Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
alright, so ive been battling this r?ndll32.exe for too long and i think its time to throw in the towel and ask for some assistance. Heres my log file.... hope you can help.

Logfile of HijackThis v1.99.1
Scan saved at 5:11:03 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bomsj428.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\tuhx\utyty.exe
C:\WINDOWS\system32\meicva\obtxwl.exe
C:\WINDOWS\system32\ybpjanyn\dtqmqlpq.exe
C:\WINDOWS\system32\ajmtqsj\fgyo.exe
C:\WINDOWS\system32\nxih\impbs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rrama\opeg.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\xbxx\hwpm.exe
C:\WINDOWS\system32\ddlurq\bnhqfg.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\eymjj\vahdw.exe
C:\WINDOWS\system32\ocvmcw\aokdc.exe
C:\WINDOWS\system32\xpydg\secwv.exe
C:\WINDOWS\system32\lsujbsfv\pteua.exe
C:\WINDOWS\system32\bwyln\xdej.exe
C:\WINDOWS\system32\mcke\fngbr.exe
C:\WINDOWS\system32\cxihk\ktfyt.exe
C:\WINDOWS\system32\pdbm\uysa.exe
C:\WINDOWS\system32\okwf\ogmmuvwm.exe
C:\WINDOWS\system32\dtgf\ytby.exe
C:\WINDOWS\system32\qsifhj\jtgbnu.exe
C:\WINDOWS\system32\bvdoqd\edtnnpls.exe
C:\WINDOWS\system32\ijqiiy\aoaa.exe
C:\WINDOWS\system32\cdvntv\tphuej.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLHostManager.exe
C:\WINDOWS\system32\syvccbyx\bnqwa.exe
C:\WINDOWS\system32\aqcbmm\mgaj.exe
C:\WINDOWS\system32\acmwket\bglulhit.exe
C:\WINDOWS\system32\uiixu\cpli.exe
C:\WINDOWS\system32\gqhml\rwdif.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLServiceHost.exe
C:\WINDOWS\system32\heiemwt\bpteqc.exe
C:\WINDOWS\system32\murs\vmijactb.exe
C:\WINDOWS\system32\ofndkk\jckynj.exe
C:\WINDOWS\system32\gdda\esvtw.exe
C:\WINDOWS\system32\kvyae\dsjdqjm.exe
C:\WINDOWS\system32\vooun\spkiyfop.exe
C:\WINDOWS\system32\ndelbm\miwlgar.exe
C:\WINDOWS\system32\ukmrgxvv\bhxlrxgb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLServiceHost.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {369ABBD3-0092-8745-2028-63ADC7061F76} - C:\WINDOWS\ipvh32.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zucejzz.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [qdbih] C:\WINDOWS\system32\utwhu\qdbih.exe
O4 - HKLM\..\Run: [bomsj428] C:\WINDOWS\system32\bomsj428.exe
O4 - HKLM\..\Run: [dtqmqlpq] C:\WINDOWS\system32\ybpjanyn\dtqmqlpq.exe
O4 - HKLM\..\Run: [bqndrpa] C:\WINDOWS\system32\kauecnn\bqndrpa.exe
O4 - HKLM\..\Run: [impbs] C:\WINDOWS\system32\nxih\impbs.exe
O4 - HKLM\..\Run: [pkxhotnx] C:\WINDOWS\system32\oltderck\pkxhotnx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [opeg] C:\WINDOWS\system32\rrama\opeg.exe
O4 - HKLM\..\Run: [hwpm] C:\WINDOWS\system32\xbxx\hwpm.exe
O4 - HKLM\..\Run: [mtqgw] C:\WINDOWS\system32\hdcu\mtqgw.exe
O4 - HKLM\..\Run: [bnhqfg] C:\WINDOWS\system32\ddlurq\bnhqfg.exe
O4 - HKLM\..\Run: [vahdw] C:\WINDOWS\system32\eymjj\vahdw.exe
