Cannot open many windows files. help please



#1 pablo
Member, 12 posts
My desktop icons have been slightly re-arranged and I can't open 'My Computer' and other Windows files. I really don't know too much about all this so would really appreciate your help. Here's my HijackThis report:

Many thanks.

Logfile of HijackThis v1.99.0
Scan saved at 1:02:21 AM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\atlqh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\byezahrw.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sysdr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1EA22818-3233-BBF8-DFB1-B4AA3994E16B} - C:\WINDOWS\addqi.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysdr.exe] C:\WINDOWS\system32\sysdr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...1e...xIE601.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.righ...ia...a/RntX.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {DE945816-3B34-4BF9-9A00-D3408C1CCEEC} - sysie.dll (file missing)
O21 - SSODL: systemha - 00000409{14A5D34C-E2BB-400F-8BDC-7E7B8 - (no file)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\atlqh.exe
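Added example (not from the original post, and not part of HijackThis itself): a small triage script that flags, in the log above, the entries the expert's reply acts on. The pattern visible in the log is the about:blank variant of CoolWebSearch that CWShredder and AboutBuster target: the R0/R1 search pages are served from a res:// URL inside a random-named DLL in C:\WINDOWS (qanbt.dll), an unnamed BHO (addqi.dll) and two Run entries (byezahrw.exe, sysdr.exe) point at random-named files dropped straight into the Windows directory, a win.ini run= line survives, and a service with no vendor string, "Remote Procedure Call (RPC) Helper", runs C:\WINDOWS\atlqh.exe. The same atlqh.exe reappears in the second log under a different display name ("Network Security Service (NSS)"), which is why the script keys on the binary path rather than the service name. The sample lines are copied from this thread's logs (plus the O17 line from the second log); the heuristics, regexes and verdict labels are my own assumptions. The O17 DNS entry is flagged only for review: the second log shows AOL software installed, and a parser cannot tell whether that address belongs to the user's ISP.

```python
"""Triage a HijackThis 1.99 log for the about:blank / CoolWebSearch hijacker pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: persistence lines copied from the logs in this thread,
# with known-good entries left in so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qanbt.dll/sp.html#22776
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1EA22818-3233-BBF8-DFB1-B4AA3994E16B} - C:\WINDOWS\addqi.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysdr.exe] C:\WINDOWS\system32\sysdr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF84E3DB-5EED-45AC-82F4-A0FCF94EDE14}: NameServer = 205.188.146.145
O21 - SSODL: systemie - {DE945816-3B34-4BF9-9A00-D3408C1CCEEC} - sysie.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\atlqh.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str          # HijackThis section tag, e.g. "O23"
    verdict: str          # "remove" (matches the hijacker pattern) or "review"
    reason: str
    line: str
    path: Optional[str]   # on-disk file the entry points at, when the line names one


# A file sitting directly in C:\WINDOWS or C:\WINDOWS\System32 (no vendor subfolder)...
WINDIR_FILE = re.compile(r'^c:\\windows\\(?:system32\\)?([^\\]+)$', re.I)
# ...whose name is a short run of lowercase letters: no brand, digits or mixed case (assumption).
RANDOM_NAME = re.compile(r'^[a-z]{4,10}\.(?:exe|dll)$')
RES_DLL = re.compile(r'res://(.+?\.dll)', re.I)
RUN_ENTRY = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
ENTRY = re.compile(r'^([RFO]\d+) - (.*)$')


def random_windir_file(path: str) -> bool:
    m = WINDIR_FILE.match(path.strip().strip('"'))
    return bool(m and RANDOM_NAME.match(m.group(1)))


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command line, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]


def triage(log_text: str) -> List[Finding]:
    out: List[Finding] = []

    def add(sec, verdict, reason, line, path=None):
        out.append(Finding(sec, verdict, reason, line, path))

    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        parts = body.split(' - ')
        if sec in ('R0', 'R1') and (r := RES_DLL.search(body)):
            add(sec, 'remove', 'IE start/search page redirected into a res:// page inside a DLL', raw, r.group(1))
        elif sec == 'R3' and 'missing' in body:
            add(sec, 'review', 'default URLSearchHook removed; restore after cleanup', raw)
        elif sec == 'F1' and 'run=' in body.lower():
            add(sec, 'remove', 'legacy win.ini run= autostart', raw)
        elif sec == 'O2' and parts[0].endswith('(no name)'):
            if random_windir_file(parts[-1]):
                add(sec, 'remove', 'unnamed BHO from a random-named DLL in the Windows directory', raw, parts[-1])
            else:
                add(sec, 'review', 'unnamed BHO; identify the vendor before keeping it', raw, parts[-1])
        elif sec == 'O4' and (r := RUN_ENTRY.match(body)):
            key, target = r.group(1), first_token(r.group(2))
            base = target.rsplit('\\', 1)[-1].lower()
            # CWS droppers used a random lowercase key or the bare filename as the key.
            if random_windir_file(target) and (key.lower() == base or (key.isalpha() and key.islower())):
                add(sec, 'remove', 'Run entry with a random or bare-filename key pointing into the Windows directory', raw, target)
        elif sec == 'O17':
            add(sec, 'review', 'per-adapter NameServer override; confirm it belongs to the ISP', raw)
        elif sec == 'O21' and ('(file missing)' in body or '(no file)' in body):
            add(sec, 'remove', 'ShellServiceObjectDelayLoad entry for a file that no longer exists', raw)
        elif sec == 'O23' and len(parts) >= 3 and parts[-2] == 'Unknown' and random_windir_file(parts[-1]):
            add(sec, 'remove', 'service with no vendor whose binary is a random-named file in C:\\WINDOWS', raw, parts[-1])
    return out


def files_to_verify(findings: List[Finding]) -> Set[str]:
    """Paths the 'remove' findings point at; each should be gone after the fix."""
    return {f.path.lower() for f in findings if f.verdict == 'remove' and f.path}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.verdict:6} {f.section:3} {f.reason}\n       {f.line.strip()}')
```

Expect false positives: any all-lowercase vendor binary dropped straight into System32 would trip the random-name rule, so the output is a review list, not a delete list. files_to_verify() gives the paths to confirm are gone once the fix has run, or, before cleanup, the files worth copying off for analysis.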

#2 LineOFire
Malware Expert (Retired Staff), 235 posts
Hello and welcome to the GeeksToGo Forums. We hope you enjoy your stay here!

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks whether you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

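Added example (not from the original reply, and not part of About:Buster): the "Run AboutBuster and save the logs" step above asks for a second pass, and the log that comes back in the next reply shows why that matters. About:Buster reports "Error Removing!" for six files on pass 1; pass 2 reports only two of them (n_mpwptx.dat and rvjvpo.dat) as "Removed!", and says nothing about the four System32 DLLs (amfg.dll, cba.dll, ceigno.dll, mnj.dll). The script below parses a multi-pass log, lists the errors no later pass cleared, and flags alternate data streams that are reported as removed in more than one pass, which is a sign that "Removed Data Streams" is a match list rather than proof of removal. The sample is an abridged copy of that log; the parsing rules are my own assumptions about the log format as it appears on this page.

```python
"""Reconcile a multi-pass About:Buster log: which removal errors a later pass cleared."""
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of the About:Buster log posted in the next reply.
SAMPLE_LOG = r"""
Scanned at: 6:30:30 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

Removed Data Streams:
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\Q312370.log:wbsdb

Removed 6 Random Key Entries
Removed! : C:\WINDOWS\croy.exe
Error Removing! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\qanbt.dll
Error Removing! : C:\WINDOWS\rvjvpo.dat
Error Removing! : C:\WINDOWS\system32\amfg.dll
Error Removing! : C:\WINDOWS\system32\cba.dll
Error Removing! : C:\WINDOWS\system32\ceigno.dll
Error Removing! : C:\WINDOWS\system32\mnj.dll
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Removed Data Streams:
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\Q312370.log:wbsdb

Removed! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\rvjvpo.dat
Pages Reset... Done!
"""

Pass = Dict[str, list]


def parse_passes(log_text: str) -> List[Pass]:
    """Split the log at '-- Scan N --' headers into passes of streams, removed files and errors."""
    passes: List[Pass] = []
    in_streams = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('-- Scan '):
            passes.append({'name': line.strip('- '), 'streams': [], 'removed': [], 'errors': []})
            in_streams = False
        elif not passes:
            continue                        # "Scanned at" and other lines before the first pass
        elif line == 'Removed Data Streams:':
            in_streams = True
        elif line == '':
            in_streams = False              # the stream list ends at the first blank line
        elif line.startswith('Removed! : '):
            passes[-1]['removed'].append(line[len('Removed! : '):])
        elif line.startswith('Error Removing! : '):
            passes[-1]['errors'].append(line[len('Error Removing! : '):])
        elif in_streams and ':' in line.rsplit('\\', 1)[-1]:
            host, stream = line.rsplit(':', 1)   # host file and the alternate data stream name
            passes[-1]['streams'].append((host, stream))
    return passes


def unresolved_errors(passes: List[Pass]) -> List[str]:
    """Files a pass failed to delete that no later pass reports as removed."""
    out: List[str] = []
    for i, p in enumerate(passes):
        later = {x.lower() for q in passes[i + 1:] for x in q['removed']}
        out += [path for path in p['errors'] if path.lower() not in later and path not in out]
    return out


def repeated_streams(passes: List[Pass]) -> List[Tuple[str, str]]:
    """Streams reported as removed in more than one pass: treat the removal as unverified."""
    seen: Dict[Tuple[str, str], int] = {}
    for p in passes:
        for key in set(p['streams']):
            seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == '__main__':
    passes = parse_passes(SAMPLE_LOG)
    print('errors no later pass cleared:', *unresolved_errors(passes), sep='\n  ')
    print('streams reported removed in more than one pass:',
          *(f'{h}:{s}' for h, s in repeated_streams(passes)), sep='\n  ')
```

The four DLLs that neither pass could delete are the first thing to look for in the next HijackThis log; a file that cannot be deleted from Safe Mode is usually still loaded by some process. The stream hosts (Blue Lace 16.bmp, Q312370.log and the rest) are ordinary Windows files that the hijacker attached data to, so only the stream should go, never the host file, and since the tool reports the same streams twice, confirm they are gone with a separate stream lister such as Sysinternals Streams rather than trusting the log.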

#3 pablo
Topic Starter, Member, 12 posts
Hey, thanks very much for your help. It seems to be running nice and smoothly now. One complication was that I could not open 'My Computer' before the scans, so I was unable to 'Reconfigure Windows XP to show hidden files'. Anyway, here are the new log files:

Logfile of HijackThis v1.99.0
Scan saved at 6:48:16 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\byezahrw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sysdr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\My Documents\New Folder\HijackThis.exe
C:\WINDOWS\atlqh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46D4CC4E-BCF6-41DB-455D-02D62640627A} - C:\WINDOWS\system32\apprp32.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysdr.exe] C:\WINDOWS\system32\sysdr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF84E3DB-5EED-45AC-82F4-A0FCF94EDE14}: NameServer = 205.188.146.145
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\atlqh.exe

&

Scanned at: 6:30:30 PM on: 2/5/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\apiqe32.dll:zsmmy
C:\WINDOWS\apisc32.dll:rsezs
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appsh32.exe:ktxfu
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\BVER.BAT:xkcou
C:\WINDOWS\chipset.log:qluuo
C:\WINDOWS\control.ini:ienhq
C:\WINDOWS\CPATR10.UNI:mblsi
C:\WINDOWS\croy.exe:etexc
C:\WINDOWS\DtcInstall.log:orqlf
C:\WINDOWS\dtoedv.dat:rrgit
C:\WINDOWS\Fcic.ini:zrdgn
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\fwyayb.dat:cmzem
C:\WINDOWS\gdeuo.txt:gdbds
C:\WINDOWS\gfdwz.dat:yemiu
C:\WINDOWS\gophxx.dat:qfeno
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\javaiw32.exe:donak
C:\WINDOWS\javapg.dll:psaqx
C:\WINDOWS\javate32.dll:iltdz
C:\WINDOWS\jdgim.dat:almiu
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msgsocm.log:dcluc
C:\WINDOWS\msks.dll:vdeze
C:\WINDOWS\msxs32.dll:oeofy
C:\WINDOWS\Q312370.log:wbsdb
C:\WINDOWS\Q314862.log:ocdiv
C:\WINDOWS\Q317277.log:gdwnx
C:\WINDOWS\Q810577.log:ybclj
C:\WINDOWS\SchedLgU.Txt:bkcqy
C:\WINDOWS\setupact.log:mwepf
C:\WINDOWS\smscfg.ini:xxiac
C:\WINDOWS\spupdsvc.log:pyafw
C:\WINDOWS\sysed32.dll:cvhmk
C:\WINDOWS\sysno.dll:uwsrm
C:\WINDOWS\ToshDefs.reg:pctpk
C:\WINDOWS\Toshiba.bmp:yynpd


Removed 6 Random Key Entries
Removed! : C:\WINDOWS\apiaz32.exe
Removed! : C:\WINDOWS\apijk32.exe
Removed! : C:\WINDOWS\aslwb.dat
Removed! : C:\WINDOWS\asrgf.dll
Removed! : C:\WINDOWS\auesp.dll
Removed! : C:\WINDOWS\awkjl.dat
Removed! : C:\WINDOWS\aybql.dat
Removed! : C:\WINDOWS\ayewq.dat
Removed! : C:\WINDOWS\Belt.exe
Removed! : C:\WINDOWS\bmrikr.dat
Removed! : C:\WINDOWS\brmqe.dat
Removed! : C:\WINDOWS\cbpmu.dll
Removed! : C:\WINDOWS\cilvn.dat
Removed! : C:\WINDOWS\cmzyl.dat
Removed! : C:\WINDOWS\cnuxr.dat
Removed! : C:\WINDOWS\croy.exe
Removed! : C:\WINDOWS\crxha.dat
Removed! : C:\WINDOWS\cscvv.dat
Removed! : C:\WINDOWS\cvaor.dat
Removed! : C:\WINDOWS\d3jn32.exe
Removed! : C:\WINDOWS\dnkob.dat
Removed! : C:\WINDOWS\dochq.dll
Removed! : C:\WINDOWS\dpxfe.dat
Removed! : C:\WINDOWS\dpybj.dat
Removed! : C:\WINDOWS\dwqpd.dat
Removed! : C:\WINDOWS\dzmue.dll
Removed! : C:\WINDOWS\dzntu.dat
Removed! : C:\WINDOWS\eeibr.dat
Removed! : C:\WINDOWS\elftkq.dat
Removed! : C:\WINDOWS\euhkr.dat
Removed! : C:\WINDOWS\faory.dat
Removed! : C:\WINDOWS\fdrjpr.dat
Removed! : C:\WINDOWS\fjjgk.dll
Removed! : C:\WINDOWS\flizx.dat
Removed! : C:\WINDOWS\fqnlb.dll
Removed! : C:\WINDOWS\fsfkd.dat
Removed! : C:\WINDOWS\fwgix.dat
Removed! : C:\WINDOWS\fwxli.dll
Removed! : C:\WINDOWS\gaahk.dat
Removed! : C:\WINDOWS\geokp.dat
Removed! : C:\WINDOWS\gfcpf.dat
Removed! : C:\WINDOWS\gfdwz.dat
Removed! : C:\WINDOWS\gmmof.dll
Removed! : C:\WINDOWS\goyjf.dll
Removed! : C:\WINDOWS\gqejo.dll
Removed! : C:\WINDOWS\hkkrv.dll
Removed! : C:\WINDOWS\hyvlc.dll
Removed! : C:\WINDOWS\ieqzu.dat
Removed! : C:\WINDOWS\izigo.dat
Removed! : C:\WINDOWS\javaep.exe
Removed! : C:\WINDOWS\javafw32.exe
Removed! : C:\WINDOWS\javaiw32.exe
Removed! : C:\WINDOWS\javarb.exe
Removed! : C:\WINDOWS\jdgim.dat
Removed! : C:\WINDOWS\kgoal.dat
Removed! : C:\WINDOWS\kksla.dat
Removed! : C:\WINDOWS\kmojw.dat
Removed! : C:\WINDOWS\kuwks.dat
Removed! : C:\WINDOWS\liqts.dat
Removed! : C:\WINDOWS\lzezk.dat
Removed! : C:\WINDOWS\mbrpx.dat
Removed! : C:\WINDOWS\mrtfh.dat
Removed! : C:\WINDOWS\mshp.dll
Removed! : C:\WINDOWS\msjvk.dat
Removed! : C:\WINDOWS\mtodv.dat
Removed! : C:\WINDOWS\nlkmws.dat
Removed! : C:\WINDOWS\n_cqhunh.dat
Error Removing! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\n_mwoube.dat
Removed! : C:\WINDOWS\n_snpxzr.dat
Removed! : C:\WINDOWS\n_wddhiu.dat
Removed! : C:\WINDOWS\oakov.dat
Removed! : C:\WINDOWS\offff.dat
Removed! : C:\WINDOWS\onfwe.dat
Removed! : C:\WINDOWS\onrvf.dll
Removed! : C:\WINDOWS\pgvcj.dat
Removed! : C:\WINDOWS\plvki.dll
Removed! : C:\WINDOWS\pqvbg.dat
Removed! : C:\WINDOWS\qanbt.dll
Removed! : C:\WINDOWS\qckdt.dll
Removed! : C:\WINDOWS\qdgbo.dat
Removed! : C:\WINDOWS\qfgyl.dll
Removed! : C:\WINDOWS\qgoxa.dat
Removed! : C:\WINDOWS\qqnka.dat
Removed! : C:\WINDOWS\qrnvy.dll
Removed! : C:\WINDOWS\qtmim.dll
Removed! : C:\WINDOWS\qvbgk.dll
Error Removing! : C:\WINDOWS\rvjvpo.dat
Removed! : C:\WINDOWS\saozh.dat
Removed! : C:\WINDOWS\smits.dat
Removed! : C:\WINDOWS\srpjm.dll
Removed! : C:\WINDOWS\szsmj.dll
Removed! : C:\WINDOWS\tiruf.dat
Removed! : C:\WINDOWS\tsagx.dat
Removed! : C:\WINDOWS\udvmd.dat
Removed! : C:\WINDOWS\ueedv.dat
Removed! : C:\WINDOWS\ugkjq.dat
Removed! : C:\WINDOWS\vomef.dll
Removed! : C:\WINDOWS\voyxu.dat
Removed! : C:\WINDOWS\vsfyi.dat
Removed! : C:\WINDOWS\vtzxs.dll
Removed! : C:\WINDOWS\vysvy.dll
Removed! : C:\WINDOWS\wiefp.dat
Removed! : C:\WINDOWS\wokry.dat
Removed! : C:\WINDOWS\xfgik.dll
Removed! : C:\WINDOWS\xomxo.dat
Removed! : C:\WINDOWS\xpwha.dll
Removed! : C:\WINDOWS\xtcae.dat
Removed! : C:\WINDOWS\yltbv.dat
Removed! : C:\WINDOWS\yvekj.dll
Removed! : C:\WINDOWS\yxmbv.dat
Removed! : C:\WINDOWS\zpbck.dll
Removed! : C:\WINDOWS\system32\adcfi.dat
Removed! : C:\WINDOWS\system32\addpr.exe
Removed! : C:\WINDOWS\system32\aebvr.dat
Removed! : C:\WINDOWS\system32\aewes.dat
Removed! : C:\WINDOWS\system32\ahjhg.dll
Removed! : C:\WINDOWS\system32\ajlti.dll
Error Removing! : C:\WINDOWS\system32\amfg.dll
Removed! : C:\WINDOWS\system32\areip.dat
Removed! : C:\WINDOWS\system32\bzhfp.dll
Removed! : C:\WINDOWS\system32\caftk.dll
Error Removing! : C:\WINDOWS\system32\cba.dll
Removed! : C:\WINDOWS\system32\ccgta.dat
Error Removing! : C:\WINDOWS\system32\ceigno.dll
Removed! : C:\WINDOWS\system32\ckcli.dat
Removed! : C:\WINDOWS\system32\clhar.dll
Removed! : C:\WINDOWS\system32\ctpkv.dll
Removed! : C:\WINDOWS\system32\cuato.dat
Removed! : C:\WINDOWS\system32\dad.dll
Removed! : C:\WINDOWS\system32\dgrqu.dll
Removed! : C:\WINDOWS\system32\dhjfc.dll
Removed! : C:\WINDOWS\system32\dnpmb.dll
Removed! : C:\WINDOWS\system32\duera.dat
Removed! : C:\WINDOWS\system32\dxpio.dat
Removed! : C:\WINDOWS\system32\eewek.dat
Removed! : C:\WINDOWS\system32\ejjvb.dat
Removed! : C:\WINDOWS\system32\emfsv.dll
Removed! : C:\WINDOWS\system32\eqdlw.dll
Removed! : C:\WINDOWS\system32\espcr.dll
Removed! : C:\WINDOWS\system32\fnbdfa.dll
Removed! : C:\WINDOWS\system32\fucph.dat
Removed! : C:\WINDOWS\system32\fxpnn.dll
Removed! : C:\WINDOWS\system32\gdjfe.dat
Removed! : C:\WINDOWS\system32\gfi.dll
Removed! : C:\WINDOWS\system32\hbmdo.dat
Removed! : C:\WINDOWS\system32\hcicg.dat
Removed! : C:\WINDOWS\system32\hnfjp.dat
Removed! : C:\WINDOWS\system32\hqvzk.dll
Removed! : C:\WINDOWS\system32\ibtnx.dat
Removed! : C:\WINDOWS\system32\ihean.dll
Removed! : C:\WINDOWS\system32\ihidc.dat
Removed! : C:\WINDOWS\system32\iphkn.dat
Removed! : C:\WINDOWS\system32\jcnak.dat
Removed! : C:\WINDOWS\system32\jekbc.dat
Removed! : C:\WINDOWS\system32\jgdar.dat
Removed! : C:\WINDOWS\system32\jzwei.dll
Removed! : C:\WINDOWS\system32\kuyur.dat
Removed! : C:\WINDOWS\system32\lcwqw.dat
Removed! : C:\WINDOWS\system32\lxgzn.dll
Removed! : C:\WINDOWS\system32\mftrb.dll
Removed! : C:\WINDOWS\system32\mhmpz.dat
Error Removing! : C:\WINDOWS\system32\mnj.dll
Removed! : C:\WINDOWS\system32\msasi.dat
Removed! : C:\WINDOWS\system32\msax.exe
Removed! : C:\WINDOWS\system32\mxrre.dll
Removed! : C:\WINDOWS\system32\nmbrs.dll
Removed! : C:\WINDOWS\system32\okclca.dll
Removed! : C:\WINDOWS\system32\ouncq.dat
Removed! : C:\WINDOWS\system32\paxqn.dat
Removed! : C:\WINDOWS\system32\pko.dll
Removed! : C:\WINDOWS\system32\prith.dll
Removed! : C:\WINDOWS\system32\ptmng.dat
Removed! : C:\WINDOWS\system32\qfekg.dat
Removed! : C:\WINDOWS\system32\quocy.dat
Removed! : C:\WINDOWS\system32\ragzj.dat
Removed! : C:\WINDOWS\system32\rdjqh.dll
Removed! : C:\WINDOWS\system32\rofma.dat
Removed! : C:\WINDOWS\system32\rohqw.dat
Removed! : C:\WINDOWS\system32\rqunn.dll
Removed! : C:\WINDOWS\system32\rwcia.dat
Removed! : C:\WINDOWS\system32\sjiqu.dat
Removed! : C:\WINDOWS\system32\sughm.dll
Removed! : C:\WINDOWS\system32\svrph.dll
Removed! : C:\WINDOWS\system32\tbmmf.dll
Removed! : C:\WINDOWS\system32\tdxjv.dat
Removed! : C:\WINDOWS\system32\tgimj.dat
Removed! : C:\WINDOWS\system32\tsjto.dat
Removed! : C:\WINDOWS\system32\tuhvn.dat
Removed! : C:\WINDOWS\system32\ubxoy.dat
Removed! : C:\WINDOWS\system32\vbgcg.dat
Removed! : C:\WINDOWS\system32\vgpoj.dat
Removed! : C:\WINDOWS\system32\vorsg.dat
Removed! : C:\WINDOWS\system32\vsles.dat
Removed! : C:\WINDOWS\system32\wgmmv.dat
Removed! : C:\WINDOWS\system32\winor.exe
Removed! : C:\WINDOWS\system32\wjkxf.dat
Removed! : C:\WINDOWS\system32\woknj.dll
Removed! : C:\WINDOWS\system32\wokut.dll
Removed! : C:\WINDOWS\system32\wshwc.dat
Removed! : C:\WINDOWS\system32\wyfnu.dll
Removed! : C:\WINDOWS\system32\xcdgy.dat
Removed! : C:\WINDOWS\system32\xcnfg.dll
Removed! : C:\WINDOWS\system32\xeidt.dat
Removed! : C:\WINDOWS\system32\xjyxl.dat
Removed! : C:\WINDOWS\system32\yltid.dat
Removed! : C:\WINDOWS\system32\yorlt.dat
Removed! : C:\WINDOWS\system32\yxopj.dll
Removed! : C:\WINDOWS\system32\yxwbd.dll
Removed! : C:\WINDOWS\system32\yzgzy.dll
Removed! : C:\WINDOWS\system32\zafvy.dat
Removed! : C:\WINDOWS\system32\ziglb.dat
Removed! : C:\WINDOWS\system32\zitwu.dat
Removed! : C:\WINDOWS\system32\zpdyi.dll
Removed! : C:\WINDOWS\system32\zspuq.dat
Removed! : C:\WINDOWS\system32\zybxv.dat
Removed! : C:\WINDOWS\system32\zyzwe.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\apiqe32.dll:zsmmy
C:\WINDOWS\apisc32.dll:rsezs
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appsh32.exe:ktxfu
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\BVER.BAT:xkcou
C:\WINDOWS\chipset.log:qluuo
C:\WINDOWS\control.ini:ienhq
C:\WINDOWS\CPATR10.UNI:mblsi
C:\WINDOWS\croy.exe:etexc
C:\WINDOWS\DtcInstall.log:orqlf
C:\WINDOWS\dtoedv.dat:rrgit
C:\WINDOWS\Fcic.ini:zrdgn
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\fwyayb.dat:cmzem
C:\WINDOWS\gdeuo.txt:gdbds
C:\WINDOWS\gfdwz.dat:yemiu
C:\WINDOWS\gophxx.dat:qfeno
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\javaiw32.exe:donak
C:\WINDOWS\javapg.dll:psaqx
C:\WINDOWS\javate32.dll:iltdz
C:\WINDOWS\jdgim.dat:almiu
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msgsocm.log:dcluc
C:\WINDOWS\msks.dll:vdeze
C:\WINDOWS\msxs32.dll:oeofy
C:\WINDOWS\Q312370.log:wbsdb
C:\WINDOWS\Q314862.log:ocdiv
C:\WINDOWS\Q317277.log:gdwnx
C:\WINDOWS\Q810577.log:ybclj
C:\WINDOWS\SchedLgU.Txt:bkcqy
C:\WINDOWS\setupact.log:mwepf
C:\WINDOWS\smscfg.ini:xxiac
C:\WINDOWS\spupdsvc.log:pyafw
C:\WINDOWS\sysed32.dll:cvhmk
C:\WINDOWS\sysno.dll:uwsrm
C:\WINDOWS\ToshDefs.reg:pctpk
C:\WINDOWS\Toshiba.bmp:yynpd


Removed! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\rvjvpo.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 6:31:53 PM on: 2/5/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\apiqe32.dll:zsmmy
C:\WINDOWS\apisc32.dll:rsezs
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appsh32.exe:ktxfu
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\BVER.BAT:xkcou
C:\WINDOWS\chipset.log:qluuo
C:\WINDOWS\control.ini:ienhq
C:\WINDOWS\CPATR10.UNI:mblsi
C:\WINDOWS\croy.exe:etexc
C:\WINDOWS\DtcInstall.log:orqlf
C:\WINDOWS\dtoedv.dat:rrgit
C:\WINDOWS\Fcic.ini:zrdgn
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\fwyayb.dat:cmzem
C:\WINDOWS\gdeuo.txt:gdbds
C:\WINDOWS\gfdwz.dat:yemiu
C:\WINDOWS\gophxx.dat:qfeno
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\javaiw32.exe:donak
C:\WINDOWS\javapg.dll:psaqx
C:\WINDOWS\javate32.dll:iltdz
C:\WINDOWS\jdgim.dat:almiu
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msgsocm.log:dcluc
C:\WINDOWS\msks.dll:vdeze
C:\WINDOWS\msxs32.dll:oeofy
C:\WINDOWS\Q312370.log:wbsdb
C:\WINDOWS\Q314862.log:ocdiv
C:\WINDOWS\Q317277.log:gdwnx
C:\WINDOWS\Q810577.log:ybclj
C:\WINDOWS\SchedLgU.Txt:bkcqy
C:\WINDOWS\setupact.log:mwepf
C:\WINDOWS\smscfg.ini:xxiac
C:\WINDOWS\spupdsvc.log:pyafw
C:\WINDOWS\sysed32.dll:cvhmk
C:\WINDOWS\sysno.dll:uwsrm
C:\WINDOWS\ToshDefs.reg:pctpk
C:\WINDOWS\Toshiba.bmp:yynpd


Removed 6 Random Key Entries
Removed! : C:\WINDOWS\apiaz32.exe
Removed! : C:\WINDOWS\apijk32.exe
Removed! : C:\WINDOWS\aslwb.dat
Removed! : C:\WINDOWS\asrgf.dll
Removed! : C:\WINDOWS\auesp.dll
Removed! : C:\WINDOWS\awkjl.dat
Removed! : C:\WINDOWS\aybql.dat
Removed! : C:\WINDOWS\ayewq.dat
Removed! : C:\WINDOWS\Belt.exe
Removed! : C:\WINDOWS\bmrikr.dat
Removed! : C:\WINDOWS\brmqe.dat
Removed! : C:\WINDOWS\cbpmu.dll
Removed! : C:\WINDOWS\cilvn.dat
Removed! : C:\WINDOWS\cmzyl.dat
Removed! : C:\WINDOWS\cnuxr.dat
Removed! : C:\WINDOWS\croy.exe
Removed! : C:\WINDOWS\crxha.dat
Removed! : C:\WINDOWS\cscvv.dat
Removed! : C:\WINDOWS\cvaor.dat
Removed! : C:\WINDOWS\d3jn32.exe
Removed! : C:\WINDOWS\dnkob.dat
Removed! : C:\WINDOWS\dochq.dll
Removed! : C:\WINDOWS\dpxfe.dat
Removed! : C:\WINDOWS\dpybj.dat
Removed! : C:\WINDOWS\dwqpd.dat
Removed! : C:\WINDOWS\dzmue.dll
Removed! : C:\WINDOWS\dzntu.dat
Removed! : C:\WINDOWS\eeibr.dat
Removed! : C:\WINDOWS\elftkq.dat
Removed! : C:\WINDOWS\euhkr.dat
Removed! : C:\WINDOWS\faory.dat
Removed! : C:\WINDOWS\fdrjpr.dat
Removed! : C:\WINDOWS\fjjgk.dll
Removed! : C:\WINDOWS\flizx.dat
Removed! : C:\WINDOWS\fqnlb.dll
Removed! : C:\WINDOWS\fsfkd.dat
Removed! : C:\WINDOWS\fwgix.dat
Removed! : C:\WINDOWS\fwxli.dll
Removed! : C:\WINDOWS\gaahk.dat
Removed! : C:\WINDOWS\geokp.dat
Removed! : C:\WINDOWS\gfcpf.dat
Removed! : C:\WINDOWS\gfdwz.dat
Removed! : C:\WINDOWS\gmmof.dll
Removed! : C:\WINDOWS\goyjf.dll
Removed! : C:\WINDOWS\gqejo.dll
Removed! : C:\WINDOWS\hkkrv.dll
Removed! : C:\WINDOWS\hyvlc.dll
Removed! : C:\WINDOWS\ieqzu.dat
Removed! : C:\WINDOWS\izigo.dat
Removed! : C:\WINDOWS\javaep.exe
Removed! : C:\WINDOWS\javafw32.exe
Removed! : C:\WINDOWS\javaiw32.exe
Removed! : C:\WINDOWS\javarb.exe
Removed! : C:\WINDOWS\jdgim.dat
Removed! : C:\WINDOWS\kgoal.dat
Removed! : C:\WINDOWS\kksla.dat
Removed! : C:\WINDOWS\kmojw.dat
Removed! : C:\WINDOWS\kuwks.dat
Removed! : C:\WINDOWS\liqts.dat
Removed! : C:\WINDOWS\lzezk.dat
Removed! : C:\WINDOWS\mbrpx.dat
Removed! : C:\WINDOWS\mrtfh.dat
Removed! : C:\WINDOWS\mshp.dll
Removed! : C:\WINDOWS\msjvk.dat
Removed! : C:\WINDOWS\mtodv.dat
Removed! : C:\WINDOWS\nlkmws.dat
Removed! : C:\WINDOWS\n_cqhunh.dat
Error Removing! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\n_mwoube.dat
Removed! : C:\WINDOWS\n_snpxzr.dat
Removed! : C:\WINDOWS\n_wddhiu.dat
Removed! : C:\WINDOWS\oakov.dat
Removed! : C:\WINDOWS\offff.dat
Removed! : C:\WINDOWS\onfwe.dat
Removed! : C:\WINDOWS\onrvf.dll
Removed! : C:\WINDOWS\pgvcj.dat
Removed! : C:\WINDOWS\plvki.dll
Removed! : C:\WINDOWS\pqvbg.dat
Removed! : C:\WINDOWS\qanbt.dll
Removed! : C:\WINDOWS\qckdt.dll
Removed! : C:\WINDOWS\qdgbo.dat
Removed! : C:\WINDOWS\qfgyl.dll
Removed! : C:\WINDOWS\qgoxa.dat
Removed! : C:\WINDOWS\qqnka.dat
Removed! : C:\WINDOWS\qrnvy.dll
Removed! : C:\WINDOWS\qtmim.dll
Removed! : C:\WINDOWS\qvbgk.dll
Error Removing! : C:\WINDOWS\rvjvpo.dat
Removed! : C:\WINDOWS\saozh.dat
Removed! : C:\WINDOWS\smits.dat
Removed! : C:\WINDOWS\srpjm.dll
Removed! : C:\WINDOWS\szsmj.dll
Removed! : C:\WINDOWS\tiruf.dat
Removed! : C:\WINDOWS\tsagx.dat
Removed! : C:\WINDOWS\udvmd.dat
Removed! : C:\WINDOWS\ueedv.dat
Removed! : C:\WINDOWS\ugkjq.dat
Removed! : C:\WINDOWS\vomef.dll
Removed! : C:\WINDOWS\voyxu.dat
Removed! : C:\WINDOWS\vsfyi.dat
Removed! : C:\WINDOWS\vtzxs.dll
Removed! : C:\WINDOWS\vysvy.dll
Removed! : C:\WINDOWS\wiefp.dat
Removed! : C:\WINDOWS\wokry.dat
Removed! : C:\WINDOWS\xfgik.dll
Removed! : C:\WINDOWS\xomxo.dat
Removed! : C:\WINDOWS\xpwha.dll
Removed! : C:\WINDOWS\xtcae.dat
Removed! : C:\WINDOWS\yltbv.dat
Removed! : C:\WINDOWS\yvekj.dll
Removed! : C:\WINDOWS\yxmbv.dat
Removed! : C:\WINDOWS\zpbck.dll
Removed! : C:\WINDOWS\system32\adcfi.dat
Removed! : C:\WINDOWS\system32\addpr.exe
Removed! : C:\WINDOWS\system32\aebvr.dat
Removed! : C:\WINDOWS\system32\aewes.dat
Removed! : C:\WINDOWS\system32\ahjhg.dll
Removed! : C:\WINDOWS\system32\ajlti.dll
Error Removing! : C:\WINDOWS\system32\amfg.dll
Removed! : C:\WINDOWS\system32\areip.dat
Removed! : C:\WINDOWS\system32\bzhfp.dll
Removed! : C:\WINDOWS\system32\caftk.dll
Error Removing! : C:\WINDOWS\system32\cba.dll
Removed! : C:\WINDOWS\system32\ccgta.dat
Error Removing! : C:\WINDOWS\system32\ceigno.dll
Removed! : C:\WINDOWS\system32\ckcli.dat
Removed! : C:\WINDOWS\system32\clhar.dll
Removed! : C:\WINDOWS\system32\ctpkv.dll
Removed! : C:\WINDOWS\system32\cuato.dat
Removed! : C:\WINDOWS\system32\dad.dll
Removed! : C:\WINDOWS\system32\dgrqu.dll
Removed! : C:\WINDOWS\system32\dhjfc.dll
Removed! : C:\WINDOWS\system32\dnpmb.dll
Removed! : C:\WINDOWS\system32\duera.dat
Removed! : C:\WINDOWS\system32\dxpio.dat
Removed! : C:\WINDOWS\system32\eewek.dat
Removed! : C:\WINDOWS\system32\ejjvb.dat
Removed! : C:\WINDOWS\system32\emfsv.dll
Removed! : C:\WINDOWS\system32\eqdlw.dll
Removed! : C:\WINDOWS\system32\espcr.dll
Removed! : C:\WINDOWS\system32\fnbdfa.dll
Removed! : C:\WINDOWS\system32\fucph.dat
Removed! : C:\WINDOWS\system32\fxpnn.dll
Removed! : C:\WINDOWS\system32\gdjfe.dat
Removed! : C:\WINDOWS\system32\gfi.dll
Removed! : C:\WINDOWS\system32\hbmdo.dat
Removed! : C:\WINDOWS\system32\hcicg.dat
Removed! : C:\WINDOWS\system32\hnfjp.dat
Removed! : C:\WINDOWS\system32\hqvzk.dll
Removed! : C:\WINDOWS\system32\ibtnx.dat
Removed! : C:\WINDOWS\system32\ihean.dll
Removed! : C:\WINDOWS\system32\ihidc.dat
Removed! : C:\WINDOWS\system32\iphkn.dat
Removed! : C:\WINDOWS\system32\jcnak.dat
Removed! : C:\WINDOWS\system32\jekbc.dat
Removed! : C:\WINDOWS\system32\jgdar.dat
Removed! : C:\WINDOWS\system32\jzwei.dll
Removed! : C:\WINDOWS\system32\kuyur.dat
Removed! : C:\WINDOWS\system32\lcwqw.dat
Removed! : C:\WINDOWS\system32\lxgzn.dll
Removed! : C:\WINDOWS\system32\mftrb.dll
Removed! : C:\WINDOWS\system32\mhmpz.dat
Error Removing! : C:\WINDOWS\system32\mnj.dll
Removed! : C:\WINDOWS\system32\msasi.dat
Removed! : C:\WINDOWS\system32\msax.exe
Removed! : C:\WINDOWS\system32\mxrre.dll
Removed! : C:\WINDOWS\system32\nmbrs.dll
Removed! : C:\WINDOWS\system32\okclca.dll
Removed! : C:\WINDOWS\system32\ouncq.dat
Removed! : C:\WINDOWS\system32\paxqn.dat
Removed! : C:\WINDOWS\system32\pko.dll
Removed! : C:\WINDOWS\system32\prith.dll
Removed! : C:\WINDOWS\system32\ptmng.dat
Removed! : C:\WINDOWS\system32\qfekg.dat
Removed! : C:\WINDOWS\system32\quocy.dat
Removed! : C:\WINDOWS\system32\ragzj.dat
Removed! : C:\WINDOWS\system32\rdjqh.dll
Removed! : C:\WINDOWS\system32\rofma.dat
Removed! : C:\WINDOWS\system32\rohqw.dat
Removed! : C:\WINDOWS\system32\rqunn.dll
Removed! : C:\WINDOWS\system32\rwcia.dat
Removed! : C:\WINDOWS\system32\sjiqu.dat
Removed! : C:\WINDOWS\system32\sughm.dll
Removed! : C:\WINDOWS\system32\svrph.dll
Removed! : C:\WINDOWS\system32\tbmmf.dll
Removed! : C:\WINDOWS\system32\tdxjv.dat
Removed! : C:\WINDOWS\system32\tgimj.dat
Removed! : C:\WINDOWS\system32\tsjto.dat
Removed! : C:\WINDOWS\system32\tuhvn.dat
Removed! : C:\WINDOWS\system32\ubxoy.dat
Removed! : C:\WINDOWS\system32\vbgcg.dat
Removed! : C:\WINDOWS\system32\vgpoj.dat
Removed! : C:\WINDOWS\system32\vorsg.dat
Removed! : C:\WINDOWS\system32\vsles.dat
Removed! : C:\WINDOWS\system32\wgmmv.dat
Removed! : C:\WINDOWS\system32\winor.exe
Removed! : C:\WINDOWS\system32\wjkxf.dat
Removed! : C:\WINDOWS\system32\woknj.dll
Removed! : C:\WINDOWS\system32\wokut.dll
Removed! : C:\WINDOWS\system32\wshwc.dat
Removed! : C:\WINDOWS\system32\wyfnu.dll
Removed! : C:\WINDOWS\system32\xcdgy.dat
Removed! : C:\WINDOWS\system32\xcnfg.dll
Removed! : C:\WINDOWS\system32\xeidt.dat
Removed! : C:\WINDOWS\system32\xjyxl.dat
Removed! : C:\WINDOWS\system32\yltid.dat
Removed! : C:\WINDOWS\system32\yorlt.dat
Removed! : C:\WINDOWS\system32\yxopj.dll
Removed! : C:\WINDOWS\system32\yxwbd.dll
Removed! : C:\WINDOWS\system32\yzgzy.dll
Removed! : C:\WINDOWS\system32\zafvy.dat
Removed! : C:\WINDOWS\system32\ziglb.dat
Removed! : C:\WINDOWS\system32\zitwu.dat
Removed! : C:\WINDOWS\system32\zpdyi.dll
Removed! : C:\WINDOWS\system32\zspuq.dat
Removed! : C:\WINDOWS\system32\zybxv.dat
Removed! : C:\WINDOWS\system32\zyzwe.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\apiqe32.dll:zsmmy
C:\WINDOWS\apisc32.dll:rsezs
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appam32.dll:mdmzi
C:\WINDOWS\appsh32.exe:ktxfu
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\BVER.BAT:xkcou
C:\WINDOWS\chipset.log:qluuo
C:\WINDOWS\control.ini:ienhq
C:\WINDOWS\CPATR10.UNI:mblsi
C:\WINDOWS\croy.exe:etexc
C:\WINDOWS\DtcInstall.log:orqlf
C:\WINDOWS\dtoedv.dat:rrgit
C:\WINDOWS\Fcic.ini:zrdgn
C:\WINDOWS\fntldr.exe:klgyj
C:\WINDOWS\fwyayb.dat:cmzem
C:\WINDOWS\gdeuo.txt:gdbds
C:\WINDOWS\gfdwz.dat:yemiu
C:\WINDOWS\gophxx.dat:qfeno
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\javaiw32.exe:donak
C:\WINDOWS\javapg.dll:psaqx
C:\WINDOWS\javate32.dll:iltdz
C:\WINDOWS\jdgim.dat:almiu
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msdfmap.ini:ukfoa
C:\WINDOWS\msgsocm.log:dcluc
C:\WINDOWS\msks.dll:vdeze
C:\WINDOWS\msxs32.dll:oeofy
C:\WINDOWS\Q312370.log:wbsdb
C:\WINDOWS\Q314862.log:ocdiv
C:\WINDOWS\Q317277.log:gdwnx
C:\WINDOWS\Q810577.log:ybclj
C:\WINDOWS\SchedLgU.Txt:bkcqy
C:\WINDOWS\setupact.log:mwepf
C:\WINDOWS\smscfg.ini:xxiac
C:\WINDOWS\spupdsvc.log:pyafw
C:\WINDOWS\sysed32.dll:cvhmk
C:\WINDOWS\sysno.dll:uwsrm
C:\WINDOWS\ToshDefs.reg:pctpk
C:\WINDOWS\Toshiba.bmp:yynpd


Removed! : C:\WINDOWS\n_mpwptx.dat
Removed! : C:\WINDOWS\rvjvpo.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
  • 0

#4
LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
The hidden files thing is all right, as long as you boot into Safe Mode.

You still seem to be infected. Would you mind going through the exact same instructions one more time?
  • 0

#5
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OK, just went through the same instructions and here are the new log files:

Logfile of HijackThis v1.99.0
Scan saved at 7:34:37 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\byezahrw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sysdr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Q817287.log:jvfwg
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2850CFC5-2BAD-884B-1956-B7BC0BF9D853} - C:\WINDOWS\nethp.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysdr.exe] C:\WINDOWS\system32\sysdr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\Q817287.log:jvfwg.exe (file missing)

&

Scanned at: 7:28:03 PM on: 2/7/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Removed! : C:\WINDOWS\csukt.dll
Removed! : C:\WINDOWS\zltza.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
  • 0

#6
LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2850CFC5-2BAD-884B-1956-B7BC0BF9D853} - C:\WINDOWS\nethp.dll
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O4 - HKLM\..\Run: [sysdr.exe] C:\WINDOWS\system32\sysdr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\Q817287.log:jvfwg.exe (file missing)

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\Q817287.log
C:\WINDOWS\System32\byezahrw.exe
C:\WINDOWS\system32\sysdr.exe

Now run CWShredder again.

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :tazz:
  • 0
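The two patterns LineOFire's fix list keys on can be pulled out of a log mechanically: R0/R1 values that point at a res:// URL (Internet Explorer's search pages being served from a DLL under C:\WINDOWS) and a service whose binary sits in an NTFS alternate data stream of C:\WINDOWS\Q817287.log, the same kind of `file:stream` entry About:Buster lists under "Removed Data Streams" in the earlier log. The Python script below is an added example written for this page; it is not HijackThis, About:Buster or CWShredder code, and the function names (`split_ads`, `triage`, `parse_aboutbuster_streams`) are its own. The two sample logs are constructed from a handful of lines posted in this thread.

```python
"""Triage helper for HijackThis and About:Buster log lines (added example).

Not part of HijackThis, About:Buster, CWShredder or this forum's tooling.
It mechanises two checks that the fix list above turns on: R0/R1 entries
whose value is a res:// URL, and file paths that name an NTFS alternate
data stream (host.ext:stream), the hiding place behind the O23 entry.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the lines posted in this thread's logs.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zrdkb.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [oglqdarg] C:\WINDOWS\System32\byezahrw.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\Q817287.log:jvfwg.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip()

# Constructed sample of an About:Buster scan, including the duplicate it prints.
SAMPLE_ABOUTBUSTER = r"""
Removed Data Streams:
C:\WINDOWS\Blue Lace 16.bmp:nkrjs
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\Greenstone.bmp:jyxbr
C:\WINDOWS\msdfmap.ini:ukfoa

Attempted Clean Of Temp folder.
""".strip()

Finding = Tuple[str, str, str]  # (reason, detail, original log line)
_MISSING = " (file missing)"


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir\\host.ext:stream' into (host path, stream name).

    The first colon belongs to the drive letter; any later colon in the path
    introduces an alternate data stream. Non-path values (res:// URLs) and
    paths without a stream come back as (value, None)."""
    drive, sep, rest = path.partition(":")
    if len(drive) != 1 or not sep or ":" not in rest:
        return path, None
    host, _, stream = rest.rpartition(":")
    return f"{drive}:{host}", stream


def _target_path(line: str) -> Optional[str]:
    """Return the file an O2/O4/O23 entry points at (None for other entries)."""
    m = re.match(r"O4 - .*?: \[.*?\] (.+)$", line)
    if m:
        target = m.group(1).strip()
        # A quoted path may carry arguments after the closing quote.
        if target.startswith('"') and target.find('"', 1) > 0:
            target = target[1:target.find('"', 1)]
        return target
    if line.startswith(("O2 - ", "O23 - ")):
        return line.rsplit(" - ", 1)[-1]
    return None


def triage(log_text: str) -> List[Finding]:
    """Flag res:// browser settings, ADS targets and missing service binaries."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"R[0-3] - .+? = (.+)$", line)
        if m and m.group(1).lower().startswith("res://"):
            findings.append(("res-url", m.group(1), line))
            continue
        target = _target_path(line)
        if target is None:
            continue
        missing = target.endswith(_MISSING)
        target = target[: -len(_MISSING)] if missing else target
        host, stream = split_ads(target)
        if stream is not None:
            findings.append(("ads", f"{host}:{stream}", line))
        if missing:
            findings.append(("file-missing", target, line))
    return findings


def parse_aboutbuster_streams(log_text: str) -> List[Tuple[str, str]]:
    """Return unique (host file, stream) pairs from a 'Removed Data Streams:' block."""
    pairs: List[Tuple[str, str]] = []
    in_block = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Removed Data Streams:":
            in_block = True
            continue
        if in_block:
            if not line:  # the block ends at the first blank line
                break
            host, stream = split_ads(line)
            if stream is not None and (host, stream) not in pairs:
                pairs.append((host, stream))
    return pairs
```

Call `triage()` on a pasted HijackThis log and `parse_aboutbuster_streams()` on an About:Buster log. `split_ads()` is the piece worth reusing whenever a path shows up with a second colon: it reports the host file and the stream separately, so the reader can see that `C:\WINDOWS\Q817287.log` is the carrier and `jvfwg.exe` the payload. The script deliberately does not guess at entries by how random a filename looks (the `byezahrw.exe` Run entry is not flagged); that judgement stays with the person reading the log, as it did in this thread.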

#7
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I deleted C:\WINDOWS\Q817287.log,
was unable to delete C:\WINDOWS\System32\byezahrw.exe ("Access denied"),
and could not find C:\WINDOWS\system32\sysdr.exe.

I also downloaded and ran AVG. It found over 200 viruses, but now it keeps popping up every minute with a virus alert which I'm unable to delete. Do you think I should remove the AVG software?

Anyway, getting into 'My Computer' etc. now seems to be working OK. Fingers crossed.

Logfile of HijackThis v1.99.0
Scan saved at 10:35:44 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\My Documents\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF84E3DB-5EED-45AC-82F4-A0FCF94EDE14}: NameServer = 205.188.146.145
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Which virus does it pop up with and where is it located? Don't remove AVG yet. It can provide some helpful clues as to where these bad things are coming from. :tazz:
  • 0

#9
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
It pops up as soon as I switch on and keeps on popping up after that.

it says: "Virus Detected!
While opening file C:\WINDOWS\system32\ctllga.dll
Trojan horse BackDoor.Agent.BA"

It offers a list of options: continue, info, heal, delete, move to vault. However, I'm unable to perform any of these: "Requested action is not available for this object".

If I close it down or click 'continue' it goes away, but only temporarily.
  • 0

#10
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks again for all your help so far.
After tonight I'll be away from my computer till mid next week.

p
  • 0

#11
LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Then find and delete C:\WINDOWS\system32\ctllga.dll.

Then restart and AVG should no longer detect that trojan. :tazz:
  • 0

#12
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Was unable to delete C:\WINDOWS\system32\ctllga.dll ("Access denied").
Tried using AboutBuster and that could not get rid of it either. It had "Error Removing" and then it froze (in Safe Mode).
Neither CWShredder nor HijackThis picked it up.
  • 0

#13
admin

    Founder Geek

  • Administrator
  • 24,504 posts
Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\system32\ctllga.dll

Click 'Exit' when done.
  • 0

#14
pablo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
KillBox was 'unable to delete file'.
  • 0

#15
LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Use Killbox's Delete On Reboot function instead. Then restart and see if the file gets detected again.
  • 0





