I tried removing the backdoor.nibu using instructions from Symantec AV's site, but to no avail. Any help with this HiJackThis log would be much appreciated.
Thx,
Paul
Attached Files
-
hijackthis_log.txt 17.43KB
247 downloads
Backdoor.Nibu Problems (Win Xp Home) [CLOSED]
Started by
AlphaBITS
, Nov 15 2005 06:26 PM
-
This topic is locked
#1
Posted 15 November 2005 - 06:26 PM
AlphaBITS
-
- Member
-
- 4 posts
New Member
I tried removing the backdoor.nibu using instructions from Symantec AV's site, but to no avail. Any help with this HiJackThis log would be much appreciated.
Thx,
Paul
#2
Posted 18 November 2005 - 09:17 AM
infaddict
-
- Member
-
- 734 posts
Visiting Staff
Hi AlphaBITS and welcome to Geeks to Go 
.
My name is infaddict and I will be helping you with your problem. Please can you post back with a fresh HijackThis log as it is a while since your last log - the infections may have changed.
Note, please simply paste in your log in your reply, do not attach files.
Thanks
.My name is infaddict and I will be helping you with your problem. Please can you post back with a fresh HijackThis log as it is a while since your last log - the infections may have changed.
Note, please simply paste in your log in your reply, do not attach files.
Thanks
Edited by infaddict, 18 November 2005 - 09:17 AM.
#3
Posted 18 November 2005 - 09:27 AM
AlphaBITS
- Topic Starter
-
- Member
-
- 4 posts
New Member
infaddict, thank you. Here is the same log pasted directly instead of attached. It will not have changed, as the machine was disconnected and shut down just after generating the log.
Thanks again, look forward to hearing from you.
Paul
Logfile of HijackThis v1.99.1
Scan saved at 6:04:56 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winldra.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\start.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRA~1\PESTPA~1\ppclean.exe" "clean" "ts:20051115170247" "cws" "2"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
Thanks again, look forward to hearing from you.
Paul
Logfile of HijackThis v1.99.1
Scan saved at 6:04:56 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winldra.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\start.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRA~1\PESTPA~1\ppclean.exe" "clean" "ts:20051115170247" "cws" "2"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
#4
Posted 18 November 2005 - 05:55 PM
infaddict
-
- Member
-
- 734 posts
Visiting Staff
Hi AlphaBITS
You are infected with several nasty Trojans (including a keylogger) and also infections such as CoolWebSearch and Elite Tool Bar. You may also have a Haxdoor rootkit infection. In addition to this, your internet access is being routed through Kiev, Ukraine.
Don't worry though, together we can fix this - it will take several iterations and I urge you to follow my instructions carefully
Firstly though, I see you are running an Anti Virus product (Norton) which is good. However, it is not clear from your log if this includes a firewall. A firewall is an essential piece of software to prevent unauthorised internet access both to and from your computer. If you have the Norton firewall, please ensure it is turned on. If you do not, then you must install a good free firewall such as ZoneAlarm which I can highly recommend as I use it personally. Download and install it and then follow the tutorial. If any alerts popup for programs you do not recognise, deny them access to the internet.
Once you have the firewall installed, please restart your computer before proceeding.
Note that you have a keylogger infection which can record and send keystrokes including passwords and confidential bank information. Once you are clean (or from a clean computer), I strongly recommend you change all your online passwords, especially related to online banking.
Please print these instructions as you will not have access to the internet during parts of the fix. Please also save these instructions to Notepad (and save the file somewhere safe), as I will ask you to copy & paste from it during the fix
Preparation
1) Download CWShredder here to its own folder.
Update CWShredder
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
2) Download LQfix.exe from one of the following locations and save it to your desktop :
http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe
3) Download HSFix from here
After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
4) Download CleanUp! Install it, but do not run it yet.
5) Right click Here and select Save As to download DelDomains.inf. Please save the file somewhere you can find it like on the desktop.
6) Download the Killbox. Unzip it to the desktop but do NOT run it yet.
The Fix
1) Run LQFix :
(note : if your internet access should not be routed thru Kiev (e.g. you do not live in the Ukraine and your ISP is not in the Ukraine), please include the items in red, otherwise leave them out)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
3) Go to your desktop and right-click on the deldomains.inf file and select Install
4) Reboot into Safe Mode :
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
5) Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
6) Run HSFix :
8) Using Windows Explorer or My Computer please delete the following folders :
C:\WINDOWS\etb\
9) Search for the following files using Start -> Search and all files and folder. Ensure you are searching for hidden and system files and also searching subfolders (all within Advanced Options). When found, delete the file :
start.exe
10) Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
11) Restart your computer in Normal Mode
12) Run at least one of the following free, online virus scans. Note the scans may prompt to download and install an ActiveX control - this is ok, please allow it :
TrendMicro HouseCall
Panda ActiveScan
CA Scan
13) Restart your computer one last time
14) Please post back with the following information :
You are infected with several nasty Trojans (including a keylogger) and also infections such as CoolWebSearch and Elite Tool Bar. You may also have a Haxdoor rootkit infection. In addition to this, your internet access is being routed through Kiev, Ukraine.