O4 - HKLM\..\Run: [mufhl] C:\WINDOWS\system32\inqkevyw\mufhl.exe
O4 - HKLM\..\Run: [aokdc] C:\WINDOWS\system32\ocvmcw\aokdc.exe
O4 - HKLM\..\Run: [secwv] C:\WINDOWS\system32\xpydg\secwv.exe
O4 - HKLM\..\Run: [pteua] C:\WINDOWS\system32\lsujbsfv\pteua.exe
O4 - HKLM\..\Run: [xdej] C:\WINDOWS\system32\bwyln\xdej.exe
O4 - HKLM\..\Run: [fngbr] C:\WINDOWS\system32\mcke\fngbr.exe
O4 - HKLM\..\Run: [ktfyt] C:\WINDOWS\system32\cxihk\ktfyt.exe
O4 - HKLM\..\Run: [uysa] C:\WINDOWS\system32\pdbm\uysa.exe
O4 - HKLM\..\Run: [ogmmuvwm] C:\WINDOWS\system32\okwf\ogmmuvwm.exe
O4 - HKLM\..\Run: [ytby] C:\WINDOWS\system32\dtgf\ytby.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125533828\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [jtgbnu] C:\WINDOWS\system32\qsifhj\jtgbnu.exe
O4 - HKLM\..\Run: [edtnnpls] C:\WINDOWS\system32\bvdoqd\edtnnpls.exe
O4 - HKLM\..\Run: [fevska] C:\WINDOWS\system32\rkeolrrq\fevska.exe
O4 - HKLM\..\Run: [aoaa] C:\WINDOWS\system32\ijqiiy\aoaa.exe
O4 - HKLM\..\Run: [tphuej] C:\WINDOWS\system32\cdvntv\tphuej.exe
O4 - HKLM\..\Run: [rqxreme] C:\WINDOWS\system32\psqoddgc\rqxreme.exe
O4 - HKLM\..\Run: [pdbbgrdr] C:\WINDOWS\system32\aiin\pdbbgrdr.exe
O4 - HKLM\..\Run: [bnqwa] C:\WINDOWS\system32\syvccbyx\bnqwa.exe
O4 - HKLM\..\Run: [mgaj] C:\WINDOWS\system32\aqcbmm\mgaj.exe
O4 - HKLM\..\Run: [bglulhit] C:\WINDOWS\system32\acmwket\bglulhit.exe
O4 - HKLM\..\Run: [cpli] C:\WINDOWS\system32\uiixu\cpli.exe
O4 - HKLM\..\Run: [rwdif] C:\WINDOWS\system32\gqhml\rwdif.exe
O4 - HKLM\..\Run: [prbb] C:\WINDOWS\system32\bkjq\prbb.exe
O4 - HKLM\..\Run: [endbuq] C:\WINDOWS\system32\nolc\endbuq.exe
O4 - HKLM\..\Run: [bpteqc] C:\WINDOWS\system32\heiemwt\bpteqc.exe
O4 - HKLM\..\Run: [vmijactb] C:\WINDOWS\system32\murs\vmijactb.exe
O4 - HKLM\..\Run: [yugqvk] C:\WINDOWS\system32\qliocd\yugqvk.exe
O4 - HKLM\..\Run: [jckynj] C:\WINDOWS\system32\ofndkk\jckynj.exe
O4 - HKLM\..\Run: [esvtw] C:\WINDOWS\system32\gdda\esvtw.exe
O4 - HKLM\..\Run: [dsjdqjm] C:\WINDOWS\system32\kvyae\dsjdqjm.exe
O4 - HKLM\..\Run: [kycoa] C:\WINDOWS\system32\irex\kycoa.exe
O4 - HKLM\..\Run: [oiiyc] C:\WINDOWS\system32\lpnahn\oiiyc.exe
O4 - HKLM\..\Run: [spkiyfop] C:\WINDOWS\system32\vooun\spkiyfop.exe
O4 - HKLM\..\Run: [edtefjng] C:\WINDOWS\system32\mwyptpeu\edtefjng.exe
O4 - HKLM\..\Run: [miwlgar] C:\WINDOWS\system32\ndelbm\miwlgar.exe
O4 - HKLM\..\Run: [bhxlrxgb] C:\WINDOWS\system32\ukmrgxvv\bhxlrxgb.exe
O4 - HKLM\..\Run: [fgyo] C:\WINDOWS\system32\ajmtqsj\fgyo.exe
O4 - HKLM\..\Run: [obtxwl] C:\WINDOWS\system32\meicva\obtxwl.exe
O4 - HKLM\..\Run: [utyty] C:\WINDOWS\system32\tuhx\utyty.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Vhrz] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c9.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Gpginfqd.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any and all help will be appreciated. Merci.
 

