
Discussion Starter #1
Hi guys. My friend's computer has a bad infection. He has Windows XP SP1. I ran Ad-Aware, Spybot, Stinger, and Microsoft, all in safe mode. I wasn't able to even get into normal mode. After running all those I was able to get into normal mode and still got unbelievable amounts of pop-ups. Also, in the middle of scans, the computer just shuts off and restarts randomly. I've set his computer to download some updates and I hope it makes it through. Here is the HJT log; any advice would be much appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:06:57 PM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\izgyhbe.exe
C:\WINDOWS\System32\cxjqdmh.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\rmopzzp.EXE
C:\WINDOWS\system\rosvg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
J:\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vpeii.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ieog.exe] C:\WINDOWS\ieog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\sdkddx.exe reg_run
O4 - HKLM\..\Run: [rmopzzp] C:\WINDOWS\rmopzzp.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [nhpyqkk] C:\WINDOWS\System32\cxjqdmh.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\WmndowsAccessBridge.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe
 

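The log above is read by section code: R0/R1 are browser start/search settings, F2 is the Winlogon shell value, O4 is the Run keys, O16 is downloaded ActiveX (DPF) entries, O20 covers AppInit_DLLs and Winlogon Notify, O21 is ShellServiceObjectDelayLoad, and O23 is services. The following script is an added example (not from the thread, and not HijackThis's own logic) that applies a hand-written subset of the heuristics a removal helper applies by eye to a handful of lines copied from the posted log. The host allowlist and the "Windows directory" rule are assumptions for illustration.

```python
"""Triage a HijackThis 1.99 log by section code.

Added example: not from the thread and not HijackThis's own logic. The
sample lines are copied from the log posted above; the rules are a
hand-written subset of the usual removal heuristics, and the search-host
allowlist is an assumption for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a dozen lines taken from the posted log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vpeii.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [rmopzzp] C:\WINDOWS\rmopzzp.EXE
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\WmndowsAccessBridge.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe
"""


@dataclass
class Finding:
    severity: str   # critical | suspicious | review
    code: str       # HijackThis section code (R1, F2, O4, ...)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# Unquoted path ending in an executable extension. Quoted paths containing
# spaces are deliberately not matched; the rule below only cares about the
# Windows directory, where paths have no spaces.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\s\"]+\.(?:exe|com|dll|cpl|scr))", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Directories from which legitimate software almost never autostarts via a
# Run key, and which XP-era droppers favoured (assumption behind the O4 rule).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system"}
# Search providers treated as benign defaults (illustrative allowlist, an assumption).
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "home.microsoft.com"}


def _dir_of(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def classify(line: str):
    """Return a Finding for one HJT line, or None if the rule set has nothing to say."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")

    if code in ("R0", "R1"):
        if "res://" in rest:
            return Finding("critical", code, "search/start page served from a local DLL resource", line)
        host = URL_RE.search(rest)
        if host and host.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            return Finding("review", code, f"search setting points at third-party host {host.group(1)}", line)
        return None

    if code == "F2" and "Shell=" in rest:
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding("critical", code, "Winlogon shell value starts an extra program alongside Explorer", line)
        return None

    if code == "O20":
        if rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            return Finding("critical", code, "AppInit_DLLs is loaded into every process that uses user32.dll", line)
        if rest.startswith("Winlogon Notify:"):
            return Finding("review", code, "Winlogon Notify DLL runs inside winlogon.exe at logon; verify the vendor", line)
        return None

    if code == "O21":
        return Finding("suspicious", code, "ShellServiceObjectDelayLoad entry loaded by Explorer at startup", line)
    if code == "O16" and "file://" in rest.lower():
        return Finding("suspicious", code, "ActiveX download entry pointing at a local file:// CAB", line)
    if code == "O23" and "Unknown owner" in rest:
        return Finding("suspicious", code, "service without a vendor name", line)

    if code == "O4":
        paths = PATH_RE.findall(rest)
        if paths and _dir_of(paths[0]) in WINDOWS_DIRS:
            return Finding("suspicious", code, "Run key launches an executable straight from the Windows directory", line)
    return None


def triage(log_text: str) -> list:
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def summary(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.code:3} {f.reason}\n           {f.line}")
```

Run on the sample, the script flags three critical items (the res:// search hijack, the Shell= override that starts Nail.exe alongside Explorer, and the AppInit_DLLs injection), four suspicious ones and two for review; the Symantec Run entry and the empty Start Page pass through untouched. The rules are intentionally conservative: an entry that is not flagged is not thereby clean, which is why a helper still reads the whole log.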
TSF Security Manager, Emeritus
Ugh... please do not have this system updated to SP2 until it is clean! This can cause more trouble than good.

Let's begin with this:

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful".
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
 

Discussion Starter #5
Ewido Report followed by HJT log - thanks

Hi, I thought I posted this earlier but I guess not. Here are the two reports.

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:13:55 PM, 8/30/2005
+ Report-Checksum: 40B12351

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{69A88C5E-04E5-741D-6CA2-9CB5374EB263} -> Spyware.CoolWebSearch : Cleaned with backup
[1444] VM_011C0000 -> Adware.BetterInternet : Error during cleaning
[508] C:\WINDOWS\system32\oveacc.dll -> Spyware.Look2Me : Error during cleaning
[1412] C:\WINDOWS\System32\AUNPS2.DLL -> Spyware.Hijacker.Generic : Error during cleaning
[1540] C:\WINDOWS\System32\zsipdqm.exe -> Trojan.Agent.cp : Cleaned with backup
[3048] C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtdt.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eee08l7q.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owne[email protected][2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\DelD.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\i37C.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache35551.tmp/Gummy.class -> Trojan.Java.Femad : Error during cleaning
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_104.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_105.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nsh_110.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\pcs_0016.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0016.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\resE.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr06B7\xud_63.dll -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr8A4D -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IP2RAN0V\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPE3SH0J\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W3AHO1WL\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y5CDK9ST\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_30.exe -> TrojanDownloader.Mediket.ay : Error during cleaning
C:\Program Files\Common Files\mc-110-12-0000079.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll -> Spyware.MegaSearch : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0F171AF3-4117-4EC5-8AEE-882962\6E16078E-8C7F-4E28-9D72-9C3351 -> TrojanDropper.Small.qn : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0F171AF3-4117-4EC5-8AEE-882962\EE7F1B9C-5FD2-48CB-B21A-D498A7 -> TrojanDropper.Agent.hl : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A32E9A4D-2134-43AC-AF43-943FBB\C3CDCB10-FD42-4EE0-A766-E2C9B5 -> Spyware.HotSearchBar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A752A816-A58E-4F6D-A1BF-F4AB07\38795B5C-9174-4498-B641-75AC29 -> Spyware.180Solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-228871674-3870199324-3360530579-1003\Dc3.exe -> Spyware.Pacer : Cleaned with backup
C:\RECYCLER\S-1-5-21-228871674-3870199324-3360530579-1003\Dc5.exe -> Adware.Saha : Cleaned with backup
C:\Temp\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\aolback.exe.lnk:mxfli -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atid.ini:alvka -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\gsxgl.txt:gyrqz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB821431.log:rscjv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfclk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\offun.exe -> TrojanDownloader.VB.hw : Cleaned with backup
C:\WINDOWS\Q329112.log:eek:uezny -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\QTFont.qfn:tqfxf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\regopt.log:qqamw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\regopt.log:zwunl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:esqqu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:mwclf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:kyffh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:nanuu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:nijdm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\setuperr.log:pncng -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Soap Bubbles.bmp:xygwc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Soap Bubbles.bmp:yjmnj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Ssgw6su.GID:houta -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Ssgw6su.GID:ybqfq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system\__delete_on_reboot__rosvg.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\WINDOWS\system.ini:mtbjw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\agledit.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\CQWMDM.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\docooxb.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\dxloader.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hrtplug.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\izeshare.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jTvaee.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lcimg11n.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lvghours.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mqjter35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\mxwstr10.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\rlboex32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ssayerxp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\stlgntfy.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\tDpi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wihisn.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wknsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\WmndowsAccessBridge.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wvp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wvqvv.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\wwnhttp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__AUNPS2.DLL -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__ebdbb.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__fgdggfs.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__oveacc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__sdkddx.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\vbaddin.ini:pmett -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:gkjtr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt.bmp:glmhp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wsdu.log:jdnmo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ytbsa.txt:rcked -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ceuam -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:cmrie -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:cucrl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:dpkmlb -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_default.pif:iwcya -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:pskze -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:razgx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tyfqw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:udvxz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 9:15:05 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\rmopzzp.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\izgyhbe.exe
C:\WINDOWS\System32\??pPatch\ping.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe
C:\WINDOWS\System32\onecabl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search345quest.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vpeii.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search345quest.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshdwpr.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ieog.exe] C:\WINDOWS\ieog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [rmopzzp] C:\WINDOWS\rmopzzp.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]
O4 - HKLM\..\Run: [icddpjp] C:\WINDOWS\System32\onecabl.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Jssh] C:\WINDOWS\System32\??pPatch\ping.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125256244468
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\bec42d.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe
 

Please print out or Save this Page to your desktop in order to assist you when carrying out the following instructions.

Notes
FYI: I had your thread at SpyWareInfo.com closed, as you are receiving help here.

Downloads
Please download dsrfix.zip from Atribune and save it to your desktop.
  • Double-Click on dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • DO NOT RUN IT YET

Download AboutBuster from http://www.greyknight17.com/spy/AboutBuster.sfx.exe and uncompress the files to a folder on the Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now. DO NOT RUN IT YET

Download SpSeHjfix here and unzip it to its own folder (preferably C:\spsehjfix). DO NOT RUN IT YET

Download LQfix from http://users.pandora.be/bluepatchy/LQfix.zip and save it to your desktop. DO NOT RUN IT YET

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
DO NOT RUN IT YET

Download Process Explorer from http://www.sysinternals.com/Utilities/ProcessExplorer.html

To begin: Please open HijackThis and click on Scan.
Look for any entry in the O4 section that has a lonely " r" at the end. LEAVE HIJACKTHIS OPEN, and note the path to that file.

Run Process Explorer and find the file we just found in HijackThis in the list of Processes.
Select the process and click Process > Suspend.
DO NOT CLOSE THIS PROGRAM

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the Explorer window, navigate to the file we just found and click Open.
When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.


Boot Into Safe Mode
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

SurfSideKick


Run Downloaded Programs
1. Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

2. Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

3. Double click on the LQFix.bat program you downloaded.
A DOS window will open and close again; this is normal.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search345quest.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vpeii.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search345quest.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshdwpr.dll
O4 - HKLM\..\Run: [ieog.exe] C:\WINDOWS\ieog.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [rmopzzp] C:\WINDOWS\rmopzzp.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]
O4 - HKLM\..\Run: [icddpjp] C:\WINDOWS\System32\onecabl.exe r <--entry with lone " r"
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Jssh] C:\WINDOWS\System32\??pPatch\ping.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


Run Downloaded Programs
4. Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close; this is normal.


Stop NT Service

Part1

  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the " System Startup Service " service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
  • sc delete svcproc
  • Close the Command Prompt window


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\SurfSideKick 3\
C:\WINDOWS\System32\pkshdwpr.dll
C:\WINDOWS\rmopzzp.EXE
C:\WINDOWS\VCMnet11.exe
ALCXMNTR.EXE <--search for via "start | Search"
AUNPS2.DLL<--search for via "start | Search"
C:\WINDOWS\System32\pshwr.exe
C:\Program Files\Common Files\Windows\
C:\Program Files\Common Files\mc-110-12-0000079.exe
C:\WINDOWS\System32\??pPatch\
c:\ex.cab
C:\WINDOWS\System32\vbsys2.dll


Reboot your system in Normal Mode.


5. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


What I need back...
1. About:buster log
2. Spsehjfix log
3. L2MFix log
4. fresh HijackThis Log

After these infections we will tackle KavSvc.
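A small triage script for HijackThis logs, added here as an example and not part of the thread or of HijackThis itself: it flags the entry types the instructions above have the poster find by eye (the O4 line ending in a lone " r", "(file missing)" registrations, Winlogon Notify DLLs outside an assumed Windows XP baseline, a populated AppInit_DLLs value, DPF controls installed from a local file:// cab, and IE search settings pointing at the hijack hosts seen in this log). The sample lines are copied from the HJT log above; the baseline DLL list is an assumption of the example.

```python
"""Triage a HijackThis 1.99 log for the entry types fixed in this thread.

Added example, not code from the thread or from HijackThis itself.
"""
import re
from dataclasses import dataclass
from typing import List

# Winlogon Notify packages normally present on Windows XP. This baseline is
# an assumption of the example; adjust it to the machine being examined.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll", "igfxsrvc.dll",
}

# Search-hijack hosts that appear in the R0/R1 lines of the log above.
HIJACK_HOSTS = ("search345quest.com", "drsnsrch.com")

# Matches the section code at the start of every HJT entry, e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str  # HJT section code such as "O4"
    reason: str   # why the entry is flagged
    line: str     # the original log line


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry in an HJT log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header lines, process list, blanks
        section, body = match.groups()

        # O4 autorun whose command line ends in a lone " r": the helper singles
        # these out because the process must be suspended before the file can
        # be scheduled for deletion on reboot.
        if section == "O4" and body.endswith(" r"):
            findings.append(Finding(section, "O4 autorun with lone ' r' argument", line))

        # A registration whose backing file is gone is a leftover to clean up.
        if "(file missing)" in body:
            findings.append(Finding(section, "registration for a missing file", line))

        # O20 Winlogon Notify DLL outside the baseline (what L2MFix removes).
        if section == "O20" and "Winlogon Notify:" in body:
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(section, f"unknown Winlogon Notify DLL {dll}", line))

        # AppInit_DLLs is loaded into every process that links user32; any value set is notable.
        if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(section, "AppInit_DLLs is populated", line))

        # O16 ActiveX control installed from a local file:// cab rather than a web host.
        if section == "O16" and "file://" in body.lower():
            findings.append(Finding(section, "DPF control installed from local file:// cab", line))

        # R0/R1 Internet Explorer search settings pointing at a known hijack host.
        if section in ("R0", "R1") and any(host in body for host in HIJACK_HOSTS):
            findings.append(Finding(section, "IE search setting points at hijack host", line))
    return findings


# Constructed sample: a handful of lines copied from the HJT log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [icddpjp] C:\WINDOWS\System32\onecabl.exe r
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\bec42d.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search345quest.com/sp2.php
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed it a full pasted log and the benign Motive and igfxcui lines drop out while the seven entries the helper targets are listed with the reason each was flagged.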
 

Discussion Starter #7
Ok, that was rough - here are all the logs

-I couldn't download LQfix - link didn't work
-There was no O4 with the lonely " r" at the end
-SurfSideKick was really hard to uninstall - I think I got it in the end - but not positive
-Couldn't locate the "System Startup Service" in services.msc so I didn't do those two parts - doesn't seem to exist
-Thanks for all the help!!!


AB Log file

AboutBuster 5.0 reference file 31
Scan started on [9/2/2005] at [4:52:55 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Q814995.log:bjbknj
Removed Stream! C:\WINDOWS\_default.pif:avpovd
Removed Stream! C:\WINDOWS\_default.pif:lpsyrq
------------------------------------------------
Removed File! : C:\Windows\System32\qtugc.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:53:13 PM

__________________________________________________________________

Spsehjfix log file



(9/2/05 4:54:30 PM) SPSeHjFix started v1.1.2
(9/2/05 4:54:30 PM) OS: WinXP Service Pack 1 (5.1.2600)
(9/2/05 4:54:30 PM) Language: english
(9/2/05 4:54:30 PM) Win-Path: C:\WINDOWS
(9/2/05 4:54:30 PM) System-Path: C:\WINDOWS\System32
(9/2/05 4:54:30 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(9/2/05 4:54:35 PM) Disinfection started
(9/2/05 4:54:35 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:35 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:35 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:35 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\vpeii.dll/sp.html#10001
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
(9/2/05 4:54:35 PM) Stealth-String not found
(9/2/05 4:54:35 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) Bad IE-pages: (none)
(9/2/05 4:54:46 PM) Stealth-String not found
(9/2/05 4:54:46 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) Bad IE-pages: (none)
(9/2/05 4:54:46 PM) Stealth-String not found
(9/2/05 4:54:46 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:47 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:47 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:47 PM) Bad IE-pages: (none)
(9/2/05 4:54:47 PM) Stealth-String not found
(9/2/05 4:54:47 PM) No locked Files to delete. End without Reboot


(9/2/05 4:54:54 PM) SPSeHjFix started v1.1.2
(9/2/05 4:54:54 PM) OS: WinXP Service Pack 1 (5.1.2600)
(9/2/05 4:54:54 PM) Language: english
(9/2/05 4:54:54 PM) Win-Path: C:\WINDOWS
(9/2/05 4:54:54 PM) System-Path: C:\WINDOWS\System32
(9/2/05 4:54:54 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(9/2/05 4:54:55 PM) Disinfection started
(9/2/05 4:54:55 PM) Bad-Dll(IEP): (not found)
(9/2/05 4:54:55 PM) Bad-Dll(IEP) in BHO: (not found)
(9/2/05 4:54:55 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:55 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:55 PM) Bad IE-pages: (none)
(9/2/05 4:54:55 PM) Stealth-String not found
(9/2/05 4:54:55 PM) Not infected->END
________________________________________________________________

L2MFix log file

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1284 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1316 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\bec42d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bec42d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dAdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dAdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iEssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iEssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okexl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okexl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smbiop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smbiop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\bec42d.dll
Successfully Deleted: C:\WINDOWS\system32\bec42d.dll
deleting: C:\WINDOWS\system32\bec42d.dll
Successfully Deleted: C:\WINDOWS\system32\bec42d.dll
deleting: C:\WINDOWS\system32\dAdim.dll
Successfully Deleted: C:\WINDOWS\system32\dAdim.dll
deleting: C:\WINDOWS\system32\dAdim.dll
Successfully Deleted: C:\WINDOWS\system32\dAdim.dll
deleting: C:\WINDOWS\system32\dgutil.dll
Successfully Deleted: C:\WINDOWS\system32\dgutil.dll
deleting: C:\WINDOWS\system32\dgutil.dll
Successfully Deleted: C:\WINDOWS\system32\dgutil.dll
deleting: C:\WINDOWS\system32\iEssam.dll
Successfully Deleted: C:\WINDOWS\system32\iEssam.dll
deleting: C:\WINDOWS\system32\iEssam.dll
Successfully Deleted: C:\WINDOWS\system32\iEssam.dll
deleting: C:\WINDOWS\system32\mrdmo.dll
Successfully Deleted: C:\WINDOWS\system32\mrdmo.dll
deleting: C:\WINDOWS\system32\mrdmo.dll
Successfully Deleted: C:\WINDOWS\system32\mrdmo.dll
deleting: C:\WINDOWS\system32\okexl32.dll
Successfully Deleted: C:\WINDOWS\system32\okexl32.dll
deleting: C:\WINDOWS\system32\okexl32.dll
Successfully Deleted: C:\WINDOWS\system32\okexl32.dll
deleting: C:\WINDOWS\system32\smbiop.dll
Successfully Deleted: C:\WINDOWS\system32\smbiop.dll
deleting: C:\WINDOWS\system32\smbiop.dll
Successfully Deleted: C:\WINDOWS\system32\smbiop.dll
deleting: C:\WINDOWS\system32\wjspdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wjspdmoe.dll
deleting: C:\WINDOWS\system32\wjspdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wjspdmoe.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: bec42d.dll (188 bytes security) (deflated 48%)
adding: dAdim.dll (188 bytes security) (deflated 48%)
adding: dgutil.dll (188 bytes security) (deflated 48%)
adding: iEssam.dll (188 bytes security) (deflated 48%)
adding: mrdmo.dll (188 bytes security) (deflated 48%)
adding: okexl32.dll (188 bytes security) (deflated 48%)
adding: smbiop.dll (188 bytes security) (deflated 48%)
adding: wjspdmoe.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 46%)
adding: lo2.txt (188 bytes security) (deflated 86%)
adding: test.txt (188 bytes security) (deflated 85%)
adding: test2.txt (188 bytes security) (deflated 27%)
adding: test3.txt (188 bytes security) (deflated 27%)
adding: test5.txt (188 bytes security) (deflated 27%)
adding: vx2logs.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 82%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: bec42d.dll
deleting local copy: bec42d.dll
deleting local copy: dAdim.dll
deleting local copy: dAdim.dll
deleting local copy: dgutil.dll
deleting local copy: dgutil.dll
deleting local copy: iEssam.dll
deleting local copy: iEssam.dll
deleting local copy: mrdmo.dll
deleting local copy: mrdmo.dll
deleting local copy: okexl32.dll
deleting local copy: okexl32.dll
deleting local copy: smbiop.dll
deleting local copy: smbiop.dll
deleting local copy: wjspdmoe.dll
deleting local copy: wjspdmoe.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bec42d.dll
C:\WINDOWS\system32\bec42d.dll
C:\WINDOWS\system32\dAdim.dll
C:\WINDOWS\system32\dAdim.dll
C:\WINDOWS\system32\dgutil.dll
C:\WINDOWS\system32\dgutil.dll
C:\WINDOWS\system32\iEssam.dll
C:\WINDOWS\system32\iEssam.dll
C:\WINDOWS\system32\mrdmo.dll
C:\WINDOWS\system32\mrdmo.dll
C:\WINDOWS\system32\okexl32.dll
C:\WINDOWS\system32\okexl32.dll
C:\WINDOWS\system32\smbiop.dll
C:\WINDOWS\system32\smbiop.dll
C:\WINDOWS\system32\wjspdmoe.dll
C:\WINDOWS\system32\wjspdmoe.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CE05AA2B-DD3D-4AF8-968B-7B3E2EF5E4FD}"=-
"{931AB084-368F-4F5A-AF1F-1A86CB26ACFB}"=-
"{5AEA2036-6F89-4F72-80AE-A46A2C6E9666}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CE05AA2B-DD3D-4AF8-968B-7B3E2EF5E4FD}]
[-HKEY_CLASSES_ROOT\CLSID\{931AB084-368F-4F5A-AF1F-1A86CB26ACFB}]
[-HKEY_CLASSES_ROOT\CLSID\{5AEA2036-6F89-4F72-80AE-A46A2C6E9666}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
_________________________________________________________________


HJT log file

Logfile of HijackThis v1.99.1
Scan saved at 5:42:02 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125256244468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)
 

Registered · 13 Posts · Discussion Starter #11
New HJT log after running LQfix

Logfile of HijackThis v1.99.1
Scan saved at 8:47:15 PM, on 9/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125256244468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)
 

TSF Security Team, Emeritus · 26,363 Posts
Please save the following instructions to Notepad.

Download & install - CleanUp.exe


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • DNS
  • winCMAPP


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Windows Overlay Components
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button


Have HijackThis fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)



Reboot to Safe Mode


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\DNS\
  • C:\Program Files\winCMAPP\
Locate and delete the following files:
  • C:\WINDOWS\System32\ebgvw.dll
  • C:\WINDOWS\izgyhbe.exe


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Reboot to Normal Mode & Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post along with a new HJT log

* Turn off the real time scanner of any existing antivirus program while performing the online scan
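The triage the helper does by hand above, as an added example (not code from the thread or from the HijackThis project): it parses HJT 1.99 entries, flags them on the signals used in this thread, diffs the 9/2 and 9/8 logs to show what LQfix changed, and checks which fix-list lines survive in a later log. The log excerpts inside are constructed from entries quoted in the posts above, and the flagging rules are this example's own.

```python
"""Parse, triage and diff HijackThis 1.99 logs.

Added example for this thread, not code from the thread or from HijackThis.
The log excerpts are constructed from entries quoted in the posts above.
"""
import re
from dataclasses import dataclass

# An HJT entry: a section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

@dataclass(frozen=True)
class Entry:
    code: str
    body: str

    def __str__(self):
        return f"{self.code} - {self.body}"

def parse_hjt(text):
    """Return the R/F/N/O entries; the header and 'Running processes' lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["code"], m["body"]) for m in matches if m]

def triage(entries, removed_programs=(), watch_files=()):
    """Flag entries on the signals the helper acted on in this thread: a service with
    no vendor or a missing binary, a missing default URLSearchHook, an IE setting reset
    to about:blank, and anything pointing at a program or file slated for removal."""
    findings = []
    for e in entries:
        body = e.body.lower()
        if e.code == "O23" and ("(file missing)" in body or "unknown owner" in body):
            findings.append((e, "service with unknown owner or missing binary"))
        elif e.code == "R3" and "is missing" in body:
            findings.append((e, "default URLSearchHook missing"))
        elif e.code == "R1" and body.endswith("= about:blank"):
            findings.append((e, "IE setting reset to about:blank"))
        elif any(f"\\{p.lower()}\\" in body for p in removed_programs):
            findings.append((e, "references a program slated for removal"))
        elif any(f.lower() in body for f in watch_files):
            findings.append((e, "references a file slated for deletion"))
    return findings

def diff_logs(before_text, after_text):
    """(added, removed) entries between two logs of one machine, e.g. to see what a
    fix tool such as LQfix actually changed."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(after - before, key=str), sorted(before - after, key=str)

def still_present(after_text, fix_lines):
    """Which of the 'Have HijackThis fix these' lines survive in a later log."""
    wanted = {str(e) for e in parse_hjt(fix_lines)}
    return sorted(wanted & {str(e) for e in parse_hjt(after_text)})

# Constructed excerpt of the 9/2/2005 log (entries quoted in the thread).
LOG_SEP2 = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)
"""

# Constructed excerpt of the 9/8/2005 log posted after LQfix: the entries it gained.
LOG_SEP8 = LOG_SEP2 + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# The lines the helper asked HijackThis to fix, as quoted in the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)
"""

def demo():
    """Triage the 9/8 log, diff it against 9/2, then check the fix list before and
    after a simulated HijackThis fix (the fix-list lines dropped from the log)."""
    flagged = triage(parse_hjt(LOG_SEP8), removed_programs=("DNS", "winCMAPP"),
                     watch_files=("ebgvw.dll", "izgyhbe.exe"))
    added, removed = diff_logs(LOG_SEP2, LOG_SEP8)
    fixed = "\n".join(l for l in LOG_SEP8.splitlines() if l not in FIX_LIST.splitlines())
    return {
        "flagged": sorted(str(e) for e, _ in flagged),
        "reasons": {str(e): why for e, why in flagged},
        "added": [str(e) for e in added],
        "removed": [str(e) for e in removed],
        "unfixed_before": still_present(LOG_SEP8, FIX_LIST),
        "unfixed_after": still_present(fixed, FIX_LIST),
    }
```

On the excerpts above the six flagged entries are exactly the helper's fix list, and the diff shows LQfix added only the about:blank Search Bar entry and the ccApp Run entry.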
 

Registered · 13 Posts · Discussion Starter #13
kaspersky log and HJT log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, September 13, 2005 21:41:55
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/09/2005
Kaspersky Anti-Virus database records: 140200
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 57311
Number of viruses found: 39
Number of infected objects: 243
Number of suspicious objects: 0
Duration of the scan process: 2967 sec

Infected Object Name - Virus Name
C:\Program Files\apsi\wtta.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\Program Files\Norton AntiVirus\Quarantine\02B64702.tmp Infected: Trojan.Java.ClassLoader.k
C:\Program Files\Norton AntiVirus\Quarantine\1A290BED.tmp Infected: Trojan.Java.ClassLoader.z
C:\Program Files\Norton AntiVirus\Quarantine\1A4F26E4.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\Program Files\Norton AntiVirus\Quarantine\1C0B3A89.tmp Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4A1720FA.exe Infected: Trojan.Win32.Dialer.eb
C:\Program Files\Norton AntiVirus\Quarantine\617605B1.exe Infected: Trojan.Win32.Dialer.eb
C:\Program Files\Norton AntiVirus\Quarantine\66DE36E3 Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\6E027FEF.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton AntiVirus\Quarantine\6E0529EB.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton AntiVirus\Quarantine\790B1A2C.tmp Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\7C0705BB.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.bem
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049634.exe Infected: Trojan-Downloader.Win32.QDown.z
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049640.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049642.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049643.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049664.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049666.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0049667.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050664.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050666.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050667.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050674.exe Infected: Trojan-Downloader.Win32.Qoologic.v
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050680.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050681.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050683.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050686.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050708.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050709.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050711.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050712.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050713.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0050715.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0051706.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0051713.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0051714.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0051723.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052724.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052726.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052727.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052728.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052729.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052730.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052731.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052740.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052742.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052743.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052744.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052745.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0052746.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053739.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053741.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053742.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053743.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053744.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053745.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053747.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053754.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053755.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053757.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053758.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053759.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053760.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053761.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP246\A0053762.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054754.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054756.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054757.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054758.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054759.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054760.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0054761.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055767.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055768.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055769.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055770.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055771.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055773.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055776.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055779.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055782.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055782.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055782.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055787.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055798.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055799.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055800.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055801.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055802.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055803.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055810.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055811.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055813.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055814.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055815.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055816.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055817.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055818.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055824.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0055825.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056144.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056147.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056148.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056149.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056157.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056159.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056160.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056161.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056162.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056163.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056164.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056176.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056182.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056185.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056186.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056187.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056188.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056189.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056190.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056197.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056198.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056200.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056201.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056202.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056203.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056204.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056205.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP247\A0056224.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056261.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056269.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056271.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056272.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056273.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056274.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056275.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056276.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0056308.exe Infected: Trojan-Downloader.Win32.Small.bem
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057268.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057271.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057272.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057273.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057274.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057275.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057276.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP251\A0057283.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057739.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057794.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057800.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057802.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057804.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057806.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057809.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057810.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0057823.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058747.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058749.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058750.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058751.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058752.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058753.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058754.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058782.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058787.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058790.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058791.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058792.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058793.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058794.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058795.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058805.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058809.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058810.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058811.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058812.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058813.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP276\A0058814.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059806.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059809.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059810.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059811.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059812.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059813.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059814.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059820.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059844.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059845.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059853.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059854.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059855.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059856.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059857.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059858.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059859.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059867.exe Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059871.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059872.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059877.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059878.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059879.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059880.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059881.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059890.lnk:mxfli:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059891.ini:alvka:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059894.exe Infected: Trojan-Downloader.Win32.VB.hw
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059895.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059907.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059911.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059918.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059919.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059920.ini:pmett:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:ceuam:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:cmrie:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:cucrl:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:iwcya:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:pskze:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:razgx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:tyfqw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:udvxz:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059922.exe Infected: Trojan-Downloader.Win32.Intexp.e
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059926.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059927.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059928.exe Infected: Trojan-Downloader.Win32.Agent.rv
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059933.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059946.EXE Infected: Trojan-Downloader.Win32.VB.nw
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059947.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059982.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059984.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059985.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059986.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059987.EXE Infected: Trojan-Downloader.Win32.VB.nw
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059988.exe Infected: Trojan-Dropper.Win32.Agent.tb
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP278\A0062090.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP278\A0062100.exe Infected: Trojan-Downloader.Win32.Agent.hw
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP278\A0062118.exe Infected: Trojan-Downloader.Win32.PurityScan.an
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP278\A0062136.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP284\A0070290.exe Infected: Trojan-Downloader.Win32.Apropo.aj
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L81ZQEK8\!update-2434[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.an
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9EBDG05\!update-2404[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.an
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\Pop2.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\system32\shopinst.exe Infected: Trojan-Downloader.Win32.Small.apm

Scan process completed.
________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:43:04 PM, on 9/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125256244468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

TSF Security Team, Emeritus
26,363 Posts
Before we proceed, Kaspersky found a lot of infected files in Norton's quarantine folder & System Restore's cache. Let's clear that up or the next scan will pick it up again.

Please use Symantec's guide to remove the Quarantine files.


CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download these files & save them on Desktop. We'll need to use them later.

WinPfind.zip

TrackQoo.zip

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\Program Files\apsi\wtta.exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L81ZQEK8\!update-2434[1].0000
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9EBDG05\!update-2404[1].0000
    C:\WINDOWS\system32\InstallerV5.exe
    C:\WINDOWS\system32\Pop2.exe
    C:\WINDOWS\system32\shopinst.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\apsi\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click WinPFind.zip & extract the contents to a new folder at Drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply


Extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next reply.
* If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

In your next post, please include fresh logs from:
  • HiJackThis log
  • WinPfind
  • TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
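The helper's first point above is a triage step: a scan listing like the Kaspersky one is only useful once you separate live files on disk from copies sitting in System Restore points, the antivirus quarantine and the browser cache, because each location calls for a different cleanup action. The script below is an added example of that triage and is not part of the thread or a tool any of the helpers used. It assumes the `<path> Infected: <detection>` line format seen in the log above; the sample lines are constructed from a few entries of that log plus one hypothetical Norton quarantine path (the quarantine entries the helper refers to are not in this part of the thread). It also recognises two forms worth knowing when reading such logs: an alternate data stream entry (`file.pif:stream:$DATA`), where the on-disk host is the file before the first colon after the path, and an archive-member entry (`file.exe/data0006`), where the object to act on is the container before the slash.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the Kaspersky log above, plus one
# hypothetical Norton quarantine entry (assumed path; not from the thread).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059880.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP277\A0059921.pif:ceuam:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L81ZQEK8\!update-2434[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.an
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\Pop2.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A1B2C3D.exe Infected: Trojan.Win32.Pakes

Scan process completed.
"""

# One finding per line: everything before " Infected: " is the object path.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")
# Alternate data stream: <host file>:<stream name>:$DATA
ADS_RE = re.compile(r"^(?P<file>.+?):(?P<stream>[^:\\/]+):\$DATA$", re.IGNORECASE)

# Cleanup step each location calls for (mirrors the helper's post above).
ACTIONS = {
    "restore_point": "clear & reset System Restore (the copies live in old restore points)",
    "quarantine": "empty the antivirus quarantine folder",
    "browser_cache": "clear Temporary Internet Files",
    "live": "remove the file itself (delete on reboot if it is locked)",
}


def classify_location(path: str) -> str:
    """Bucket a detected path by where it sits on the system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    return "live"


def parse_scan_log(text: str) -> list:
    """Turn scan output lines into structured findings; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("path")
        # "file.exe/data0006" is a member inside a packed file; the on-disk
        # object to act on is the container before the "/".
        container = raw.split("/", 1)[0]
        ads = ADS_RE.match(container)
        findings.append({
            "path": ads.group("file") if ads else container,
            "stream": ads.group("stream") if ads else None,
            "archive_member": "/" in raw,
            "detection": m.group("name"),
            "location": classify_location(container),
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts per location, de-duplicated live files, ADS host files and the action per bucket."""
    by_location = Counter(f["location"] for f in findings)
    return {
        "by_location": dict(by_location),
        "live_files": sorted({f["path"] for f in findings if f["location"] == "live"}),
        "ads_hosts": sorted({f["path"] for f in findings if f["stream"]}),
        "actions": {loc: ACTIONS[loc] for loc in by_location},
    }


if __name__ == "__main__":
    report = summarize(parse_scan_log(SAMPLE_LOG))
    for loc, n in sorted(report["by_location"].items()):
        print(f"{loc:14} {n:3}  -> {report['actions'][loc]}")
    print("live files:", *report["live_files"], sep="\n  ")
    print("files hosting ADS streams:", *report["ads_hosts"], sep="\n  ")
```

Run against a full log, the `live_files` list is the short list that actually needs removal (in the thread, the same handful of `system32` files the helper put into KillBox), while the restore-point and quarantine counts explain why a rescan would keep reporting hundreds of hits until System Restore is reset and the quarantine emptied. The `ads_hosts` list is worth a look on its own: the `.pif` and `.ini` hosts in the log above are ordinary-looking files carrying hidden streams, which plain directory listings do not show.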
 