Don't worry though, together we can fix this - it will take several iterations and I urge you to follow my instructions carefully
Firstly though, I see you are running an Anti Virus product (Norton) which is good. However, it is not clear from your log if this includes a firewall. A firewall is an essential piece of software to prevent unauthorised internet access both to and from your computer. If you have the Norton firewall, please ensure it is turned on. If you do not, then you must install a good free firewall such as ZoneAlarm which I can highly recommend as I use it personally. Download and install it and then follow the tutorial. If any alerts popup for programs you do not recognise, deny them access to the internet.
Once you have the firewall installed, please restart your computer before proceeding.
Note that you have a keylogger infection which can record and send keystrokes including passwords and confidential bank information. Once you are clean (or from a clean computer), I strongly recommend you change all your online passwords, especially related to online banking.
Please print these instructions as you will not have access to the internet during parts of the fix. Please also save these instructions to Notepad (and save the file somewhere safe), as I will ask you to copy & paste from it during the fix
Preparation
1) Download CWShredder here to its own folder.
Update CWShredder
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
2) Download LQfix.exe from one of the following locations and save it to your desktop :
http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe
3) Download HSFix from here
After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
4) Download CleanUp! Install it, but do not run it yet.
5) Right click Here and select Save As to download DelDomains.inf. Please save the file somewhere you can find it like on the desktop.
6) Download the Killbox. Unzip it to the desktop but do NOT run it yet.
The Fix
1) Run LQFix :
- Double-Click LQfix.exe and click Next > Next > Install.
- Leave the default settings, if you change them, the fix will Fail!
- You need an active Internet Connection, so make sure your you're not blocking any connection now.
- Now make sure the "Launch LQfix" box is checked.
- Click the Finish button, after clicking the Finish button the fix will start.
- Follow the on-screen prompts.
- Your system will reboot afterwards.
- Please be patient after the reboot, there is a script running in the background that needs to complete.
(note : if your internet access should not be routed thru Kiev (e.g. you do not live in the Ukraine and your ISP is not in the Ukraine), please include the items in red, otherwise leave them out)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
3) Go to your desktop and right-click on the deldomains.inf file and select Install
4) Reboot into Safe Mode :
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
5) Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
6) Run HSFix :
- Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
- A log will be produced which you can close out of.
- Select "Delete on Reboot".
- Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\adsldpbd.dll
C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
C:\WINDOWS\q167078.dll
C:\WINDOWS\svcproc.exe
C:\windows\system32\cm.exe
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\System32\msblank.html
C:\WINDOWS\System32\popcorn72.exe
C:\WINDOWS\System32\winldra.exe
- Return to Killbox, go to the File menu, and choose "Paste from Clipboard". It is vital that you see the first file (C:\WINDOWS\adsldpbd.dll) appear in the white text box - if this doesn't happen, you will have to copy and paste each file, one by one, into the text box and proceed with clicking the delete button as described below. Repeat for each and every file on the list, ignoring one's where KillBox says the file does not exist)
- Click the red-and-white "Delete File" button.
- Click "Yes" at the Delete on Reboot prompt.
- Click "No" at the Pending Operations prompt.
8) Using Windows Explorer or My Computer please delete the following folders :
C:\WINDOWS\etb\
9) Search for the following files using Start -> Search and all files and folder. Ensure you are searching for hidden and system files and also searching subfolders (all within Advanced Options). When found, delete the file :
start.exe
10) Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
11) Restart your computer in Normal Mode
12) Run at least one of the following free, online virus scans. Note the scans may prompt to download and install an ActiveX control - this is ok, please allow it :
TrendMicro HouseCall
Panda ActiveScan
CA Scan
13) Restart your computer one last time
14) Please post back with the following information :
- Fresh HijackThis log taken after following all of the above instructions
- The hsfix log located at C:\hslog.txt
- The results/log of the online virus scan(s)
#5
Posted 19 November 2005 - 08:18 AM
AlphaBITS
- Topic Starter
-
- Member
-
- 4 posts
New Member
Amazing! Thanks for your efforts. I have printed out this thread and will follow the instructions.
Re: firewalls, the customer had Norton Internet Security loaded on this machine, but I have removed it in an attempt to eliminate some of the problems. They are running DSL directly connected to their machine, no router.
In my own office, I use a router with a built-in firewall. I have no problems here other than some annoying spam email.
I will reply again when I've spent some time on this...
THANK YOU.
Paul
#6
Posted 29 November 2005 - 04:42 PM
infaddict
-
- Member
-
- 734 posts
Visiting Staff
Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