·
Administrator
Joined
·
4,870 Posts
Hi and welcome to TSF

You have quite a few badguys in your log but I am just going to see if we can clean up a bit with a few tools before tackling it head on.
_________________________________________________

You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C: then click on File > New > Folder and call it HJK , or another name of your choice.
_________________________________________________

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.
_________________________________________________

Please make sure you run the following tools. Download and update the databases on each program before running.
_________________________________________________

Download, install,and update Ewido Security Suite
  • Install Ewido Security Suite
  • Launch Ewido, there will be a big E icon on your desktop which you must double-click.
  • The program will prompt you to update so you need to click the OK button
  • The program will take you to the main screen
You must update Ewido with the latest definition files.
  • On the left hand side of the main screen click Update
  • Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido
_________________________________________________

Reboot into Safe Mode by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
_________________________________________________

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - Perform action on all infections. Choose clean then click [OK].
  • Once finished, click the [Save report] button and save the report to your desktop.
Close Ewido
_________________________________________________

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will need to use another utility

Click OK, Press the CleanUp! button to start the program and reboot your system in Normal Mode when prompted.
_________________________________________________

Please do an online scan at Panda ActiveScan

  1. Click on the Scan your PC button & a pop up window shall appear. *Ensure that your pop up blocker doesn't block it*
  2. Click On Next
  3. Enter your e-mail address & click Send. *It will begin downloading Panda's ActiveX controls which are about 8MB in size*
  4. In the next window, & checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (Heuristic)
    • Detect spyware

  5. Begin the scan by selecting All My Computer

    You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

  6. If it finds any malware, it will offer you a report. Click on See report
  7. Then click Save report
_________________________________________________

Paste the results of the Panda Scan here together with a new HiJack This log.
 

·
Registered
Joined
·
3 Posts
Discussion Starter · #3 ·
thanks horse, time for round two

i did everything on the list, and here are the documents that you asked for.

Panda:


Incident Status Location

Virus:Trj/Downloader.EMU Disinfected Operating system
Spyware:Spyware/Ukiee No disinfected C:\WINDOWS\SYSTEM32\RRAMA\OPEG.EXE
Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/gator No disinfected C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
Adware:adware/wupd No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\Symantec AntiVirus\SAVRT\0026NAV~.TMP
Possible Virus. No disinfected C:\Program Files\Symantec AntiVirus\SAVRT\0387NAV~.TMP
Possible Virus. No disinfected C:\Program Files\Symantec AntiVirus\SAVRT\0529NAV~.TMP
Possible Virus. No disinfected C:\Program Files\Symantec AntiVirus\SAVRT\0818NAV~.TMP
Adware:Adware/MultiMPP No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036782.inf
Adware:Adware/MediaTickets No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036915.REG
Virus:Trj/Downloader.BVH Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036920.exe
Virus:Trj/Downloader.BVH Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036923.exe
Virus:Trj/Downloader.BVH Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036925.exe
Virus:Trj/Downloader.BVH Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036926.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036953.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036954.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036955.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036956.exe
