelc.dll
11/15/2005 3:11:58 PM R S 235712 C:\WINDOWS\system32\mqrd3x40.dll
11/7/2005 3:54:38 PM R S 234122 C:\WINDOWS\system32\mv0sl9d71.dll
11/6/2005 4:41:34 PM R S 234504 C:\WINDOWS\system32\n28o0cl3efq.dll
11/10/2005 1:53:40 PM R S 235712 C:\WINDOWS\system32\n2n6lc5s1f.dll
11/8/2005 10:52:10 PM R S 234779 C:\WINDOWS\system32\n8r2li9o18.dll
11/15/2005 3:11:58 PM R S 236552 C:\WINDOWS\system32\o0480ahued480.dll
11/11/2005 8:30:20 AM R S 236174 C:\WINDOWS\system32\p4n80e5ueh.dll
11/6/2005 12:03:32 AM R S 235586 C:\WINDOWS\system32\pplstore.dll
11/8/2005 7:28:14 PM R S 234779 C:\WINDOWS\system32\pWqsp.dll
11/6/2005 12:55:48 AM R S 236835 C:\WINDOWS\system32\sdrmdll.dll
11/2/2005 9:58:54 PM R S 235256 C:\WINDOWS\system32\t48u0el9ehq.dll
11/13/2005 11:54:06 AM R S 235712 C:\WINDOWS\system32\u8ruli9918.dll
11/6/2005 11:31:12 AM R S 234122 C:\WINDOWS\system32\wkigest.dll
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/16/2005 4:04:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT
11/5/2005 9:34:24 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
11/15/2005 3:02:32 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini
11/15/2005 3:02:32 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GXEVCH6N\desktop.ini
11/15/2005 3:02:32 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KPUFOTUZ\desktop.ini
11/15/2005 3:02:32 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\W92JSPIJ\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Creative Technology Ltd. 3/30/2001 1:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Creative Technology Ltd. 2/21/2002 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 8:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Texas Instruments Incorporated 7/9/2004 9:29:08 PM 32768 C:\WINDOWS\SYSTEM32\TIControlPanel.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
10/31/2005 10:49:02 PM 31744 C:\WINDOWS\SYSTEM32\vgactl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/1/2004 6:50:36 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
6/14/2005 3:27:52 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/1/2004 2:41:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/26/2005 9:20:52 PM 10 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
10/2/2005 5:40:40 PM 11 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
6/14/2005 3:32:36 PM 733 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/1/2004 6:50:36 PM HS 84 C:\Documents and Settings\Geet Bhatt\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/1/2004 2:41:14 PM HS 62 C:\Documents and Settings\Geet Bhatt\Application Data\desktop.ini
11/7/2005 6:10:28 PM 46976 C:\Documents and Settings\Geet Bhatt\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{47C34B9E-FA94-4FBD-A6E5-706970A7E0A2} = C:\WINDOWS\system32\mjiseq.dll
{6FE9017C-7FCF-4CCD-9603-8E4C309A7FF1} = C:\WINDOWS\system32\pddx5032.dll
{8A7B74FA-92EE-4ACF-94BB-87764AAAB94A} = C:\WINDOWS\system32\mjjet35.dll
{2E6A998E-C1B1-40BC-8EB3-330370267F31} = C:\WINDOWS\system32\mtwmdmsp.dll
{DB47102E-87C4-44A2-BA68-FB40EE3822AA} = C:\WINDOWS\system32\kddtat.dll
{D0E0F69B-D9CF-4450-942E-16E1540F72F1} = C:\WINDOWS\system32\mdhtmler.dll
{343697AA-52DD-4D10-8138-B69A668CB4E7} = C:\WINDOWS\system32\rbgsvc.dll
{69280650-C484-4A07-978D-7F9E2A558150} = C:\WINDOWS\system32\mnpmsp.dll
{74853CA4-9C69-4324-8876-A209C6E7A136} = C:\WINDOWS\system32\sampsnap.dll
{0F1392A8-FCDE-49F1-95A7-C75F759CADFE} = C:\WINDOWS\system32\tmpmonui.dll
{11DFF443-AC89-4EF8-A8C2-C43E030F6CAB} = C:\WINDOWS\system32\dqvvox.dll
{0B18DC5F-86A0-4BAC-8E86-8F1576F3BEED} = C:\WINDOWS\system32\dfsetup.dll
{59A2DDCD-E854-4240-A206-0D236E5389D5} = C:\WINDOWS\system32\ipsutil.dll
{BE1A505C-343B-4330-9CFE-1C05A0F84F43} = C:\WINDOWS\system32\cortcli.dll
{976DCE11-5BC3-4E1F-91DF-FDC2E92D80EF} = C:\WINDOWS\system32\jqmd400.dll
{4A4634E0-CC46-42C8-96A7-DEC0A604D353} = C:\WINDOWS\system32\mbexcl35.dll
{8EAD56E1-D4AA-4BD6-9DCC-B2CC7DF591D1} = C:\WINDOWS\system32\ikencode.dll
{2C2C6A42-650C-4819-81B3-781C81F25FA7} = C:\WINDOWS\system32\dxmstor.dll
{7A4056F6-A7BD-408D-A5EA-855CD614ECD6} = C:\WINDOWS\system32\nstmsg.dll
{C5D09F81-B7E0-401B-8717-7A346BD9EA67} = C:\WINDOWS\system32\qogrprxy.dll
{0259DDD8-43D9-4592-9335-77FEEEDF35AA} = C:\WINDOWS\system32\igaksie.dll
{841640B7-F931-4BD9-B6C6-F0BDA7D3D968} = C:\WINDOWS\system32\disenh.dll
{B0C0B72C-0AAF-437E-A11D-2E8811D2EB4A} = C:\WINDOWS\system32\kedblr.dll
{C97A3CC1-36DE-4D0E-89AE-36BA2B99D36E} = C:\WINDOWS\system32\acrsvc.dll
{A3BD0D14-99CD-4287-A1E1-23514EA4C7B7} = C:\WINDOWS\system32\mporc32r.dll
{E766F45B-C197-45A6-AE6C-E3FDBFA268E3} = C:\WINDOWS\system32\mitlsapi.dll
{0E655FA1-1F2B-47DB-A3C8-0538B2B41CF5} = C:\WINDOWS\system32\whsdmoe2.dll
{D2AE5D5C-81F7-48A7-864D-A8CB2D22963C} =
{FB49A882-FD42-428F-886B-DB64A2A24DE3} =
{B4BC1C09-EE2E-44AE-AF9F-3A7A36C7B2D2} = C:\WINDOWS\system32\dacpsapi.dll
{A101F39C-34EE-4BBF-91AD-5FADEAB57B67} = C:\WINDOWS\system32\elcdec.dll
{A058F102-7EAA-4587-856D-B9B4B95EBD06} = C:\WINDOWS\system32\phrfos.dll
{4FE4682D-4192-4962-8899-34C3FCDBBAA7} = C:\WINDOWS\system32\me43dmod.dll
{55FF6AE2-DCCB-43FD-AEB9-6FB9E7F112CC} =
{1BB4C302-7738-49BC-BF8B-F4CFB6D68C76} = C:\WINDOWS\system32\gClmle311h.dll
{10EC2E23-15AF-40A1-9077-23DA27E37B7A} =
{3572C617-EF88-4E59-BCC5-20718B6367AB} =
{D4369F2C-B414-468A-8A33-22EC9697C703} =
{B44463E4-3BEC-426B-861C-0DEB637834E7} =
{DF7FDD31-DF9A-4FAF-8CDE-0A4C47F8639D} =
{75EADC79-ECF6-4D54-ACF1-A38703EEBBFF} =
{59EEF0C1-8C38-4780-8F15-58FFE48B3D68} = C:\WINDOWS\system32\tzolhelp.dll
{1D1B1623-6382-46B2-A54F-AEE8B63695AA} = C:\WINDOWS\system32\wkigest.dll
{D37458ED-187B-41BC-B1EB-618445A19689} = C:\WINDOWS\system32\dtrgui.dll
{8904F2B0-A24A-47E1-8E8B-1E2D0BB253E9} = C:\WINDOWS\system32\dtsapi.dll
{59B0DFFC-862C-41FD-8461-13568F9C8C19} = C:\WINDOWS\system32\mjratelc.dll
{BA4D0AAC-D89E-4FB6-A5D6-3E5A92840413} = C:\WINDOWS\system32\mqrd3x40.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{3EA5C408-2437-4c40-ADAC-DFDA9AEEEA96}
ActiveShopper SideBar = SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{3EA5C408-2437-4C40-ADAC-DFDA9AEEEA96}
ActiveShopper SideBar = SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
wgapcr C:\WINDOWS\system32\yaojhxg.exe r
TotalRecorderScheduler "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
NAV CfgWiz C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
F-Secure TNB "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
F-Secure Manager "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
diagent "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
cfgmgr52 RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
ccRegVfy C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
Controlled Resource System Service crss.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun _
AllowLegacyWebView 1
AllowUnhashedWebView 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
wiasld C:\WINDOWS\system32\wiasld.exe
cfgpgr C:\WINDOWS\system32\cfgpgr.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/16/2005 4:23:59 PM


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"wgapcr"="C:\\WINDOWS\\system32\\yaojhxg.exe r"
"TotalRecorderScheduler"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"cfgmgr52"="RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- avast
{472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
hpoddt01.exe.lnk
==============================
C:\Documents and Settings\Geet Bhatt\Start Menu\Programs\Startup

desktop.ini
hpoddt01.exe.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
CTDetect.cpl Creative Technology Ltd.
CTDevCtrl.cpl Creative Technology Ltd.
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
TIControlPanel.cpl Texas Instruments Incorporated
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 19:24:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150448
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 78637
Number of viruses found: 46
Number of infected objects: 662
Number of suspicious objects: 0
Duration of the scan process: 3405 sec

Infected Object Name - Virus Name
C:\!KillBox\actx1.exe Infected: Trojan-Clicker.Win32.VB.is
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06980000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08180000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08180001.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600000.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600001.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B640000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C180000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C180001.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C180002.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900004.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900005.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900006.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900007.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900008.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900009.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000A.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000B.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000C.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000D.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000E.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90000F.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900010.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900011.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900012.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900013.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900014.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900015.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900016.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900017.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900018.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900019.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001A.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001B.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001C.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001D.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001E.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90001F.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900020.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900021.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900022.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900023.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900024.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900025.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900026.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900027.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900028.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900029.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002A.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002B.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002C.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002D.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002E.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90002F.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900030.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900031.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900032.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900033.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900034.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900035.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900036.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900037.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900038.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E900039.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003A.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003B.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003C.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003D.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003E.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E90003F.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate E
  • 0

#10
teegttahb725

teegttahb725

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey again

Sorry, I forgot to attach the HJT log.

Here it is

3:45 PM 11/17/2005
Logfile of HijackThis v1.99.1
Scan saved at 3:45:27 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 204.127.129.4 12.102.244.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)
  • 0

#11
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, teegttahb725.

You will need to print these instructions out or save them in notepad for use in Safe Mode. It may help if you also familiarize yourself with them first.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Then reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in safe mode please open Hijackthis, scan, and place a checkmark by the following entries:

O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe
O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)


Close all open windows/browsers and click Fix Checked.

Please go to Start > Search > For Files or Folders and search for crss.exe. Make sure it is set to search hidden files and folders. Please post back the locations found.

1) Then please run Killbox.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\icont.exe
C:\WINDOWS\io2uns.exe
C:\WINDOWS\setupapi.log
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\system32\yaojhxg.exe
C:\WINDOWS\SYSTEM32\2bundle.exe
C:\WINDOWS\SYSTEM32\a675e1ucu.ini
C:\WINDOWS\SYSTEM32\cfgpgr.exe
C:\WINDOWS\SYSTEM32\cluvie.exe
C:\WINDOWS\SYSTEM32\cordsa.exe
C:\WINDOWS\SYSTEM32\dtrgui.dll
C:\WINDOWS\SYSTEM32\dtsapi.dll
C:\WINDOWS\SYSTEM32\Dwapilib.tlb
C:\WINDOWS\SYSTEM32\enl2l13o1.dll
C:\WINDOWS\SYSTEM32\feffl.dll
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\SYSTEM32\fp4o03h3e.dll
C:\WINDOWS\SYSTEM32\fpn6035se.dll
C:\WINDOWS\SYSTEM32\g4lmle311h.dll
C:\WINDOWS\SYSTEM32\gkcielq.exe
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\hmw8eo1vp.ini
C:\WINDOWS\SYSTEM32\hrjm0511e.dll
C:\WINDOWS\SYSTEM32\hrn2055oe.dll
C:\WINDOWS\SYSTEM32\htt16g.exe
C:\WINDOWS\SYSTEM32\i6420ghoe64c0.dll
C:\WINDOWS\SYSTEM32\iriiorr.dll
C:\WINDOWS\SYSTEM32\jjqxptu.exe
C:\WINDOWS\SYSTEM32\k4pmle711h.dll
C:\WINDOWS\SYSTEM32\k8lq0i35e8.dll
C:\WINDOWS\SYSTEM32\mc-110-12-0000122.exe
C:\WINDOWS\SYSTEM32\mjratelc.dll
C:\WINDOWS\SYSTEM32\mqrd3x40.dll
C:\WINDOWS\SYSTEM32\msaclt.exe
C:\WINDOWS\SYSTEM32\MTE2ODI6ODoxNg.exe
C:\WINDOWS\SYSTEM32\mv0sl9d71.dll
C:\WINDOWS\SYSTEM32\n28o0cl3efq.dll
C:\WINDOWS\SYSTEM32\n2n6lc5s1f.dll
C:\WINDOWS\SYSTEM32\n8r2li9o18.dll
C:\WINDOWS\SYSTEM32\o0480ahued480.dll
C:\WINDOWS\SYSTEM32\p4n80e5ueh.dll
C:\WINDOWS\SYSTEM32\pplstore.dll
C:\WINDOWS\SYSTEM32\psbplo.exe
C:\WINDOWS\SYSTEM32\pWqsp.dll
C:\WINDOWS\SYSTEM32\quaj.exe
C:\WINDOWS\SYSTEM32\sdrmdll.dll
C:\WINDOWS\SYSTEM32\t48u0el9ehq.dll
C:\WINDOWS\SYSTEM32\u8ruli9918.dll
C:\WINDOWS\SYSTEM32\ued5amx7i.ini
C:\WINDOWS\SYSTEM32\whiexk.exe
C:\WINDOWS\SYSTEM32\wing4c.exe
C:\WINDOWS\SYSTEM32\wkigest.dll
C:\WINDOWS\SYSTEM32\wuauclt.dll
C:\WINDOWS\system32\enl2l13o1.dll
C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\fpn6035se.dll
C:\WINDOWS\system32\g4lmle311h.dll
C:\WINDOWS\system32\hrjm0511e.dll
C:\WINDOWS\system32\hrn2055oe.dll
C:\WINDOWS\system32\i6420ghoe64c0.dll
C:\WINDOWS\system32\jt2u07f9e.dll
C:\WINDOWS\system32\k4pmle711h.dll
C:\WINDOWS\system32\k8lq0i35e8.dll
C:\WINDOWS\system32\mjratelc.dll
C:\WINDOWS\system32\mqrd3x40.dll
C:\WINDOWS\system32\mv0sl9d71.dll
C:\WINDOWS\system32\n28o0cl3efq.dll
C:\WINDOWS\system32\n2n6lc5s1f.dll
C:\WINDOWS\system32\o0480ahued480.dll
C:\WINDOWS\system32\p4n80e5ueh.dll
C:\WINDOWS\system32\pplstore.dll
C:\WINDOWS\system32\pWqsp.dll
C:\WINDOWS\system32\sdrmdll.dll
C:\WINDOWS\system32\t48u0el9ehq.dll
C:\WINDOWS\system32\u8ruli9918.dll
C:\WINDOWS\system32\wkigest.dll
C:\WINDOWS\SYSTEM32\vgactl.cpl
C:\WINDOWS\system32\mjiseq.dll
C:\WINDOWS\system32\pddx5032.dll
C:\WINDOWS\system32\mjjet35.dll
C:\WINDOWS\system32\mtwmdmsp.dll
C:\WINDOWS\system32\kddtat.dll
C:\WINDOWS\system32\mdhtmler.dll
C:\WINDOWS\system32\rbgsvc.dll
C:\WINDOWS\system32\mnpmsp.dll
C:\WINDOWS\system32\sampsnap.dll
C:\WINDOWS\system32\tmpmonui.dll
C:\WINDOWS\system32\dqvvox.dll
C:\WINDOWS\system32\dfsetup.dll
C:\WINDOWS\system32\ipsutil.dll
C:\WINDOWS\system32\cortcli.dll
C:\WINDOWS\system32\jqmd400.dll
C:\WINDOWS\system32\mbexcl35.dll
C:\WINDOWS\system32\ikencode.dll
C:\WINDOWS\system32\dxmstor.dll
C:\WINDOWS\system32\nstmsg.dll
C:\WINDOWS\system32\qogrprxy.dll
C:\WINDOWS\system32\igaksie.dll
C:\WINDOWS\system32\disenh.dll
C:\WINDOWS\system32\kedblr.dll
C:\WINDOWS\system32\acrsvc.dll
C:\WINDOWS\system32\mporc32r.dll
C:\WINDOWS\system32\mitlsapi.dll
C:\WINDOWS\system32\whsdmoe2.dll
C:\WINDOWS\system32\dacpsapi.dll
C:\WINDOWS\system32\elcdec.dll
C:\WINDOWS\system32\phrfos.dll
C:\WINDOWS\system32\me43dmod.dll
C:\WINDOWS\system32\gClmle311h.dll
C:\WINDOWS\system32\tzolhelp.dll
C:\WINDOWS\system32\wkigest.dll
C:\WINDOWS\system32\dtrgui.dll
C:\WINDOWS\system32\dtsapi.dll
C:\WINDOWS\system32\mjratelc.dll
C:\WINDOWS\system32\mqrd3x40.dll
C:\WINDOWS\ptYpH


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Once in normal mode again please run a scan with SpySweeper.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Please post a new Hijackthis log, the SpySweeper log, the WinPFind log, and the Track qoo log.
  • 0
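The choice of which O4/O23 entries to fix in the post above follows a few recognisable rules (no install directory at all, an unfamiliar image in the Windows directory, an unowned or missing service). As an added example, not code from this thread, from HijackThis or from Geeks to Go, the script below encodes those rules and runs them over lines constructed from the logs posted here; the allowlist, rule names and severities are assumptions of the example.

```python
# Added triage heuristics for HijackThis log lines (example code, not HJT's).
import re
from typing import Dict, List

# Entry types handled: O4 (Run keys), O20 (Winlogon Notify), O23 (services).
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^-]+) - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")

# Launched image from a command: optional leading quote, optional rundll32
# host (the DLL is the interesting image), stop at the extension so trailing
# arguments and HJT's "(file missing)" marker are left behind.
IMAGE_RE = re.compile(
    r'^"?(?:rundll32(?:\.exe)?\s+)?(?P<img>(?:[A-Za-z]:\\)?[^",]*?\.(?:exe|dll|cpl|ocx))',
    re.IGNORECASE,
)
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows(\\system32)?\\", re.IGNORECASE)

# Assumption: a constructed, deliberately short allowlist of images that are
# expected to autostart out of the Windows directory on this XP box.
KNOWN_WINDIR_AUTOSTART = {"ctfmon.exe", "nvcpl.dll"}

# Constructed sample: lines from the logs posted in this thread, benign
# neighbours included so the rules have something to leave alone.
SAMPLE_HJT_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [wgapcr] C:\WINDOWS\system32\yaojhxg.exe r',
    r'O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [Controlled Resource System Service] crss.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)',
    r'O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe',
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r'O23 - Service: greenstdsystem32 - Unknown owner - C:\WINDOWS\system32\greenstd.exe (file missing)',
    r'O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)',
])


def image_of(command: str) -> str:
    """Launched image path (or bare filename) from an O4/O23 command string."""
    m = IMAGE_RE.match(command.strip())
    return m.group("img") if m else ""


def in_windir(path: str) -> bool:
    return bool(WINDIR_RE.match(path))


def triage_line(line: str) -> List[Dict[str, str]]:
    """Apply the rules to one HJT line; returns zero or more findings."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, severity: str) -> None:
        findings.append({"line": line, "rule": rule, "severity": severity})

    m = O4_RE.match(line)
    if m:
        img = image_of(m.group("cmd"))
        if img and "\\" not in img:
            # crss.exe: no directory at all, so it is resolved through the
            # PATH search order; real installers write the full path.
            flag("bare-filename-autostart", "high")
        elif in_windir(img) and img.rsplit("\\", 1)[-1].lower() not in KNOWN_WINDIR_AUTOSTART:
            # yaojhxg.exe / cfgmgr52.dll: unfamiliar image dropped into %WINDIR%.
            flag("unknown-image-in-windir", "high")
        return findings

    m = O20_RE.match(line)
    if m and "(file missing)" in m.group("target"):
        # Winlogon notify DLL that no longer exists: a leftover to clean up,
        # and the slot is worth watching because it loads at every logon.
        flag("dangling-winlogon-notify", "review")
        return findings

    m = O23_RE.match(line)
    if m:
        target = m.group("target")
        odd = "(file missing)" in target or m.group("owner").strip().lower() == "unknown owner"
        if odd and in_windir(image_of(target)):
            # greenstd.exe / videosd32.exe: unowned service with a system-ish
            # name whose image sits under the Windows directory.
            flag("unowned-or-missing-service-in-windir", "high")
        elif odd:
            # The avast lines carry the same markers, but only because HJT
            # tripped over the stray quote; the image lives under the product's
            # own install directory, so they get a review, not a fix.
            flag("service-flags-outside-windir", "review")
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage over a whole log; findings keep the log's line order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line.rstrip()))
    return findings
```

Calling triage(SAMPLE_HJT_LOG) returns the five entries the helper listed for fixing as "high" and the avast and WRNotifier lines as "review", which is the distinction a raw "(file missing)" grep would miss.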

#12
teegttahb725

teegttahb725

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey Buddy

My computer is actually getting worse.
The popups are gone, but my computer is tremendously slower.
Spysweeper will not download because it says my time has expired,
and every time I try WinPFind, my comp freezes and then shuts down saying IRQL not less than or equal to.
What should I do?

Here is my HJT log


Logfile of HijackThis v1.99.1
Scan saved at 1:28:12 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2764014-E367-4B64-90D4-5F13EF3B2E55}: NameServer = 204.127.129.3 12.102.244.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)

#13 teegttahb725 (New Member, Topic Starter, 8 posts)
Sorry, I forgot to attach my trackqoo file

here it is:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"TotalRecorderScheduler"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- avast
{472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
hpoddt01.exe.lnk
==============================
C:\Documents and Settings\Geet Bhatt\Start Menu\Programs\Startup

desktop.ini
hpoddt01.exe.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
CTDetect.cpl Creative Technology Ltd.
CTDevCtrl.cpl Creative Technology Ltd.
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
TIControlPanel.cpl Texas Instruments Incorporated
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#14 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, teegttahb725.

It looks like you have 2 anti-viruses; this could definitely be one reason for the massive slowdown. More than one is a huge no-no; they always attack each other.

Please uninstall one.

Also, SpySweeper is still showing in your log, please make sure to uninstall the expired version.

Then post a fresh Hijackthis log for analysis.
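The check the reply above makes by eye (more than one resident anti-virus, plus leftover entries pointing at files that no longer exist) can be scripted. The following is an added example and is not part of this thread, of HijackThis, or of any tool posted here. It parses HijackThis-style lines, groups O4/O23 entries by anti-virus vendor keyword, and lists "(file missing)" and unknown-owner entries. The vendor keyword table is a constructed assumption (a real list would be far longer), and the sample input is a handful of lines copied from the log posted above so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the HijackThis log posted
# in this thread, embedded here so the example runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32 Configuration (Windows Manage) - Unknown owner - C:\WINDOWS\System32\videosd32.exe" -netsvcs (file missing)
"""

# Assumption (not from the page): a small keyword table mapping log text to
# anti-virus vendors. A real triage table would be much longer.
AV_VENDORS = {
    "Symantec/Norton": ("symantec", "norton"),
    "avast! (Alwil)": ("avast", "alwil"),
    "F-Secure": ("f-secure",),
}

# Every HijackThis line starts with a section tag such as R0, F2, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return (section, body) tuples for each HijackThis-style line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_av_vendors(entries):
    """Map each vendor to the O4/O23 entries mentioning it.

    More than one key in the result means more than one resident scanner is
    installed, which is the situation the reply above warns about.
    """
    hits = defaultdict(list)
    for section, body in entries:
        if section not in ("O4", "O23"):
            continue
        lowered = body.lower()
        for vendor, keywords in AV_VENDORS.items():
            if any(k in lowered for k in keywords):
                hits[vendor].append(body)
    return dict(hits)


def missing_file_entries(entries):
    """Entries whose target is gone from disk: leftovers of an uninstalled
    product or of a cleaned infection. Clutter at best, so worth removing."""
    return [(s, b) for s, b in entries if b.endswith("(file missing)")]


def unknown_owner_services(entries):
    """O23 services with no vendor string. Not suspicious by itself (avast!
    appears this way), but a generic name plus a missing file deserves a look."""
    return [b for s, b in entries if s == "O23" and "Unknown owner" in b]


def triage(text):
    """Run all three checks over a log and return the findings as a dict."""
    entries = parse_log(text)
    return {
        "vendors": find_av_vendors(entries),
        "missing": missing_file_entries(entries),
        "unknown_owner": unknown_owner_services(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    if len(report["vendors"]) > 1:
        print("Multiple anti-virus vendors present:",
              ", ".join(sorted(report["vendors"])))
    for section, body in report["missing"]:
        print(f"{section}: file missing -> {body}")
    for body in report["unknown_owner"]:
        print(f"O23 service with unknown owner -> {body}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the vendor table is the part to extend, since the keyword match is only as good as the names in it.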

#15 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.