
very slow boot, many popups with popup blocker ON, frequent computer l



#1 rjemps6 (Member, 10 posts)
Hi,
I ran all the spyware, adware and trojan things you suggested. Got rid of whatever it would let me get rid of. It reboots much quicker now and I don't have to restart it 10 or so times to get the desktop to come up (it comes up the first time now). I did a HijackThis log. Here it is. Even though my computer boots up easily, I do get one window that says there is a file it cannot open, but no info when I go to search about the file (ptpn.exe.tcf). This message is new and started today after the fix, and, as has happened for several months now, a window comes up that says "Tango Manager" must close because there is a problem with it. I don't know what that is. I would greatly appreciate any help. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:29:56 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\windows\system32\qsdsregq.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mwintrai.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SMBOLS~1\javaw.exe
C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nspF2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CRSSSubscriber Object - {18A5CAE8-FAF6-49A9-B3D8-2954437D9BBC} - C:\Program Files\Lektora\LektoraCOM.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmilvo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - C:\WINDOWS\system32\nsrB.dll
O2 - BHO: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Lektora - {C55D30C7-3B86-4D70-98D3-CAA716DF0D83} - C:\Program Files\Lektora\LektoraCOM.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\4d4lxd.exe reg_run
O4 - HKLM\..\Run: [{F1-10-06-60-ZN}] C:\windows\system32\qsdsregq.exe FI002
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwintrai.exe FI002
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Rsue] "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Jqnsrtn] C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintrai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rrdsregs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ptpn.exe.tcf
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://miniclip.com/...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140465121009
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130738487178
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe


#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • Make sure "Hide extensions for known file types" is unchecked
    • Make sure "Hide protected operating system files (recommended)" is unchecked
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.


    R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
    O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nspF2.dll
    O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmilvo.dll
    O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - C:\WINDOWS\system32\nsrB.dll
    O2 - BHO: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\4d4lxd.exe reg_run
    O4 - HKLM\..\Run: [{F1-10-06-60-ZN}] C:\windows\system32\qsdsregq.exe FI002
    O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
    O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwintrai.exe FI002
    O4 - HKCU\..\Run: [Rsue] "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv
    O4 - HKCU\..\Run: [Jqnsrtn] C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintrai.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rrdsregs.exe
    O4 - Global Startup: ptpn.exe.tcf
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
    O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll



  • Please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe Mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINDOWS\system32\lmknc.dll
    C:\WINDOWS\system32\nspF2.dll
    C:\WINDOWS\system32\irsmilvo.dll
    C:\WINDOWS\system32\nsrB.dll
    C:\WINDOWS\system32\4d4lxd.exe
    C:\windows\system32\qsdsregq.exe
    C:\WINDOWS\system32\hpsw.exe
    C:\WINDOWS\system32\mwintrai.exe
    C:\WINDOWS\SMBOLS~1\javaw.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\rrdsregs.exe
    C:\PROGRA~1\Jalmp <-- delete this folder
    C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe

Reboot your computer to go back to normal mode.



Now I need to see a different type of log.

Download WinPFind.

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe Mode go here for more info.

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
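The reply above works through the HijackThis log by hand: tick the suspicious entries for Fix Checked, then delete the files behind them in Safe Mode. The Python below is an added example, not part of this thread and not HijackThis's or WinPFind's code; it writes a few of the reviewer's rules out as code and runs them over lines copied from the posted log. The rule set (orphaned entries, autostarts launched from the browser cache, paths the log could not render, unnamed URLSearchHooks, Trusted Zone additions, text/html MIME filters) and the path regex are the example author's own assumptions about what is worth a second look.

```python
"""Flag HijackThis log entries that a malware reviewer would look at first.

Added example; the rules below are heuristics, not an authoritative list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log posted in this thread, plus
# two clean entries (Google Toolbar, ccApp) as controls.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKCU\..\Run: [Jqnsrtn] C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
"""

# "O4 - <body>" / "R3 - <body>": section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A Windows path as HijackThis prints it: drive letter through the first
# .exe/.dll (assumption: only those two extensions matter here).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.IGNORECASE)
# Characters that cannot occur in a Windows file name. HijackThis prints "?"
# for characters it cannot render, so a "?" in a path means the real name
# is not what the log shows (the ??mantec\d?xplore.exe entry above).
INVALID_NAME_CHARS = set('?*<>|"')


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str
    path: Optional[str]


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def review_line(line: str) -> Optional[Finding]:
    """Apply the reviewer rules to one log line; None means nothing fired."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path = extract_path(body)
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: target file no longer exists")
    if path and "\\Temporary Internet Files\\" in path:
        reasons.append("autostart target lives in the browser cache")
    if path and INVALID_NAME_CHARS & set(path):
        reasons.append("path contains characters the log could not render")
    if section == "R3" and "(no name)" in body:
        reasons.append("unnamed URLSearchHook")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O18" and body.startswith("Filter: text/html"):
        reasons.append("MIME filter sees every HTML page loaded")
    if not reasons:
        return None
    return Finding(section, line.strip(), "; ".join(reasons), path)


def review_log(text: str) -> List[Finding]:
    return [f for f in (review_line(l) for l in text.splitlines()) if f]


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Distinct files behind the flagged entries, in log order: the second
    step of the reply (what to remove by hand in Safe Mode after Fix Checked).
    Entries already marked '(file missing)' have nothing left to delete."""
    seen: List[str] = []
    for f in findings:
        if f.path and "(file missing)" not in f.line and f.path not in seen:
            seen.append(f.path)
    return seen


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.reason}")
    print("delete after Fix Checked:")
    for p in files_to_delete(found):
        print("  " + p)
```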

#3 rjemps6 (Topic Starter, Member, 10 posts)
Hi Sam,
Whew! I think I did it all right. I made sure that I could View Hidden Files. Then I ran HijackThis and put a check next to all but one that wasn't there: O4 - Global Startup: ptpn.exe.tcf. Then I booted to Safe Mode and deleted all files and directories except C:\windows\system32\4d4lxd.exe, because it wasn't there; C:\windows\SMBOLS~1\javaw.exe, because I couldn't find SMBOLS~1 (I could find symbols, and I believe it had a javaw.exe file, but was unsure); C:\windows\system32\irssyncd.exe, because it had .tcf after it; I also did not delete C:\Documents and Settings\mom\My Documents\??mantec\d?xplore.exe, because I couldn't find the exact one. I did do a file search and found symantec (Norton Antivirus?), but didn't find the corresponding file.

I finished up and ran the WinPFind. Here is the log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\LPT$VPN.917
qoologic 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\LPT$VPN.917
SAHAgent 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\LPT$VPN.917
UPX! 10/30/2005 6:06:36 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\VPTNFILE.917
qoologic 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\VPTNFILE.917
SAHAgent 10/30/2005 6:06:36 PM 16232461 C:\WINDOWS\VPTNFILE.917
UPX! 10/30/2005 6:06:36 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/30/2005 6:06:36 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 2/18/2002 5:19:06 AM 45568 C:\WINDOWS\SYSTEM32\002k3slc.dll
PEC2 8/23/2001 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/14/1997 9:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
69.59.186.63 2/22/2006 12:40:36 PM 46080 C:\WINDOWS\SYSTEM32\kgksfds.dll
209.66.67.134 2/22/2006 12:40:36 PM 46080 C:\WINDOWS\SYSTEM32\kgksfds.dll
web-nex 2/22/2006 12:40:36 PM 46080 C:\WINDOWS\SYSTEM32\kgksfds.dll
winsync 2/22/2006 12:40:36 PM 46080 C:\WINDOWS\SYSTEM32\kgksfds.dll
PTech 1/12/2006 11:32:12 AM 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 2/7/2006 9:23:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/7/2006 9:23:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 1/18/2006 1:19:02 PM 84480 C:\WINDOWS\SYSTEM32\nsj57.dll
UPX! 2/13/2006 4:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nst64.dll
UPX! 2/13/2006 4:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsv63.dll
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
69.59.186.63 2/22/2006 12:21:32 PM 10240 C:\WINDOWS\SYSTEM32\obojr.dll
209.66.67.134 2/22/2006 12:21:32 PM 10240 C:\WINDOWS\SYSTEM32\obojr.dll
web-nex 2/22/2006 12:21:32 PM 10240 C:\WINDOWS\SYSTEM32\obojr.dll
winsync 2/22/2006 12:21:32 PM 10240 C:\WINDOWS\SYSTEM32\obojr.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/22/2006 12:39:00 PM S 2048 C:\WINDOWS\bootstat.dat
1/3/2006 1:17:06 PM S 8792 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911564.cat
1/13/2006 12:34:32 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
1/3/2006 9:39:38 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/13/2006 11:28:32 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
2/22/2006 12:38:54 PM H 8192 C:\WINDOWS\system32\config\default.LOG
2/22/2006 12:39:12 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/22/2006 12:39:02 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
2/22/2006 12:39:12 PM H 65536 C:\WINDOWS\system32\config\software.LOG
2/22/2006 12:39:04 PM H 974848 C:\WINDOWS\system32\config\system.LOG
2/20/2006 1:05:20 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/3/2006 9:02:52 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/3/2006 9:02:52 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/3/2006 9:02:52 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/3/2006 9:02:52 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
2/20/2006 3:04:50 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3564f2bc-f2fa-4590-9786-773fbb2a2a3f
12/25/2005 11:29:14 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e85d51cd-647c-43d5-a6a5-83e5fe494a7f
2/20/2006 3:04:50 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/6/2006 11:59:56 AM H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SMSTE3.GID
2/22/2006 12:38:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
2/20/2006 4:18:30 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GVYFIV8L\desktop.ini
2/20/2006 4:18:30 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GX2B01MN\desktop.ini
2/20/2006 4:18:30 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\I3S3SBCP\desktop.ini
2/20/2006 4:18:30 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WTYVGDQ7\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/15/2005 12:08:46 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/10/2005 7:56:36 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
9/11/2005 2:17:32 PM 1465 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
1/10/2005 8:16:32 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
2/22/2006 12:40:36 PM 91648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ptpn.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/10/2005 10:50:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
1/10/2005 7:56:36 PM HS 84 C:\Documents and Settings\mom\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/12/2005 3:11:02 PM 1558 C:\Documents and Settings\mom\Application Data\AdobeDLM.log
1/10/2005 10:50:32 AM HS 62 C:\Documents and Settings\mom\Application Data\desktop.ini
1/12/2005 3:11:02 PM 0 C:\Documents and Settings\mom\Application Data\dm.ini
9/11/2005 5:04:56 PM 83632 C:\Documents and Settings\mom\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\tqtfskfx
{9c8b5612-5356-4bd8-aa0c-ee63fe0cd020} = C:\WINDOWS\system32\obojr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18A5CAE8-FAF6-49A9-B3D8-2954437D9BBC}
CRSSSubscriber Object = C:\Program Files\Lektora\LektoraCOM.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
Trecker Class = C:\PROGRA~1\Jalmp\jalmp.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2}
= C:\WINDOWS\system32\lmknc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{C55D30C7-3B86-4D70-98D3-CAA716DF0D83} = Lektora : C:\Program Files\Lektora\LektoraCOM.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} = :
{C55D30C7-3B86-4D70-98D3-CAA716DF0D83} = Lektora : C:\Program Files\Lektora\LektoraCOM.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
TangoManager C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
EPSON Stylus C44 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
DIGStream C:\Program Files\DIGStream\digstream.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
RegistryMechanic
Personal Firewall C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
Start Outpost C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
susse "C:\WINDOWS\system32\hpsw.exe"
winsync C:\WINDOWS\system32\4d4lxd.exe reg_run
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Skype "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
Rsue "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs c:\progra~1\google\google~1\goec62~1.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/22/2006 12:47:52 PM
I also copied an ewido scan and copied its contents. This was after the first HijackThis log, I believe. I couldn't believe how many infected files it had. I rebooted my computer before starting today. I don't know if this will help or just confuse things. I just have it, so I thought I would include it.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:33:55 PM, 2/20/2006
+ Report-Checksum: 14C96111

+ Scan result:

[1772] C:\WINDOWS\system32\obojr.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[1780] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[2080] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2108] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2116] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2124] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2140] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2188] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2204] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2244] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2276] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2452] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2480] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[3092] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[3340] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[3560] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2348] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2440] C:\WINDOWS\system32\kgksfds.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ptpn.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\mom\Cookies\mom@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mom\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\mom\Local Settings\Temp\Temporary Internet Files\Content.IE5\O9A7KLYB\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\RECYCLER\NPROTECT\01478967.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01478971.TXT -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\RECYCLER\NPROTECT\01478995.TXT -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\01479006.TXT -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\01479012.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01479013.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01479014.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01479021.TXT -> Spyware.Cookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\01479106.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\01479141.TXT -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\RECYCLER\NPROTECT\01479475.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01479496.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\01479503.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0477136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0477138.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0477139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0477140.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0479136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0479137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0479138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0479139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0480136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0480137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0480138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0480139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0482136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0482137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0482138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0482139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0483136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0483137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0483138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0483139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0484136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0484137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0484138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0484139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0485135.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0485137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0485138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0485139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0486135.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0486137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0486138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0486139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0488135.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0488137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0488139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0488140.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0491136.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0491137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0491138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP421\A0491139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP422\A0491159.exe.tcf -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0493135.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0493137.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0493138.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0493139.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0494154.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0494155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0494156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0494158.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0495153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0495154.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0495156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0495157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0496153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0496155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0496157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0496158.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0497153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0497155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0497156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0497157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0498153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0498155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0498156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP423\A0498157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0499153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0499155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0499156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0499157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0500154.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0500155.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP424\A0500157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500279.exe.tcf -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500327.EXE.tcf -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500344.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500345.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500356.exe.tcf -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500357.cpl.tcf -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500358.dll.tcf -> TrojanDownloader.Small : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0500359.EXE.tcf -> Trojan.LowZones.am : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0502150.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0502151.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP425\A0502152.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0502156.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0502158.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0502159.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0503154.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0503157.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0503158.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0504153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0504155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0504156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0504157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0505154.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0505155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0505156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0505157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0506154.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0506156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP426\A0506157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0508151.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0508153.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0508154.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0508155.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0509153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0509155.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0509156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0509157.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0510153.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0510155.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0510156.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0511153.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{A213A27B-F5A9-4D92-BD99-70EECBD73842}\RP427\A0511155.exe -> TrojanDo

#4 Buckeye_Sam (Malware Expert, 10,019 posts)

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\tqtfskfx]

[-HKEY_CLASSES_ROOT\CLSID\{9c8b5612-5356-4bd8-aa0c-ee63fe0cd020}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"susse"=-
"winsync"=-

Now locate and double-click KillQoo.reg -> allow it to merge into the Registry!


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\002k3slc.dll
    C:\WINDOWS\SYSTEM32\kgksfds.dll
    C:\WINDOWS\SYSTEM32\nsj57.dll
    C:\WINDOWS\SYSTEM32\nst64.dll
    C:\WINDOWS\SYSTEM32\nsv63.dll
    C:\WINDOWS\SYSTEM32\ntdll.dll
    C:\WINDOWS\SYSTEM32\obojr.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ptpn.exe
    C:\PROGRA~1\Jalmp\jalmp.dll
    C:\WINDOWS\system32\lmknc.dll
    C:\WINDOWS\system32\hpsw.exe
    C:\WINDOWS\system32\4d4lxd.exe
    C:\WINDOWS\SMBOLS~1\javaw.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

===========

Once your computer reboots please post a new hijackthis log.

#5 rjemps6 (Topic Starter, Member, 10 posts)

Hi Sam,
I am sorry, :) I couldn't figure out how to get back into my own previous thread so I went here. :) I can't remember how I did it last time! Hope you find me! Like I said, I am a novice at this, but can follow explicit directions well. I am such a novice that I had to do a google search on NotePad to figure out what that was and how to open it up, but I did it! Thank you for your detailed instructions. :tazz:

I did all you said to do. I did NOT get the PendingFileRenameOperations prompt, so I did not click OK.
The computer did start automatically, but I had to push the restart button 3 times in the process because the desktop icons as well as the Start menu toolbar wouldn't fully load. I finally manually shut the computer off and made myself a cup of coffee before turning it back on, and it came up correctly. I am still getting pop-ups, many from "offer brought to you by Zeno?" and hotstuffreview.com or adserver? Anyway, let me know if I am giving you too much info; I tend to be wordy. Here's the new HijackThis log. Am I still supposed to have KillQoo.reg and Killbox.exe on my desktop? They are still there. Thanks so much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 8:36:28 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
C:\windows\system32\qsdsregq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\s?stem\w?wexec.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\mwintrai.exe
C:\WINDOWS\SMBOLS~1\javaw.exe
C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\HijackThis.exe
C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
R3 - URLSearchHook: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CRSSSubscriber Object - {18A5CAE8-FAF6-49A9-B3D8-2954437D9BBC} - C:\Program Files\Lektora\LektoraCOM.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Lektora - {C55D30C7-3B86-4D70-98D3-CAA716DF0D83} - C:\Program Files\Lektora\LektoraCOM.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [{F1-10-06-60-ZN}] C:\windows\system32\qsdsregq.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwintrai.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Rsue] "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Loghb] C:\WINDOWS\system32\s?stem\w?wexec.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintrai.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://miniclip.com/...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140465121009
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130738487178
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

merged misplaced post with original post for clarity

#6 Buckeye_Sam (Malware Expert, 10,019 posts)

When you come to the site, click on My Controls and then, on the left side, click View Topics. You should always be able to find your thread listed there.


You can delete KillQoo.reg, but keep Killbox as we'll need to use it a few more times.

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
R3 - URLSearchHook: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll (file missing)
O2 - BHO: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
O2 - BHO: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKLM\..\Run: [{F1-10-06-60-ZN}] C:\windows\system32\qsdsregq.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwintrai.exe FI002
O4 - HKCU\..\Run: [Rsue] "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Loghb] C:\WINDOWS\system32\s?stem\w?wexec.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintrai.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll

Use Killbox again as before to delete these files.

C:\WINDOWS\system32\rcyv.dll
C:\windows\system32\qsdsregq.exe
C:\WINDOWS\SMBOLS~1\javaw.exe
C:\WINDOWS\system32\mwintrai.exe

After you reboot, follow these steps to complete this online virus scan.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open; click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.

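The fix list in post #6 comes from reading the post #5 log entry by entry. As an added example (not from the thread, and not a HijackThis feature), the Python below encodes the patterns the expert acted on: hooks or BHOs whose file is gone, a text/html MIME filter, an autostart living in the browser cache, a path with a character the log cannot display, an 8.3 folder directly under WINDOWS, machine-looking file names, and a second pass that pulls in entries sharing a CLSID or target file with a flagged one, the way the paired R3/O2 entries were handled. The sample log is constructed from lines in this thread, the vowel-density threshold is an assumption, and the output is a triage list for a person to confirm, not a verdict.

```python
import re

# Constructed sample in the format of the HijackThis v1.99.1 log posted in this
# thread: benign entries (Symantec, Java, Adobe) mixed with the ones the expert
# selected for "Fix checked".
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R3 - URLSearchHook: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
R3 - URLSearchHook: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BC0B2B19-E3A4-E15B-A588-943BF17228B6} - C:\WINDOWS\system32\rcyv.dll
O2 - BHO: (no name) - {CDAF2B19-B8A6-B05F-A4DD-91CB5EE85FB2} - C:\WINDOWS\system32\lmknc.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKLM\..\Run: [{F1-10-06-60-ZN}] C:\windows\system32\qsdsregq.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwintrai.exe FI002
O4 - HKCU\..\Run: [Rsue] "C:\WINDOWS\SMBOLS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Loghb] C:\WINDOWS\system32\s?stem\w?wexec.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintrai.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Drive-letter path up to a 2-4 character extension, ended by a quote, space or EOL.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{2,4}(?=["\s]|$)')
VOWELS = set("aeiou")


def parse(line):
    """Split one HijackThis line into its section tag, CLSID and file path."""
    clsid = CLSID_RE.search(line)
    path = PATH_RE.search(line)
    return {"line": line, "section": line.split(" - ", 1)[0].strip(),
            "clsid": clsid.group(0) if clsid else None,
            "path": path.group(0) if path else None}


def looks_random(name):
    """Low vowel density in the file stem (qsdsregq, rcyv, lmknc) is a cheap
    proxy for a generated name; the 0.15 threshold is an assumption."""
    letters = [c for c in name.rsplit(".", 1)[0].lower() if c.isalpha()]
    return len(letters) >= 4 and sum(c in VOWELS for c in letters) / len(letters) < 0.15


def signals(entry):
    """Reasons an entry deserves a look; each one is a pattern seen in this thread."""
    line, section, path = entry["line"], entry["section"], entry["path"]
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("hook or BHO registered for a file that is gone")
    if section == "O18":
        reasons.append("MIME filter on text/html intercepts every page the browser renders")
    if path:
        low = path.lower()
        if "?" in path:
            reasons.append("path has a character HijackThis could not display (system-folder lookalike)")
        if "\\temporary internet files\\" in low or "\\temp\\" in low:
            reasons.append("autostart target lives in a browser cache or temp folder")
        if re.search(r"\\windows\\[^\\]*~\d+\\", low):
            reasons.append("8.3 short-name folder directly under WINDOWS is not a standard location")
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("file name looks machine-generated")
        if section == "O4" and "startup:" in line.lower() and "\\system32\\" in low:
            reasons.append("Startup-folder shortcut launches a file out of system32")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for entries worth fixing, in log order."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    flagged = {}
    for e in entries:
        reasons = signals(e)
        if reasons:
            flagged[e["line"]] = reasons
    # Second pass: pull in entries that share a CLSID or target file with a
    # flagged one, as the expert did with the paired R3/O2 hijacker entries.
    keys = {k.lower() for e in entries if e["line"] in flagged
            for k in (e["clsid"], e["path"]) if k}
    for e in entries:
        if e["line"] not in flagged and any(
                k and k.lower() in keys for k in (e["clsid"], e["path"])):
            flagged[e["line"]] = ["shares a CLSID or target file with a flagged entry"]
    return [(e["line"], flagged[e["line"]]) for e in entries if e["line"] in flagged]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run directly, it prints each flagged line with its reasons; on the sample it selects the same 13 entries as the fix list in post #6.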

#7 rjemps6 (Topic Starter, Member, 10 posts)

Hi Sam,
Sorry it took me so long to get back. Thanks for the help and instructions. Here are the results from the Panda ActiveScan, followed by the new HijackThis log. I had trouble getting to the Panda site from your email, so I tried directly and after some trouble, I was able to do the scan. Hope this is helpful to you, 'cause it's all Greek to me!
Ruthie

Incident Status Location

Adware:adware/purityscan Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\!update.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_0001_N68M1801NetInstaller.exe
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\mom\Cookies\mom@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mom\Cookies\mom@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mom\Cookies\mom@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\mom@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Cookies\mom@cassava[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\mom\Cookies\mom@clickbank[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\mom\Cookies\mom@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\mom\Cookies\mom@findwhat[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[3].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[4].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[5].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\mom@overture[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\mom\Cookies\mom@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\mom\Cookies\mom@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Cookies\mom@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Cookies\mom@trafficmp[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mom\Cookies\mom@webpower[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[1].txt
Adware:Adware/QoolShown Not disinfected C:\!KillBox\4d4lxd.exe
Adware:Adware/PurityScan Not disinfected C:\!KillBox\javaw.exe
Adware:Adware/QoolShown Not disinfected C:\!KillBox\kgksfds.dll
Adware:Adware/Qoologic Not disinfected C:\!KillBox\obojr.dll
Adware:Adware/QoolShown Not disinfected C:\!KillBox\ptpn.exe
Spyware:Cookie/go Not disinfected C:\Documents and Settings\dad\Cookies\dad@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\emma\Cookies\emma@go[2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\mom\Cookies\mom@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mom\Cookies\mom@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mom\Cookies\mom@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\mom@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Cookies\mom@cassava[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\mom\Cookies\mom@clickbank[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\mom\Cookies\mom@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\mom\Cookies\mom@findwhat[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[3].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[4].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\mom@overture[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\mom\Cookies\mom@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\mom\Cookies\mom@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Cookies\mom@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Cookies\mom@trafficmp[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mom\Cookies\mom@webpower[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\!update.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@cassava[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@zedo[2].txt
Adware:Adware/SearchResults Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095317-853.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095318-851.dll
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[51].txt
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[52].txt
Spyware:Cookie/go Not disinfected C:\found.004\dir0000.chk\emma@go[4].txt
Spyware:Cookie/go Not disinfected C:\found.007\dir0000.chk\mom@go[63].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\epad\rtae.exe.tcf
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482149.TCF
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482150.TCF
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482151.dat
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482366.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482378.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482387.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482388.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482392.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482395.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482398.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482402.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482405.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482406.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482407.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482408.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482409.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482410.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482411.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482412.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482413.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482414.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482415.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482416.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482417.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482418.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482419.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482421.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482423.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482424.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482425.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482426.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482427.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482428.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482429.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482430.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482431.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482432.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482433.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482434.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482435.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482436.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482437.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482438.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482439.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482440.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482441.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482442.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482443.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482444.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482445.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482446.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482447.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482448.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482449.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482450.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482451.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482452.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482453.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482454.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482455.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482456.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482457.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482458.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482459.TXT

#8
rjemps6

    Member
  • Topic Starter
  • 10 posts
Sam, did you get the entire Panda scan and hijack log? The message, after I sent it, looked awfully short. I can resend it all, cause I saved both scans, if you didn't.
Ruthie

#9
Buckeye_Sam

    Malware Expert
  • 10,019 posts
No, I didn't get all of them. If you attach the Panda scan log and then post your hijackthis log that should get them both to me.

From what I did see, a lot of your Norton Protected files are infected. Delete everything from Norton's protected recycle bin.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#10
rjemps6

    Member
  • Topic Starter
  • 10 posts
Good Morning, Sam. I will post both separately. Thanks. Please give me instructions on how to delete Norton's Protected recycle bin. I will wait to do ATF Cleaner until I hear back. Should I delete the Norton files before ATF Cleaner? Here is the Panda log:


Incident Status Location

Adware:adware/purityscan Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\!update.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_0001_N68M1801NetInstaller.exe
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\mom\Cookies\mom@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mom\Cookies\mom@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mom\Cookies\mom@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\mom@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Cookies\mom@cassava[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\mom\Cookies\mom@clickbank[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\mom\Cookies\mom@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\mom\Cookies\mom@findwhat[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[3].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[4].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[5].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\mom@overture[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\mom\Cookies\mom@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\mom\Cookies\mom@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Cookies\mom@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Cookies\mom@trafficmp[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mom\Cookies\mom@webpower[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[1].txt
Adware:Adware/QoolShown Not disinfected C:\!KillBox\4d4lxd.exe
Adware:Adware/PurityScan Not disinfected C:\!KillBox\javaw.exe
Adware:Adware/QoolShown Not disinfected C:\!KillBox\kgksfds.dll
Adware:Adware/Qoologic Not disinfected C:\!KillBox\obojr.dll
Adware:Adware/QoolShown Not disinfected C:\!KillBox\ptpn.exe
Spyware:Cookie/go Not disinfected C:\Documents and Settings\dad\Cookies\dad@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\emma\Cookies\emma@go[2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\mom\Cookies\mom@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mom\Cookies\mom@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mom\Cookies\mom@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\mom@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Cookies\mom@cassava[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\mom\Cookies\mom@clickbank[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\mom\Cookies\mom@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\mom\Cookies\mom@findwhat[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[3].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[4].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\mom@overture[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\mom\Cookies\mom@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\mom\Cookies\mom@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Cookies\mom@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Cookies\mom@trafficmp[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mom\Cookies\mom@webpower[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\!update.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@cassava[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Local Settings\Temp\Cookies\mom@zedo[2].txt
Adware:Adware/SearchResults Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095317-853.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095318-851.dll
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[51].txt
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[52].txt
Spyware:Cookie/go Not disinfected C:\found.004\dir0000.chk\emma@go[4].txt
Spyware:Cookie/go Not disinfected C:\found.007\dir0000.chk\mom@go[63].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\epad\rtae.exe.tcf
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482149.TCF
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482150.TCF
Adware:Adware/QoolShown Not disinfected C:\RECYCLER\NPROTECT\01482151.dat
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482366.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482378.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482387.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482388.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482392.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482395.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482398.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482402.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482405.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482406.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482407.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482408.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482409.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482410.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482411.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482412.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482413.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482414.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482415.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482416.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482417.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482418.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482419.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482421.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482423.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482424.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482425.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482426.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482427.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482428.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482429.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482430.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482431.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482432.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482433.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482434.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482435.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482436.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482437.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482438.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482439.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482440.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482441.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482442.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482443.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482444.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482445.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482446.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482447.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482448.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482449.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482450.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482451.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482452.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482453.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482454.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482455.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482456.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482457.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482458.TXT
Spyware:Cookie/go Not disinfected C:\RECYCLER\NPROTECT\01482459.TXT
Spyware:Cookie/go

#11
rjemps6

    Member
  • Topic Starter
  • 10 posts
That other panda active scan looked funny, too, so I went back to the log and changed the format and font. Here it is again. The hijack is to follow. The computer is acting erratically. Sometimes freezing and at other times doing great. My kids enjoy playing Disney's Toon Town. It is an online game you play with your friends. I also recently went onto MySpace.com after I had heard a lot of bad things about it on the news. I wanted to check it out myself, since some of my daughter's friends have web space on there. Since having these two things (especially myspace, except I don't think I had to download anything from them, just open an account so I could view) the computer had all the popups, etc. But it had been freezing regularly before that and had a hard time booting up without multiple restarts. Could it be any of these things? Two last things, the majority of times before the computer freezes, we hear an audible "click" from the PC tower. And the last two times my computer has restarted, before all the icons are up on the desktop, there is a sound, I will try hard to describe it, like "zoooooooopp", drawn out and sort of musical, getting louder towards the end. I know it sounds weird, but it's the truth! What's up with that? Again, I so appreciate all your help and for sticking with me!

Here is the most recent hijack:
Logfile of HijackThis v1.99.1
Scan saved at 7:08:29 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CRSSSubscriber Object - {18A5CAE8-FAF6-49A9-B3D8-2954437D9BBC} - C:\Program Files\Lektora\LektoraCOM.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Lektora - {C55D30C7-3B86-4D70-98D3-CAA716DF0D83} - C:\Program Files\Lektora\LektoraCOM.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [Start Outpost] C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\FMHQ8WBF\Lavasoft%20Personal%20Firewall%20Setup[1].exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://miniclip.com/...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140465121009
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130738487178
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

#12
rjemps6

    Member

  • Topic Starter
  • 10 posts
Sam, I don't know what "bumping" means? Am I "bumping"? I just wanted you to know that I did the ATF Cleaner and freed up 44,433,408 bytes! That seems like a lot! I also figured out how to delete all the Norton Protected files in the recycle bin. Done!

#13
Buckeye_Sam

    Malware Expert

  • 10,019 posts
Oh no, you're not bumping. Bumping refers to constantly replying to your own post in order to keep moving your post back onto the first page of the forum. You've already got a reply from me and I'll be with you until we get your problems sorted out. So feel free to reply as often as you want whenever you have additional info to add.

The sounds that your computer makes may indicate a hardware problem. They are called beep codes and can tell us what hardware component is causing problems. Reboot your computer and listen carefully as it starts to boot up. You may hear one or more short (or long) beep tones. Let me know what you hear.

Now that you've removed the Norton protected files and deleted all of the temp files I'd like to have you run another Panda scan just so we can be sure the malware is gone before we start exploring any other issues.

Save the results of the scan and post it here in your next reply.


BTW, my kids love ToonTown also. :tazz:
There's nothing to worry about there, or at Myspace either.

Edited by Buckeye_Sam, 24 February 2006 - 09:39 PM.


#14
rjemps6

    Member

  • Topic Starter
  • 10 posts
Sam,
Here is the ActiveScan. Sorry if this is a duplicate, but I didn't see it when I checked the posts going back and forth between us. I was tired and could have screwed up. I will shut down the computer and listen to "beeps".
Ruthie


Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_0001_N68M1801NetInstaller.exe
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[2].txt
Adware:Adware/QoolShown Not disinfected C:\!KillBox\4d4lxd.exe
Adware:Adware/PurityScan Not disinfected C:\!KillBox\javaw.exe
Adware:Adware/QoolShown Not disinfected C:\!KillBox\kgksfds.dll
Adware:Adware/Qoologic Not disinfected C:\!KillBox\obojr.dll
Adware:Adware/QoolShown Not disinfected C:\!KillBox\ptpn.exe
Spyware:Cookie/go Not disinfected C:\Documents and Settings\dad\Cookies\dad@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\emma\Cookies\emma@go[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mom\Cookies\mom@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\mom\Cookies\mom@bluestreak[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\mom\Cookies\mom@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\mom\Cookies\mom@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\mom\Cookies\mom@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mom\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mom\Cookies\mom@zedo[2].txt
Adware:Adware/SearchResults Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095317-853.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\mom\My Documents\My Downloads\hijack this\backups\backup-20060222-095318-851.dll
Spyware:Cookie/go Not disinfected C:\Documents and Settings\shea\Cookies\shea@go[1].txt
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[51].txt
Spyware:Cookie/go Not disinfected C:\found.003\dir0000.chk\mom@go[52].txt
Spyware:Cookie/go Not disinfected C:\found.004\dir0000.chk\emma@go[4].txt
Spyware:Cookie/go Not disinfected C:\found.007\dir0000.chk\mom@go[63].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\epad\rtae.exe.tcf
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe
Adware:Adware/QoolShown Not disinfected C:\WINDOWS\system32\bvbpg.dat
Adware:Adware/QoolShown Not disinfected C:\WINDOWS\system32\rorbxqb.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\system32\WinNB57.dll.tcf

#15
rjemps6

    Member

  • Topic Starter
  • 10 posts
Sam,

Okay, this is the way the computer turned on after being shut off and left for a few minutes:

beep, (pause), beep, then a quiet sound like a CD-ROM (a small whirring sound) booting up. Blue Windows screen came up with the 3 blue squares running across the long rectangle. Three more beeps with the quiet CD booting up sound. The blue Windows screen just stayed up and the screen that follows it, the one showing the individual "accounts" you can choose from, never came up. I gave it 5-7 minutes, then hit the restart button.

Here is what happened then:

Beep, (pause), beep, then the window came up where it gave me a choice on how to start Windows because it was shut down improperly. I just let the time run out and let Windows start normally.
Grinding sound like a fan inside the tower was having a hard time, blue Windows screen with the blue squares running across, then blank screen with the arrow cursor, then the screen that shows the accounts, clicked on "mom", and my desktop came up. The icons changed (loaded, I guess) one at a time to the program icon. A quick window came up that said FrontierNet (my DSL) was loading and then that musical "zoooooopp" sound from the speakers, not the tower.

Make what you will of all this! I wrote it down just as it happened!

I will be out of town till Tuesday afternoon, so I won't be able to do any more till then. I am leaving in a few hours. Again, Thanks for all your help, and I will look at the posts again on Tuesday.