Virus:Trj/Downloader.FAL Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036957.exe
Virus:Trj/Downloader.FAL Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036958.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036959.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036960.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036961.exe
Virus:Trj/Downloader.FAL Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036962.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036963.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036964.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036965.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036966.exe
Virus:Trj/Downloader.EMU Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036967.exe
Virus:Trj/Downloader.FAL Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036968.exe
Spyware:Spyware/Ukiee No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP275\A0036972.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\conscorr.inf
Spyware:Spyware/Ukiee No disinfected C:\WINDOWS\SYSTEM32\rrama\opeg.exe
Adware:Adware/WUpd No disinfected C:\world.htm
Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:55 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bslhysq\eiuks.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\fnjsgl\cicqvdne.exe
C:\WINDOWS\system32\ocvmcw\aokdc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\cdvntv\tphuej.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\vooun\spkiyfop.exe
C:\WINDOWS\system32\meicva\obtxwl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\plivfg\cekyoysp.exe
C:\WINDOWS\system32\kvtlyhgo\ursnfy.exe
C:\WINDOWS\system32\rkhh\kbivphwl.exe
C:\WINDOWS\system32\qcnrex\hkklt.exe
C:\WINDOWS\system32\dvsxjx\lknddeai.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\AOL\1125533828\ee\AOLServiceHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mtdqmim\nxvfln.exe
C:\WINDOWS\system32\sonxn\tyxrolvx.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {369ABBD3-0092-8745-2028-63ADC7061F76} - C:\WINDOWS\ipvh32.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zucejzz.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [qdbih] C:\WINDOWS\system32\utwhu\qdbih.exe
O4 - HKLM\..\Run: [bqndrpa] C:\WINDOWS\system32\kauecnn\bqndrpa.exe
O4 - HKLM\..\Run: [pkxhotnx] C:\WINDOWS\system32\oltderck\pkxhotnx.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [opeg] C:\WINDOWS\system32\rrama\opeg.exe
O4 - HKLM\..\Run: [aokdc] C:\WINDOWS\system32\ocvmcw\aokdc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125533828\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [tphuej] C:\WINDOWS\system32\cdvntv\tphuej.exe
O4 - HKLM\..\Run: [prbb] C:\WINDOWS\system32\bkjq\prbb.exe
O4 - HKLM\..\Run: [esvtw] C:\WINDOWS\system32\gdda\esvtw.exe
O4 - HKLM\..\Run: [spkiyfop] C:\WINDOWS\system32\vooun\spkiyfop.exe
O4 - HKLM\..\Run: [obtxwl] C:\WINDOWS\system32\meicva\obtxwl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [cekyoysp] C:\WINDOWS\system32\plivfg\cekyoysp.exe
O4 - HKLM\..\Run: [ftkabkr] C:\WINDOWS\system32\ckhjrha\ftkabkr.exe
O4 - HKLM\..\Run: [qxoa] C:\WINDOWS\system32\hgpprlmp\qxoa.exe
O4 - HKLM\..\Run: [kbivphwl] C:\WINDOWS\system32\rkhh\kbivphwl.exe
O4 - HKLM\..\Run: [hkklt] C:\WINDOWS\system32\qcnrex\hkklt.exe
O4 - HKLM\..\Run: [lknddeai] C:\WINDOWS\system32\dvsxjx\lknddeai.exe
O4 - HKLM\..\Run: [ursnfy] C:\WINDOWS\system32\kvtlyhgo\ursnfy.exe
O4 - HKLM\..\Run: [cicqvdne] C:\WINDOWS\system32\fnjsgl\cicqvdne.exe
O4 - HKLM\..\Run: [eiuks] C:\WINDOWS\system32\bslhysq\eiuks.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nxvfln] C:\WINDOWS\system32\mtdqmim\nxvfln.exe
O4 - HKLM\..\Run: [tyxrolvx] C:\WINDOWS\system32\sonxn\tyxrolvx.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Vhrz] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c9.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again... your help is vastly appreciated.
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Next pass.....

