#1
Registered User
Need Masters Help!!
Hey guys, I'm back with my girlfriend's laptop running XP. The problem is that it shuts down whenever it wants, there are a bunch of pop-up ads, and there are error messages that come up. Any help would be truly appreciated. Thanks in advance.
Logfile of HijackThis v1.99.1
Scan saved at 6:20:07 PM, on 5/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network\network.exe
C:\winnt\system32\rldsregk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,nifekdh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINNT\system32\nsg18.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINNT\system32\irsmxdyc.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {C0F45088-9654-DD35-CA46-618F03BFCDB1} - C:\WINNT\moyflscg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Search - {F6803F16-C61E-6542-708E-A91E5B9A39B9} - C:\WINNT\moyflscg.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Auto Updater] C:\WINNT\System32\aupdate.exe
O4 - HKLM\..\Run: [fcctfwy] C:\WINNT\fcctfwy.exe
O4 - HKLM\..\Run: [wbzawri] C:\WINNT\wbzawri.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [0go40948.dll] RUNDLL32.EXE 0go40948.dll,b 4034401
O4 - HKLM\..\Run: [{70-0E-E1-13-ZN}] C:\winnt\system32\rldsregk.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\nwinmsag.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\system32\irssyncd.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\nwinmsag.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
#2
Manager, The Conversation Pit/Analyst, Security Team
Hello and Welcome to TSF!!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Also, if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Download Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

===============================================================

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:
Viewpoint

===============================================================

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,nifekdh.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINNT\system32\nsg18.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINNT\system32\irsmxdyc.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {C0F45088-9654-DD35-CA46-618F03BFCDB1} - C:\WINNT\moyflscg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Search - {F6803F16-C61E-6542-708E-A91E5B9A39B9} - C:\WINNT\moyflscg.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Auto Updater] C:\WINNT\System32\aupdate.exe
O4 - HKLM\..\Run: [fcctfwy] C:\WINNT\fcctfwy.exe
O4 - HKLM\..\Run: [wbzawri] C:\WINNT\wbzawri.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [0go40948.dll] RUNDLL32.EXE 0go40948.dll,b 4034401
O4 - HKLM\..\Run: [{70-0E-E1-13-ZN}] C:\winnt\system32\rldsregk.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\nwinmsag.exe FI002
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\nwinmsag.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

===============================================================

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINNT\system32\dnxaa.exe
nifekdh.exe <<<<<< Do a search for and delete
C:\WINNT\system32\nsg18.dll
C:\WINNT\system32\irsmxdyc.dll
C:\Program Files\Viewpoint
C:\WINNT\System32\aupdate.exe
C:\WINNT\fcctfwy.exe
C:\WINNT\wbzawri.exe
C:\Program Files\Network
0go40948.dll <<<<<<< Do a search for and delete
C:\winnt\system32\rldsregk.exe
C:\WINNT\system32\nwinmsag.exe
C:\WINNT\system32\irssyncd.exe

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
** Ewido scan would require at least an hour

===============================================================

Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan
Click on the "Free To Use ActiveScan" located on the top right hand corner
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJack This log and the Ewido Log.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
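The helper's last step is to compare the new HijackThis log against the list of entries that were supposed to be fixed. As an added example (not code from this thread, from HijackThis or from the forum), here is a small Python script that parses HijackThis log entries and does that comparison; the `Entry`, `parse_log`, `remaining_fixes` and `diff_logs` names are the example's own, and the sample excerpts are copied from the logs and fix list posted above.

```python
"""Check a follow-up HijackThis log against a helper's 'Fix Checked' list.

Added example, not part of the original thread. The sample lines below are
excerpts copied from the logs and fix list posted in this thread (constructed
excerpts, not the complete logs).
"""
import re
from dataclasses import dataclass

# A HijackThis v1.99 entry line: a section code ("R0", "F2", "O4", "O15", ...),
# the separator " - ", then the entry body. The header lines and the
# "Running processes" list do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "O4"
    body: str  # everything after " - ", as HijackThis prints it

    def key(self):
        # Registry keys and Windows paths are case-insensitive, and HijackThis
        # printed the same UserInit value as "system32\userinit.exe" in the
        # fix list but "SYSTEM32\Userinit.exe" in the follow-up log, so an
        # exact string comparison would wrongly report that entry as gone.
        return (self.kind, " ".join(self.body.split()).casefold())

    def __str__(self):
        return f"{self.kind} - {self.body}"


def parse_log(text):
    """Return the entries in a HijackThis log (or a pasted 'Fix Checked' list)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def remaining_fixes(fix_list, new_log):
    """Entries from the helper's fix list that are still present in the new log."""
    present = {e.key() for e in parse_log(new_log)}
    return [str(e) for e in parse_log(fix_list) if e.key() in present]


def diff_logs(old_log, new_log):
    """Entry lines removed from and added to the log between two scans."""
    old = {e.key(): e for e in parse_log(old_log)}
    new = {e.key(): e for e in parse_log(new_log)}
    removed = [str(e) for k, e in old.items() if k not in new]
    added = [str(e) for k, e in new.items() if k not in old]
    return removed, added


# Excerpt of the entries the helper asked to 'Fix Checked' (post #2).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,nifekdh.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINNT\system32\nsg18.dll
O4 - HKLM\..\Run: [fcctfwy] C:\WINNT\fcctfwy.exe
O15 - Trusted Zone: *.elitemediagroup.net
"""

# Excerpt of the first log (post #1): the fix-list entries plus a benign one.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:20:07 PM, on 5/20/2006
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
""" + FIX_LIST

# Excerpt of the follow-up log (post #5) after the fixes were applied.
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:20:49 AM, on 5/23/2006
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,nifekdh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    print("Fix-list entries still present:")
    for line in remaining_fixes(FIX_LIST, NEW_LOG):
        print("  ", line)
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("Removed since first log:", *removed, sep="\n  ")
    print("New since first log:", *added, sep="\n  ")
```

Run against the two posted logs, the script reports that both F2 entries (the Shell and UserInit hijacks) survived the fix, which is exactly what a helper would pick out of the follow-up log, and the UserInit entry is matched despite the change in path casing between the two scans.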
#3
Registered User
Hey, thanks for the welcome and the help. I'm on the step where I rebooted in Safe Mode to delete VIEWPOINT, but there are three different ones and I'm not sure which one you want me to get rid of. Here they are in the order they appear:
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar (Remove Only)
Thanks for the help.
#5
Registered User
OK, completed all steps. Here are the scans, in this order: HijackThis, Ewido, and Panda. Thanks for the help:
Logfile of HijackThis v1.99.1
Scan saved at 11:20:49 AM, on 5/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.aexe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,nifekdh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:44:34 AM, 5/23/2006
+ Report-Checksum: 7A20FC01

+ Scan result:

HKLM\SOFTWARE\Classes\BHO.Adware -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Adware\CLSID -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Adware\CurVer -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Adware.1 -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Hider -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Hider\CLSID -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Hider\CurVer -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.Hider.1 -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Netstat -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-3569660965-118950172-1455628950-1003\Software\DelFin -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-3569660965-118950172-1455628950-1003\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup
HKU\S-1-5-21-3569660965-118950172-1455628950-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3569660965-118950172-1455628950-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
[744] C:\WINNT\system32\slgwqgr.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@banner.paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@callingcardscom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cochranfirm.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@install.bestoffersnetworks[1].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@internetfuel[2].txt -> TrackingCookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@weborama[1].txt -> TrackingCookie.Weborama : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www4.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060523-094247-879.dll -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060523-094247-927.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060523-094247-931.dll -> Adware.Ezula : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\b2search_v17.exe -> Dropper.Agent.abb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\E9E2D.tmp/drwst.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\F9AC.tmp/drwst.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mndcntas.tmp -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPER05MV\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\04EDC13C-4E17-4D32-9893-3BFA58\09AEE8A2-2555-4F97-890F-847A40 -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1E85CCFC-139E-4B4D-BF3D-3DCB97\11E06F97-D4F7-4DA5-94CC-95B3DB -> Adware.Mirar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1E85CCFC-139E-4B4D-BF3D-3DCB97\DAA68512-BB29-4BF1-8940-B54CD6 -> Adware.Mirar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2028EA73-47B9-406D-A580-BEA4F9\59C819CB-B323-45F7-9F30-F581B4 -> Downloader.Qoologic.ae : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\573A8C61-CADE-4FD7-87FA-1EC96E\510237F5-2046-4D81-B555-B5BB6C -> Adware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\63935C80-1F99-46DD-96B3-D259F6\D91453F2-8F78-4D85-9EDD-5DB522 -> Adware.EZula : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6FA84692-B434-42D2-875D-B58C89\42021F81-D5B7-4063-8372-AAE1C6 -> Adware.DownloadWare : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\83948E43-F06B-4CEF-9F76-5DB639\BFD5D63B-E9EB-4480-816B-4CAEE3 -> Downloader.Qoologic.ae : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8B1A08EC-2FD3-44B0-9836-6A34B3\ACD595C4-B40D-48FF-9090-B65FF6 -> Adware.Sud : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8B1A08EC-2FD3-44B0-9836-6A34B3\FE8A3822-AE34-4312-83DE-DE009A -> Adware.Sud : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C904535C-7871-40BB-A4EE-06CF5C\A0364EB0-24EA-4522-ABCD-89D1F8 -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CDAFE723-05EE-46C7-87EC-7451E4\A3A8E0B2-6084-4A59-A825-BA7295 -> Downloader.Qoologic.ae : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E78BCD4F-B22C-4008-A0E6-76EF46\3BA2502C-B266-479F-AA79-632438 -> Adware.Suggestor : Cleaned with backup
C:\RECYCLER\S-1-5-21-3569660965-118950172-1455628950-1003\Dc6\network.exe -> Adware.Maxifiles : Cleaned with backup
C:\RECYCLER\S-1-5-21-3569660965-118950172-1455628950-1003\Dc7.exe -> Adware.ZenoSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-3569660965-118950172-1455628950-1003\Dc8.exe -> Adware.ZenoSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-3569660965-118950172-1455628950-1003\Dc9.exe -> Adware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP220\A0059439.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063206.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063207.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063208.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063209.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063210.exe -> Trojan.LowZones.am : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063211.exe -> Adware.EliteMedia : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063212.exe -> Dropper.Agent.aac : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063213.exe -> Downloader.TSUpdate.l : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063214.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063215.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063216.dll -> Adware.TargetServer : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063217.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume
Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP233\A0063218.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0067114.exe -> Adware.Mirar : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068096.exe -> Downloader.Qoologic.at : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068110.exe -> Trojan.LowZones.am : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068111.exe -> Adware.EliteMedia : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068113.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068116.dll -> Adware.Mirar : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068117.dll -> Adware.Mirar : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068118.exe -> Dropper.Agent.abb : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP243\A0068119.dll -> Adware.HideOne : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP248\A0072470.exe -> Downloader.PurityScan.be : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091969.dll -> Adware.Ezula : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091970.dll -> Adware.SafeSurfing : Cleaned with backup C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091971.dll -> Adware.BookedSpace : Cleaned with backup C:\WINNT\876056.exe -> Adware.Mirar : Cleaned with backup C:\WINNT\876057.exe -> 
Adware.Mirar : Cleaned with backup C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup C:\WINNT\Etmxnuuo.dll -> Adware.BookedSpace : Cleaned with backup C:\WINNT\inst_0005.exe -> Downloader.Small : Cleaned with backup C:\WINNT\inst_adperform.exe -> Adware.BargainBuddy : Cleaned with backup C:\WINNT\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup C:\WINNT\system32\adsetup.exe -> Dropper.Agent.abb : Cleaned with backup C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup C:\WINNT\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup C:\WINNT\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup C:\WINNT\system32\MTE3ODM6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup C:\WINNT\system32\nsy26.dll -> Adware.EZula : Cleaned with backup C:\WINNT\system32\nwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup C:\WINNT\system32\rbval.dat -> Downloader.Qoologic.bj : Cleaned with backup C:\WINNT\system32\WinATS.dll -> Adware.Mirar : Cleaned with backup C:\WINNT\unwn.exe -> Trojan.Qoologic : Cleaned with backup ::Report End Incident Status Location Adware:Adware/Qoologic Not disinfected C:\WINNT\system32\slgwqgr.dll Spyware:spyware/surfsidekick Not disinfected c:\winnt\system32\bk.exe Spyware:spyware/safesurf Not disinfected c:\winnt\system32\unirimon.exe Adware:adware/purityscan Not disinfected c:\winnt\system32\wtssvtr.exe Adware:adware/bookedspace Not disinfected c:\winnt\cfgmgr52.ini Adware:adware/maxifiles Not disinfected c:\program files\common files\Download Adware:adware/downloadware Not disinfected c:\program files\MediaLoads Adware:adware/novo Not disinfected Windows Registry Adware:adware/searchresults Not disinfected Windows Registry Spyware:spyware/betterinet Not disinfected Windows Registry Spyware:spyware/clipgenie Not disinfected Windows Registry Adware:adware/sqwire Not disinfected Windows Registry Adware:adware/webext Not 
disinfected Windows Registry Adware:adware/mirar Not disinfected Windows Registry Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ath.belnk[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[2].txt Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[4].txt Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Cookies\owner@errorsafe[2].txt Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[2].txt Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt 
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@offeroptimizer[2].txt Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Owner\Cookies\owner@peel[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rn11[2].txt Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Owner\Cookies\owner@webpower[2].txt Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.advnt01[1].txt Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.errorsafe[1].txt Spyware:Cookie/Maxifiles Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.maxifiles[2].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\comp fix\win32delfkil\Process.exe Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ExtractDLL.dll Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\s3qc..exe[ExtractDLL.dll] Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\s4qk..exe[ExtractDLL.dll] Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local 
Settings\Temp\s6vk..exe[ExtractDLL.dll] Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\s85s.4.exe[ExtractDLL.dll] thanks again |
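The ewido and Panda reports above list well over a hundred hits, but most of them are not live infections: entries under System Volume Information\_restore are copies held inside System Restore points, entries under Microsoft AntiSpyware\Quarantine and hijackthis\backups are items another tool already contained, and the Cookies entries are tracking cookies. What still needs manual removal is the handful of hits in C:\WINNT, in Program Files and in the registry, which is exactly the set the next reply targets. The following Python script is an added example, not part of this thread and not code from either scanner, that parses both report formats and sorts the hits into those buckets. The path classes are this example's own grouping, and the sample lines are a constructed subset copied from the reports posted above.

```python
import re

# Where a hit lives decides whether it is an active infection or a leftover copy.
# These path classes are this example's own grouping, most specific first.
PATH_CLASSES = [
    ("restore_point", re.compile(r"\\system volume information\\_restore", re.I)),
    ("quarantine",    re.compile(r"\\quarantine\\|\\hijackthis\\backups\\", re.I)),
    ("cookie",        re.compile(r"\\cookies\\", re.I)),
    ("temp",          re.compile(r"\\local settings\\temp", re.I)),
    ("recycler",      re.compile(r"^c:\\recycler\\", re.I)),
    ("system",        re.compile(r"^c:\\win(nt|dows)\\", re.I)),
    ("program_files", re.compile(r"^c:\\program files\\", re.I)),
]

# Buckets whose contents are already contained or cannot run by themselves.
INERT = {"restore_point", "quarantine", "cookie", "recycler"}

# ewido result line:  [pid] <path> -> <detection> : <action>   (the [pid] prefix is optional)
EWIDO_RE = re.compile(r"^(?:\[\d+\]\s+)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

# Panda ActiveScan result line:  <category>:<detection> <status> <location>
PANDA_RE = re.compile(
    r"^(?P<kind>[^:]+?):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+(?P<path>.+)$"
)


def parse_ewido(text):
    """Yield (path, detection, action) for each ewido result line; header lines do not match."""
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name"), m.group("action")


def parse_panda(text):
    """Yield (path, detection, status) for each Panda result line; the column header does not match."""
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name"), m.group("status")


def classify(path):
    """Map a reported location to one of the path classes above."""
    if path.strip().lower() == "windows registry":
        return "registry"
    for label, pattern in PATH_CLASSES:
        if pattern.search(path):
            return label
    return "other"


def triage(hits):
    """Group (path, detection, state) tuples by path class."""
    buckets = {}
    for path, name, state in hits:
        buckets.setdefault(classify(path), []).append((name, path, state))
    return buckets


def live_items(buckets):
    """Hits outside the inert buckets: these are the ones that still need removal."""
    return [item for label, items in buckets.items() if label not in INERT for item in items]


# Constructed sample: a subset of the ewido and Panda lines posted in this thread.
EWIDO_SAMPLE = r"""
+ Scan result:
[744] C:\WINNT\system32\slgwqgr.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060523-094247-879.dll -> Adware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1E85CCFC-139E-4B4D-BF3D-3DCB97\11E06F97-D4F7-4DA5-94CC-95B3DB -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091969.dll -> Adware.Ezula : Cleaned with backup
C:\WINNT\system32\rbval.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\unwn.exe -> Trojan.Qoologic : Cleaned with backup
::Report End
"""

PANDA_SAMPLE = r"""
Incident Status Location
Adware:Adware/Qoologic Not disinfected C:\WINNT\system32\slgwqgr.dll
Adware:adware/maxifiles Not disinfected c:\program files\common files\InetGet
Adware:adware/novo Not disinfected Windows Registry
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\comp fix\win32delfkil\Process.exe
"""

if __name__ == "__main__":
    buckets = triage(list(parse_ewido(EWIDO_SAMPLE)) + list(parse_panda(PANDA_SAMPLE)))
    for label, items in sorted(buckets.items()):
        print(f"{label:14} {len(items)} hit(s)")
    print("still live:")
    for name, path, state in live_items(buckets):
        print(f"  {name:28} {state:20} {path}")
```

Running it on the sample separates the twelve hits into seven that still matter (the three C:\WINNT files, the Program Files folder, the registry entry and the loose Process.exe on the desktop) and five that do not. Restore-point copies are best dealt with by turning System Restore off and on again once the machine is clean, and quarantine and backup folders by the tool that owns them; chasing them with KillBox is wasted effort.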
#6 (permalink) |
Manager, The Conversation Pit/Analyst, Security Team
Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if you are using IE, Save Target As.)

Open HijackThis
* Click on the "Configure" button on the bottom right
* Click on the tab "Misc Tools"
* Click on the box that says "Open Uninstall Manager"
* Click on the button "Save list"
Please copy and paste the list from Notepad here.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
#7 (permalink) |
Registered User
here ya gooooo, gracias.
Logfile of HijackThis v1.99.1
Scan saved at 12:25:48 AM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,nifekdh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
AOL Explorer
AOL Instant Messenger
Bejeweled 2 Deluxe
Content Delivery Module
Creative Jukebox Driver
Creative NOMAD II Driver
Do More DVD
ewido anti-malware
Gateway Multi-function Keyboard
GTW V.92 Voicemodem
HijackThis 1.99.1
Homeland Network
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896344)
hp deskjet 3820 series (Remove only)
hp instant support
Intel(R) 830M Chipset Graphics Driver Software
Intel(R) PRO Ethernet Adapter and Software
InterActual Player
IRISmon
J2SE Runtime Environment 5.0 Update 3
Learn2 Player (Uninstall Only)
LimeWire 4.9.30
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MediaLoads
Microsoft AntiSpyware
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser and SDK
MSN Music Assistant
NOMAD Jukebox 3 Driver
Panda ActiveScan
Quicken 2002 New User Edition
Quicklinks
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shockwave
Super TextTwist
Symantec AntiVirus Client
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Webshots Desktop
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889016
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896626
Windows XP Service Pack 2
#8 (permalink) |
Manager, The Conversation Pit/Analyst, Security Team
Please print out or copy this page to Notepad.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Download and install CleanUp! but do not run it yet. =============================================================== Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one: F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,nifekdh.ex e =============================================================== Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. nifekdh.exe c:\program files\common files\Download c:\program files\MediaLoads Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\WINNT\system32\dnxaa.exe C:\WINNT\system32\slgwqgr.dll c:\winnt\system32\bk.exe c:\winnt\system32\unirimon.exe c:\winnt\system32\wtssvtr.exe c:\winnt\cfgmgr52.ini Start KillBox. Go to the File menu, and choose Paste from Clipboard. *Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there. Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File * Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt. *WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. 
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: *Click "Options..." *Move the arrow down to "Custom CleanUp!" *Put a check next to the following:
Press the CleanUp! button to start the program. Reboot/logoff when prompted. =============================================================== Reboot your system in Normal Mode. Please run another Panda Scan. Paste the Panda Scan report here together with a new HiJack This log.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
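The two F2 lines that the reply above has HijackThis fix are its view of the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. On a stock Windows XP install Shell holds only Explorer.exe and Userinit only %SystemRoot%\system32\userinit.exe (Windows writes it with a trailing comma). Anything appended after a comma is started by Winlogon at every logon before the desktop appears, which is how dnxaa.exe and nifekdh.exe survived the earlier scans, and fixing the registry value does not remove the file, hence the separate KillBox step. The following Python script is an added example, not part of this thread and not HijackThis code, that scans an HJT log for F2 lines carrying extra programs. The sample log is a constructed subset of the log posted above, and the table of expected file names is this example's assumption.

```python
import re

# Registry home of the two values HijackThis reports as "F2 - REG:system.ini" lines.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# File names that legitimately belong in each value. Assumption for this example:
# a stock Windows XP install; a managed build with a replacement shell would differ.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}
VALUE_NAMES = {"shell": "Shell", "userinit": "Userinit"}

F2_RE = re.compile(
    r"^F2 - REG:system\.ini:\s*(?P<value>Shell|UserInit)\s*=\s*(?P<data>.*)$", re.I
)


def split_entries(data):
    """Split a comma-separated Winlogon value into its programs.
    A trailing comma (the default Userinit value ends with one) yields no extra entry."""
    return [e.strip() for e in data.split(",") if e.strip()]


def base_name(entry):
    """Lower-case file name of a path or bare executable, ignoring surrounding quotes."""
    return entry.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_f2(line):
    """Return (value name in lower case, [entries]) for an F2 line, else None."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    return m.group("value").lower(), split_entries(m.group("data"))


def suspicious_f2(log_text):
    """Return [(value name, [unexpected entries])] for every F2 line with extra programs."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_f2(line)
        if parsed is None:
            continue
        value, entries = parsed
        extras = [e for e in entries if base_name(e) not in EXPECTED[value]]
        if extras:
            findings.append((VALUE_NAMES[value], extras))
    return findings


def report(log_text):
    """One human-readable line per finding, naming the registry value to inspect."""
    return [
        f"{WINLOGON_KEY}\\{value}: unexpected {', '.join(extras)}"
        for value, extras in suspicious_f2(log_text)
    ]


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,nifekdh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
"""

# Constructed clean case: the default Userinit value with its trailing comma.
CLEAN_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("clean log findings:", suspicious_f2(CLEAN_LOG))
```

On the machine itself the same two values can be read directly with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` (and `/v Shell`), which is worth doing after the HijackThis fix and the reboot to confirm the extra entries did not come back. The check is by file name only, so a replacement that keeps the name userinit.exe but points at another directory would pass; comparing the full path against %SystemRoot%\system32 closes that gap at the cost of a false positive on systems installed to a different root.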
#9 (permalink) |
Registered User
here yea go
Logfile of HijackThis v1.99.1
Scan saved at 9:46:34 AM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\dnxaa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,nifekdh.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

Incident Status Location
Adware:Adware/Qoologic Not disinfected C:\WINNT\system32\slgwqgr.dll
Adware:adware/maxifiles Not disinfected c:\program files\common files\InetGet
Adware:adware/novo Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Adware:adware/downloadware Not disinfected Windows Registry
Adware:adware/searchresults Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Spyware:spyware/clipgenie Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/webext Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/bookedspace Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
#10 (permalink) |
Manager, The Conversation Pit/Analyst, Security Team
Please save this page or print it out. Be sure to work through the fixes in exact order.
Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
* Right-click the Microsoft AntiSpyware icon located in the system tray
* Click on Security Agents Status (Enabled)
* Click on Disable Real-time Protection

Reboot into safe mode.

Delete the following folder:
c:\program files\common files\InetGet

Now, run another ewido scan and save the log.
Next, please run Qoofix.bat from earlier.
Reboot into normal mode.
Now run another Panda Scan and save the log.
Run another HijackThis scan and save the log.

Download FindQool http://downloads.subratam.org/Lon/FindQool.zip
* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the txt.log which will open

So the reports we are looking for are
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
#11
Registered User
here ya go:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:41:05 PM, 5/25/2006
+ Report-Checksum: 3ACBDBA4
+ Scan result:
[744] C:\WINNT\system32\slgwqgr.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091973.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091974.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091975.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091976.exe -> Adware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091977.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091978.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091979.dll -> Adware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091980.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091981.exe -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091982.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091983.exe -> Dropper.Agent.abb : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091984.dll -> Downloader.Agent.agw : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091985.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091986.dll -> Adware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091987.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091988.dll -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091989.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091990.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091991.exe -> Trojan.Qoologic : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0091993.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0092015.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0092039.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP258\A0092040.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\system32\rbval.dat -> Downloader.Qoologic.bj : Cleaned with backup
::Report End

Incident | Status | Location
Adware:adware/maxifiles | Not disinfected | c:\program files\common files\Windows
Adware:adware/novo | Not disinfected | Windows Registry
Spyware:spyware/safesurf | Not disinfected | Windows Registry
Adware:adware/downloadware | Not disinfected | Windows Registry
Adware:adware/searchresults | Not disinfected | Windows Registry
Spyware:spyware/betterinet | Not disinfected | Windows Registry
Spyware:spyware/clipgenie | Not disinfected | Windows Registry
Adware:adware/sqwire | Not disinfected | Windows Registry
Adware:adware/webext | Not disinfected | Windows Registry
Adware:adware/mirar | Not disinfected | Windows Registry
Adware:adware/bookedspace | Not disinfected | Windows Registry
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Adware:Adware/Maxifiles | Not disinfected | C:\Program Files\InetGet2\webhost2.exe
Spyware:Spyware/LinkReplacer | Not disinfected | C:\Program Files\Microsoft AntiSpyware\Quarantine\04EDC13C-4E17-4D32-9893-3BFA58\54743BCD-EEC7-487C-BF36-E1C2D2
Virus:Trj/Downloader.GIK | Disinfected | C:\Program Files\Microsoft AntiSpyware\Quarantine\E358A593-5785-4C63-9D92-376CED\72B4DBB7-25F2-42B6-BA51-7E3A41
Adware:Adware/ConsumerAlertSystem | Not disinfected | C:\WINNT\pf78.exe
Adware:Adware/PurityScan | Not disinfected | C:\WINNT\system32\GS2.exe
Adware:Adware/eZula | Not disinfected | C:\WINNT\system32\nsz49.dll
Adware:Adware/BookedSpace | Not disinfected | C:\WINNT\system32\ventcc.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:40:46 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\AOL\1124746521\ee\AOLServiceHost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124746521\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

Thu 05/25/2006
Running from: C:\FindQool

PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names MD5 Check....

Files found with locate com. Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
HKEY_CLASSES_ROOT\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}
...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...
Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINNT\system32\Userinit.exe,
...
SWReg utility Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006
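As an added example that is not part of this thread and not HijackThis's or FindQool's own code: a small Python parser for the HijackThis log format posted above, with the three triage checks the helpers apply by eye here. It flags entries marked "(file missing)", O23 services with an unknown owner, and F2 Winlogon Shell/UserInit values that carry more than the expected single program (the same doublecheck FindQool prints under "Files In Winlogon shell and userinit"). The sample log is constructed from entries modelled on the thread; the F2 lines and the EXAMPLE_* file names are placeholders, not files from this machine.

```python
import re
from dataclasses import dataclass

# One HijackThis section entry: a code such as R1, F2, O4 or O23, then the rest of the line.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> list:
    """Return the section entries of a HijackThis log.

    The header and the 'Running processes' list carry no section code and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def _winlogon_values(body: str):
    """Split 'REG:system.ini: Shell=Explorer.exe, extra.exe' into ('shell', [programs])."""
    _, _, assignment = body.partition(": ")
    key, _, value = assignment.partition("=")
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return key.strip().lower(), programs


def triage(entries) -> list:
    """Apply three defender-side checks and return (code, reason, body) tuples."""
    findings = []
    for e in entries:
        # A startup or service entry pointing at a file that no longer exists
        # is leftover configuration that should be cleaned up.
        if "(file missing)" in e.body:
            findings.append((e.code, "referenced file is missing", e.body))
        # A service whose binary carries no vendor information deserves a look.
        if e.code == "O23" and "Unknown owner" in e.body:
            findings.append((e.code, "service with unknown owner", e.body))
        # Winlogon Shell should be exactly Explorer.exe and UserInit exactly one
        # userinit.exe; anything appended to either value runs at every logon.
        if e.code == "F2" and e.body.startswith("REG:system.ini:"):
            key, programs = _winlogon_values(e.body)
            if key == "shell" and [p.lower() for p in programs] != ["explorer.exe"]:
                findings.append((e.code, "extra program in Winlogon Shell", e.body))
            if key == "userinit" and (
                len(programs) != 1 or not programs[0].lower().endswith("\\userinit.exe")
            ):
                findings.append((e.code, "extra program in Winlogon UserInit", e.body))
    return findings


def triage_log(text: str) -> list:
    return triage(parse_hjt(text))


# Constructed sample log modelled on the thread's entries; the F2 lines and the
# EXAMPLE_* file names are placeholders, not files from the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\EXAMPLE_extra.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,EXAMPLE_init.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

if __name__ == "__main__":
    for code, reason, body in triage_log(SAMPLE_LOG):
        print(f"{code}: {reason}: {body}")
```

Run it against a saved HijackThis log by passing the file's text to triage_log(); the checks are deliberately narrow, so an empty result means only that these three conditions are absent, not that the log is clean.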
#13
Analyst, Security Team
Delete these:
c:\program files\common files\Windows
C:\Program Files\InetGet2\
C:\WINNT\pf78.exe
C:\WINNT\system32\GS2.exe
C:\WINNT\system32\nsz49.dll
C:\WINNT\system32\ventcc.exe

Delete everything inside these folders:
C:\Program Files\Microsoft AntiSpyware\Quarantine\
C:\Documents and Settings\Owner\Cookies\

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#15
Analyst, Security Team
Try reinstalling AOL to see if it fixes that dll error message you are getting.
Make sure you turn off any antivirus programs you have running while performing the online scan below.

Using Internet Explorer, run a virus scan at http://www.kaspersky.com/virusscanner
* Click on 'Launch Kaspersky Anti-Virus Web Scanner' and install the ActiveX component from Kaspersky.
* Click Yes and it will begin downloading the latest definition files.
* Once that's done, click on 'Scan Settings' and make sure the following are selected:
  Scan using the following Anti-Virus database: - Extended
  Scan Options: - Scan Archives - Scan Mail Bases
* Click OK.
* Now under select a target to scan, select 'My Computer'. It will start and scan your system. The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the 'Save as Text' button. Save the file to your desktop.
* Copy and paste that information in your next post.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#16
Registered User
Here you go, and also I deleted AOL because I really don't need it.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 01, 2006 11:37:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/06/2006
Kaspersky Anti-Virus database records: 197845
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 37450
Number of viruses found: 9
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 00:50:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06880000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09480000.VBN Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09480001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09480002.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B980000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\13700000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\14C40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\16B40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\16FC0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\BE780000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\BE780001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINNT\justin2a.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINNT\justin2a.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINNT\justin2a.exe NSIS: infected - 2 skipped
C:\WINNT\system32\ir4epl35.dll Infected: Trojan.Win32.Crypt.t skipped
C:\WINNT\system32\VB1.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\WINNT\system32\VB1.exe WiseSFX: infected - 1 skipped
C:\WINNT\system32\VB1.exe WiseSFX Dropper: infected - 1 skipped
C:\WINNT\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINNT\YOINSI.exe NSIS: infected - 1 skipped

Scan process completed.
#17
Analyst, Security Team
Empty your Norton Quarantined files folder...
Delete these:
C:\WINNT\justin2a.exe
C:\WINNT\system32\ir4epl35.dll
C:\WINNT\system32\VB1.exe
C:\WINNT\YOINSI.exe

Restart the computer. How is it running now?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#18
Registered User
I was unable to delete C:\WINNT\system32\ir4epl35.dll, don't know why, just couldn't: "access denied". And I still get one or two pop ups, and when I shut down I get error messages. Last time I wrote some of it down:
hr32...tr.exe (not completely sure if that's right). The other one I got today was dsqtmler.exe, so any help will do. Thanks a lot.
#19
Analyst, Security Team
Print out these instructions and close ALL windows before continuing.
Download Look2Me-Destroyer http://www.atribune.org/ccount/click.php?id=7 and save the file to your desktop.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to 'Run this program as a task'.
* You will receive a message saying 'Look2Me-Destroyer will close and re-open in approximately 10 seconds'. Click OK.
* When Look2Me-Destroyer re-opens, click the 'Scan for L2M button'. Your desktop icons will disappear - this is normal.
* Once it's done scanning, click the 'Remove L2M button'.
* You will receive a 'Done Scanning message'. Click OK.
* When completed, you will receive this message: 'Done removing infected files! Look2Me-Destroyer will now shutdown your computer'. Click OK.
* Your computer will then shutdown.
* Turn your computer back on.

Post the contents of C:\Look2Me-Destroyer.txt here.

*NOTE: If for some reason you get a mswinsck.ocx file missing when running Look2Me Destroyer, go to http://www.ascentive.com/support/new...e=MSWINSCK.OCX and get the file there instead. Then try running Look2Me Destroyer again.

Run a new Kaspersky scan and post that log here along with a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.