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following IF listed.

Viewpoint
WeatherBug
Myway/MySearch


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bslhysq\eiuks.exe
C:\WINDOWS\system32\fnjsgl\cicqvdne.exe
C:\WINDOWS\system32\ocvmcw\aokdc.exe
C:\WINDOWS\system32\cdvntv\tphuej.exe
C:\WINDOWS\system32\vooun\spkiyfop.exe
C:\WINDOWS\system32\meicva\obtxwl.exe
C:\WINDOWS\system32\plivfg\cekyoysp.exe
C:\WINDOWS\system32\kvtlyhgo\ursnfy.exe
C:\WINDOWS\system32\rkhh\kbivphwl.exe
C:\WINDOWS\system32\qcnrex\hkklt.exe
C:\WINDOWS\system32\dvsxjx\lknddeai.exe
C:\WINDOWS\system32\mtdqmim\nxvfln.exe
C:\WINDOWS\system32\sonxn\tyxrolvx.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {369ABBD3-0092-8745-2028-63ADC7061F76} - C:\WINDOWS\ipvh32.dll (file missing)
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zucejzz.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\Run: [qdbih] C:\WINDOWS\system32\utwhu\qdbih.exe
O4 - HKLM\..\Run: [bqndrpa] C:\WINDOWS\system32\kauecnn\bqndrpa.exe
O4 - HKLM\..\Run: [pkxhotnx] C:\WINDOWS\system32\oltderck\pkxhotnx.exe
O4 - HKLM\..\Run: [opeg] C:\WINDOWS\system32\rrama\opeg.exe
O4 - HKLM\..\Run: [aokdc] C:\WINDOWS\system32\ocvmcw\aokdc.exe
O4 - HKLM\..\Run: [tphuej] C:\WINDOWS\system32\cdvntv\tphuej.exe
O4 - HKLM\..\Run: [prbb] C:\WINDOWS\system32\bkjq\prbb.exe
O4 - HKLM\..\Run: [esvtw] C:\WINDOWS\system32\gdda\esvtw.exe
O4 - HKLM\..\Run: [spkiyfop] C:\WINDOWS\system32\vooun\spkiyfop.exe
O4 - HKLM\..\Run: [obtxwl] C:\WINDOWS\system32\meicva\obtxwl.exe
O4 - HKLM\..\Run: [cekyoysp] C:\WINDOWS\system32\plivfg\cekyoysp.exe
O4 - HKLM\..\Run: [ftkabkr] C:\WINDOWS\system32\ckhjrha\ftkabkr.exe
O4 - HKLM\..\Run: [qxoa] C:\WINDOWS\system32\hgpprlmp\qxoa.exe
O4 - HKLM\..\Run: [kbivphwl] C:\WINDOWS\system32\rkhh\kbivphwl.exe
O4 - HKLM\..\Run: [hkklt] C:\WINDOWS\system32\qcnrex\hkklt.exe
O4 - HKLM\..\Run: [lknddeai] C:\WINDOWS\system32\dvsxjx\lknddeai.exe
O4 - HKLM\..\Run: [ursnfy] C:\WINDOWS\system32\kvtlyhgo\ursnfy.exe
O4 - HKLM\..\Run: [cicqvdne] C:\WINDOWS\system32\fnjsgl\cicqvdne.exe
O4 - HKLM\..\Run: [eiuks] C:\WINDOWS\system32\bslhysq\eiuks.exe
O4 - HKLM\..\Run: [nxvfln] C:\WINDOWS\system32\mtdqmim\nxvfln.exe
O4 - HKLM\..\Run: [tyxrolvx] C:\WINDOWS\system32\sonxn\tyxrolvx.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [Vhrz] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c9.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bslhysq\eiuks.exe
C:\WINDOWS\system32\fnjsgl\cicqvdne.exe
C:\WINDOWS\system32\ocvmcw\aokdc.exe
C:\WINDOWS\system32\cdvntv\tphuej.exe
C:\WINDOWS\system32\vooun\spkiyfop.exe
C:\WINDOWS\system32\meicva\obtxwl.exe
C:\WINDOWS\system32\plivfg\cekyoysp.exe
C:\WINDOWS\system32\kvtlyhgo\ursnfy.exe
C:\WINDOWS\system32\rkhh\kbivphwl.exe
C:\WINDOWS\system32\qcnrex\hkklt.exe
C:\WINDOWS\system32\dvsxjx\lknddeai.exe
C:\WINDOWS\system32\mtdqmim\nxvfln.exe
C:\WINDOWS\system32\sonxn\tyxrolvx.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\r?ndll32.exe
C:\WINDOWS\SYSTEM32\RRAMA\OPEG.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\SYSTEM32\rrama\opeg.exe
C:\world.htm
C:\WINDOWS\ipvh32.dll
C:\WINDOWS\System32\zucejzz.exe
KasperskyAV.exe
<--locate and delete this file.

IMPORTANT!

Now..I need you to also delete EVERY file/folder I listed above to be fixed with the hijackthis program.... as well. You will need to check your system32 folder for any random named folders and files (like what we are deleting) and delete those as well as this infection will keep replicating these random named folders in that directory.
Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows......

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the ”Free Online Virus Scan” in the upper right hand corner of the page under the Free use Activescan header.

We do NOT want the default spyXposer scan. Once it has finished save the activescan log. Then post that log in your next post along with the Ewido log and a new hijackthis log.
 

·
Registered
Joined
·
3 Posts
Discussion Starter · #5 ·
its going down in the third

Alright... I followed the directions to a t, however, there were a couple files that I was unable to find, even using the search bar with all files shown... here's a list of them:

C:\WINDOWS\System32\r?ndll32.exe (Note: I did find a pair of files called rundll32... I dont know if those are the same thing.)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\WinadX.inf
C:\WINDOWS\ipvh32.dll
C:\WINDOWS\System32\zucejzz.exe
KasperskyAV.exe

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:27:02 PM, 10/27/2006
+ Report-Checksum: 7ABB7B9

+ Scan result:

C:\Documents and Settings\Josh\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Josh\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036914.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036915.REG -> Trojan.LowZones.e : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036916.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036917.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036918.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036919.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036921.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036922.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036924.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036927.exe -> TrojanDownloader.Agent.lg : Cleaned with backup


::Report End

Panda:

Incident Status Location

Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
Adware:adware/clickalchemy No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/gator No disinfected C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/MultiMPP No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0036782.inf
Spyware:Spyware/Ukiee No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP275\A0036972.exe
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP276\A0038199.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP276\A0038214.inf
Spyware:Spyware/Ukiee No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP276\A0038221.exe
Spyware:Spyware/Ukiee No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP276\A0038233.exe
Spyware:Spyware/Ukiee No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP276\A0038237.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\alchem.inf
And finally, Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:28 PM, on 10/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hopefully we only need one more go at it... thanks again.
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top