
Discussion Starter #1
Hi all,
My start page changes to www.w-find4u.com whenever I open my browser. I also seem to have a number of shortcuts added to my favorites. In addition, when I shut down my system it says it cannot close down "win min".

I have tried the following software to get rid of it, to no avail: CWShredder, Ad-Aware, Norton.

My HijackThis log follows. I would be very grateful for any assistance anyone could offer!

Thanks very much,

Conor

Logfile of HijackThis v1.99.1
Scan saved at 3:36:22 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\adhnenoy.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\windows\nfsxlyn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Conor\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [PublishPDF] C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [kxujdpb] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKCU\..\Run: [uubajyn] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [vglcdkl] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [ypsuiwp] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [mhvedbo] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wpbhxbt] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [elojtle] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wobxkyx] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [xlsmcai] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yqjtqsi] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [mdefvpj] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yomfgpn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [lmbbrea] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yjusluo] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [dnnumui] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [rreuupc] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [ikcwqwn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [qtmddta] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [vvkdltc] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [phauuuo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bwoqskk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ghnxwne] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [nrnudei] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [kobyvgn] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ebfbtyk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [pjdtbib] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tmybrxk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [uppculh] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lwvacwa] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [xrcdjui] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [mbdqhjm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vnhxnct] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qujjapk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fckgcmb] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ajjtigf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lcxoaeu] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [oyjhgcm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [sfuwjxf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [evvrqdl] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ahpaqig] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [hnfxedd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [garcpvo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [akmmdhi] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qelrwvs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vsdyljs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tqwuvix] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bsxtybd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fkkcmpl] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [ghorinh] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [remhcdb] c:\windows\joahouk.exe
O4 - HKCU\..\Run: [qvoggdb] c:\windows\etcspud.exe
O4 - HKCU\..\Run: [esibrgq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ugfuigl] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [wdsunjc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [xtvmqbh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [dnfavlf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [olnkvvi] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [vpcsfip] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [crpwwqd] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [sicjoek] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kpqicrk] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [nfiuvmr] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ruwciiq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ifetxnc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kkhcraf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [tkofrir] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [bcpwepu] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [pyqntln] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rgbkddy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rssfdxy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [cccejkh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [slleljs] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [rldrruq] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [fthjxto] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [ggdtnwm] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [atehgkt] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [urxmeqi] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [qbteeqh] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [pqfakoy] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [xcdcdac] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [enupfdx] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [dgxkbii] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rtixymn] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vpluuwc] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [mxulysv] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [uwqssah] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [sajwjit] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nmbpmkf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vcfcwbk] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [awvnyja] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vtnysli] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vvlulfg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [yggtrag] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ofgqpbf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vxpamrb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nlcxlgy] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [tokepft] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kiluulg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [iailjun] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [cvmtyyg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ilqoenb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vuekscd] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [fklahaf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [owomtoh] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kcqnsge] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rpqsgct] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [oebttho] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [bemjtru] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [htxxgxj] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ormrroe] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [gfmpbpu] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [dleraci] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [fmewwkr] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [xvemome] c:\windows\bvhrrxs.exe
O4 - HKCU\..\Run: [oafwntp] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jqilsrt] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [emhwpix] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [mipirhr] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [imkjdvn] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [lygowio] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hncamto] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hcaowqa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qhkjdiv] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [dywmvpc] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [cnvifug] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jyscapa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [tvqvnsl] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qcaqaic] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fcjvoql] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fexpjvm] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qvsvgaj] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [xpffbmk] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [adtbffi] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [vgpttaf] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [ywdhkry] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [ltrouqm] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [htlfjeb] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [xyfcdoo] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [tqutpop] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [mgwhmor] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [jsnjaaf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [oboubao] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [nogajcf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [groafie] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [wdwkxis] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [frjdtur] c:\windows\rhjourm.exe
O4 - HKCU\..\Run: [txobusc] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [pemdbhf] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [sxpxclw] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [grcqipp] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [eurhfwy] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ieadkar] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ipxkbew] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [iglsnha] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pfbgrli] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pwockqv] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [jaavawp] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ltcxssy] c:\windows\inwtjve.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Distiller Assistant 3.0.lnk = C:\Acrobat3\Distillr\DISTASST.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINDOWS\System32\beccpjbg.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 

Security Team (ret.)
Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order they are listed. These instructions only apply to HJT v1.99.1.

Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.


Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Double-click My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------



Please download Ewido Security Suite

Install Ewido Security Suite.
When installing, under 'Additional Options' uncheck: "Install background guard" and "Install scan via context menu"

To open the main screen double click the icon on the desktop.

You will get a warning 'Database could not be found!' (only if no updates have been installed first). Click OK.

Update to the latest definition files. On the left of the main screen click Update. Then click on Start Update. Let it complete the updates.

Now click on Scanner and click on Complete System Scan and the scan will start.

During some scans it may find cases of false positives so you will need to step through the process of cleaning files one-by-one.

If a file is detected you KNOW to be legitimate, select None as the action. Do NOT select 'Perform action on all infections'.

If you are unsure of any entry found play safe and select None as the action.
Press the button marked Save Report

Save the report .txt file to your desktop or somewhere you can find it. Post it back with your next HJT log.



-----------------------------------------------------------------------

Files highlighted in BLACK will need to be removed from your hard drive.


------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------



Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following exe file/s and click End Process for each one if they are listed.

C:\WINDOWS\System32\adhnenoy.exe
C:\WINDOWS\system32\desktop.exe
c:\windows\inwtjve.exe
c:\windows\hbfxbnk.exe
c:\windows\rcptmxe.exe
c:\windows\rhjourm.exe
c:\windows\amlyiny.exe
c:\windows\cddvvux.exe
c:\windows\uaoinrg.exe
c:\windows\cddvvux.exe
c:\windows\ownkpht.exe
c:\windows\bvhrrxs.exe
c:\windows\kwsooms.exe
c:\windows\wikqpwd.exe
c:\windows\vocgxxr.exe
c:\windows\nvmxcvq.exe
c:\windows\hanuuhd.exe
c:\windows\etcspud.exe
c:\windows\joahouk.exe
c:\windows\ebwdbhc.exe
c:\windows\flogfct.exe
c:\windows\jeekxwq.exe
c:\windows\nfsxlyn.exe
c:\windows\nfsxlyn.exe


------------------------------------------------------------------

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
O4 - HKLM\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [kxujdpb] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKCU\..\Run: [uubajyn] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [vglcdkl] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [ypsuiwp] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [mhvedbo] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wpbhxbt] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [elojtle] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wobxkyx] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [xlsmcai] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yqjtqsi] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [mdefvpj] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yomfgpn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [lmbbrea] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yjusluo] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [dnnumui] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [rreuupc] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [ikcwqwn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [qtmddta] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [vvkdltc] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [phauuuo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bwoqskk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ghnxwne] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [nrnudei] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [kobyvgn] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ebfbtyk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [pjdtbib] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tmybrxk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [uppculh] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lwvacwa] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [xrcdjui] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [mbdqhjm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vnhxnct] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qujjapk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fckgcmb] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ajjtigf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lcxoaeu] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [oyjhgcm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [sfuwjxf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [evvrqdl] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ahpaqig] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [hnfxedd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [garcpvo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [akmmdhi] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qelrwvs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vsdyljs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tqwuvix] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bsxtybd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fkkcmpl] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [ghorinh] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [remhcdb] c:\windows\joahouk.exe
O4 - HKCU\..\Run: [qvoggdb] c:\windows\etcspud.exe
O4 - HKCU\..\Run: [esibrgq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ugfuigl] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [wdsunjc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [xtvmqbh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [dnfavlf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [olnkvvi] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [vpcsfip] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [crpwwqd] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [sicjoek] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kpqicrk] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [nfiuvmr] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ruwciiq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ifetxnc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kkhcraf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [tkofrir] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [bcpwepu] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [pyqntln] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rgbkddy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rssfdxy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [cccejkh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [slleljs] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [rldrruq] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [fthjxto] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [ggdtnwm] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [atehgkt] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [urxmeqi] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [qbteeqh] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [pqfakoy] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [xcdcdac] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [enupfdx] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [dgxkbii] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rtixymn] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vpluuwc] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [mxulysv] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [uwqssah] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [sajwjit] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nmbpmkf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vcfcwbk] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [awvnyja] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vtnysli] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vvlulfg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [yggtrag] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ofgqpbf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vxpamrb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nlcxlgy] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [tokepft] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kiluulg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [iailjun] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [cvmtyyg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ilqoenb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vuekscd] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [fklahaf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [owomtoh] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kcqnsge] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rpqsgct] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [oebttho] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [bemjtru] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [htxxgxj] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ormrroe] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [gfmpbpu] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [dleraci] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [fmewwkr] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [xvemome] c:\windows\bvhrrxs.exe
O4 - HKCU\..\Run: [oafwntp] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jqilsrt] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [emhwpix] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [mipirhr] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [imkjdvn] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [lygowio] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hncamto] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hcaowqa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qhkjdiv] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [dywmvpc] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [cnvifug] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jyscapa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [tvqvnsl] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qcaqaic] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fcjvoql] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fexpjvm] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qvsvgaj] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [xpffbmk] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [adtbffi] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [vgpttaf] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [ywdhkry] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [ltrouqm] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [htlfjeb] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [xyfcdoo] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [tqutpop] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [mgwhmor] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [jsnjaaf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [oboubao] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [nogajcf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [groafie] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [wdwkxis] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [frjdtur] c:\windows\rhjourm.exe
O4 - HKCU\..\Run: [txobusc] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [pemdbhf] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [sxpxclw] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [grcqipp] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [eurhfwy] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ieadkar] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ipxkbew] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [iglsnha] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pfbgrli] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pwockqv] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [jaavawp] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ltcxssy] c:\windows\inwtjve.exe



------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

Or you can use the alternative method to fix these exe files.

Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

Right-click and drag your cursor over the below files to highlight them and then use Control+C to copy them to the clipboard. Open KILLBOX and go to File and click on "Paste From Clipboard". All the files should now appear in the box (click on the tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

C:\WINDOWS\System32\adhnenoy.exe
C:\WINDOWS\system32\desktop.exe
c:\windows\inwtjve.exe
c:\windows\hbfxbnk.exe
c:\windows\rcptmxe.exe
c:\windows\rhjourm.exe
c:\windows\amlyiny.exe
c:\windows\cddvvux.exe
c:\windows\uaoinrg.exe
c:\windows\cddvvux.exe
c:\windows\ownkpht.exe
c:\windows\bvhrrxs.exe
c:\windows\kwsooms.exe
c:\windows\wikqpwd.exe
c:\windows\vocgxxr.exe
c:\windows\nvmxcvq.exe
c:\windows\hanuuhd.exe
c:\windows\etcspud.exe
c:\windows\joahouk.exe
c:\windows\ebwdbhc.exe
c:\windows\flogfct.exe
c:\windows\jeekxwq.exe
c:\windows\nfsxlyn.exe


-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup. This will clean out your temporary files.

When finished please post a new log.
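As an added example (not part of this thread, and not code from HijackThis or its author), the following Python script triages an HJT log for the pattern that Pancake worked through by hand above: dozens of randomly named HKCU Run values that all launch a handful of 7-letter executables dropped straight into c:\windows, the same value registered under more than one hive or key, and R0/R1 entries pointing Internet Explorer at a host other than the OEM Default_Page_URL. The heuristics, function names and the sample excerpt are mine; the excerpt is constructed from lines in the same shape as the log in this thread, and the de-duplicated removal list is the one thing the hand-written list above got slightly wrong (it repeats two files).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the same shape as the HJT log in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find4u.com/sp.htm
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kxujdpb] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKCU\..\Run: [uubajyn] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [vglcdkl] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [xlsmcai] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yqjtqsi] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [remhcdb] c:\windows\joahouk.exe
"""

# HJT line shapes: "O4 - HKCU\..\Run: [value name] command" and "R1 - HKCU\...\Main,Start Page = url".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)   # path with or without quotes
R_RE = re.compile(r"^R[0-3] - (?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$")
WINDIR_RE = re.compile(r"^[a-z]:\\windows$")   # the Windows folder itself, not a subfolder
RANDOM_RE = re.compile(r"^[a-z]{7}$")           # the 7-lowercase-letter names seen in this log


def parse_o4(log_text):
    """Yield (hive, key, value_name, exe_path) for every O4 registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = EXE_RE.match(m["cmd"])
        if e:   # Startup-folder .lnk entries have no exe path here and are skipped
            yield m["hive"], m["key"], m["name"], e["path"]


def suspicious_autoruns(log_text):
    """Map each flagged executable (lower-cased path) to the list of reasons it was flagged."""
    names = defaultdict(set)    # exe -> value names that launch it
    places = defaultdict(set)   # exe -> (hive, key) locations that launch it
    for hive, key, name, path in parse_o4(log_text):
        p = path.lower()
        names[p].add(name.lower())
        places[p].add((hive, key))
    findings = {}
    for p in names:
        reasons = []
        if len(names[p]) > 1:   # legitimate software does not register one exe under many names
            reasons.append(f"launched under {len(names[p])} different Run value names")
        directory, _, base = p.rpartition("\\")
        if WINDIR_RE.match(directory) and RANDOM_RE.match(base[:-4]):
            reasons.append("random 7-letter exe dropped directly into the Windows folder")
        if len(places[p]) > 1:  # weaker signal: same value in HKLM and HKCU, or Run and RunServices
            reasons.append("registered in more than one hive/key: "
                           + ", ".join(sorted(h + "\\" + k for h, k in places[p])))
        if reasons:
            findings[p] = reasons
    return findings


def hijacked_urls(log_text):
    """Return the R0/R1 lines whose host differs from the OEM Default_Page_URL host."""
    entries = []
    for line in log_text.splitlines():
        m = R_RE.match(line.strip())
        if m:
            entries.append((line.strip(), m["value"], urlparse(m["url"]).hostname or ""))
    oem_hosts = {host for _, value, host in entries if value == "Default_Page_URL"}
    return [line for line, value, host in entries
            if value != "Default_Page_URL" and host not in oem_hosts]


def removal_list(log_text):
    """De-duplicated executables to end in the process manager and then delete."""
    return sorted(suspicious_autoruns(log_text))


def hjt_lines_to_fix(log_text):
    """Hijacked R0/R1 lines plus every O4 line that references a flagged executable."""
    flagged = suspicious_autoruns(log_text)
    lines = list(hijacked_urls(log_text))
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            e = EXE_RE.match(m["cmd"])
            if e and e["path"].lower() in flagged:
                lines.append(line.strip())
    return lines


if __name__ == "__main__":
    for path, reasons in sorted(suspicious_autoruns(SAMPLE_LOG).items()):
        print(path, "->", "; ".join(reasons))
    for line in hjt_lines_to_fix(SAMPLE_LOG):
        print("fix:", line)
```

Run it against a full saved log by replacing SAMPLE_LOG with the file's contents; anything it flags still deserves a look by eye before it goes into the Fix checked list, since the rules are heuristics.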
 

Discussion Starter #3
Thanks for your help Pancake, but...

Hi Pancake,

Thanks for your help, but - no luck! I'm still getting my homepage rerouted and favorites added. Any more tricks for me?

Thanks again,

Conor

Here are my HJT and Ewido logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:22 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\adhnenoy.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\windows\nfsxlyn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Conor\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [PublishPDF] C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [kxujdpb] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKCU\..\Run: [uubajyn] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [vglcdkl] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [ypsuiwp] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [mhvedbo] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wpbhxbt] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [elojtle] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [wobxkyx] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [xlsmcai] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yqjtqsi] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [mdefvpj] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yomfgpn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [lmbbrea] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yjusluo] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [dnnumui] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [rreuupc] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [ikcwqwn] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [qtmddta] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [vvkdltc] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [phauuuo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bwoqskk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ghnxwne] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [nrnudei] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [kobyvgn] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ebfbtyk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [pjdtbib] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tmybrxk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [uppculh] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lwvacwa] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [xrcdjui] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [mbdqhjm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vnhxnct] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qujjapk] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fckgcmb] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ajjtigf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [lcxoaeu] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [oyjhgcm] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [sfuwjxf] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [evvrqdl] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [ahpaqig] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [hnfxedd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [garcpvo] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [akmmdhi] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [qelrwvs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [vsdyljs] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [tqwuvix] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [bsxtybd] c:\windows\flogfct.exe
O4 - HKCU\..\Run: [fkkcmpl] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [ghorinh] c:\windows\ebwdbhc.exe
O4 - HKCU\..\Run: [remhcdb] c:\windows\joahouk.exe
O4 - HKCU\..\Run: [qvoggdb] c:\windows\etcspud.exe
O4 - HKCU\..\Run: [esibrgq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ugfuigl] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [wdsunjc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [xtvmqbh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [dnfavlf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [olnkvvi] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [vpcsfip] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [crpwwqd] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [sicjoek] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kpqicrk] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [nfiuvmr] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ruwciiq] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [ifetxnc] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [kkhcraf] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [tkofrir] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [bcpwepu] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [pyqntln] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rgbkddy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [rssfdxy] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [cccejkh] c:\windows\hanuuhd.exe
O4 - HKCU\..\Run: [slleljs] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [rldrruq] c:\windows\nvmxcvq.exe
O4 - HKCU\..\Run: [fthjxto] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [ggdtnwm] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [atehgkt] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [urxmeqi] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [qbteeqh] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [pqfakoy] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [xcdcdac] c:\windows\vocgxxr.exe
O4 - HKCU\..\Run: [enupfdx] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [dgxkbii] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rtixymn] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vpluuwc] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [mxulysv] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [uwqssah] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [sajwjit] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nmbpmkf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vcfcwbk] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [awvnyja] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vtnysli] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vvlulfg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [yggtrag] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ofgqpbf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vxpamrb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [nlcxlgy] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [tokepft] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kiluulg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [iailjun] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [cvmtyyg] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ilqoenb] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [vuekscd] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [fklahaf] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [owomtoh] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [kcqnsge] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [rpqsgct] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [oebttho] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [bemjtru] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [htxxgxj] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [ormrroe] c:\windows\wikqpwd.exe
O4 - HKCU\..\Run: [gfmpbpu] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [dleraci] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [fmewwkr] c:\windows\kwsooms.exe
O4 - HKCU\..\Run: [xvemome] c:\windows\bvhrrxs.exe
O4 - HKCU\..\Run: [oafwntp] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jqilsrt] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [emhwpix] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [mipirhr] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [imkjdvn] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [lygowio] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hncamto] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [hcaowqa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qhkjdiv] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [dywmvpc] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [cnvifug] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [jyscapa] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [tvqvnsl] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qcaqaic] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fcjvoql] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [fexpjvm] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [qvsvgaj] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [xpffbmk] c:\windows\ownkpht.exe
O4 - HKCU\..\Run: [adtbffi] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [vgpttaf] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [ywdhkry] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [ltrouqm] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [htlfjeb] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [xyfcdoo] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [tqutpop] c:\windows\uaoinrg.exe
O4 - HKCU\..\Run: [mgwhmor] c:\windows\cddvvux.exe
O4 - HKCU\..\Run: [jsnjaaf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [oboubao] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [nogajcf] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [groafie] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [wdwkxis] c:\windows\amlyiny.exe
O4 - HKCU\..\Run: [frjdtur] c:\windows\rhjourm.exe
O4 - HKCU\..\Run: [txobusc] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [pemdbhf] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [sxpxclw] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [grcqipp] c:\windows\rcptmxe.exe
O4 - HKCU\..\Run: [eurhfwy] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ieadkar] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ipxkbew] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [iglsnha] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pfbgrli] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [pwockqv] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [jaavawp] c:\windows\hbfxbnk.exe
O4 - HKCU\..\Run: [ltcxssy] c:\windows\inwtjve.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Distiller Assistant 3.0.lnk = C:\Acrobat3\Distillr\DISTASST.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINDOWS\System32\beccpjbg.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:32:19 PM, 9/27/2005
+ Report-Checksum: 30345FBD

+ Scan result:

[432] C:\WINDOWS\System32\adhnenoy.exe -> TrojanDownloader.Small.bnk : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Conor\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Sophie\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.k : Cleaned with backup
C:\WINDOWS\loadnew.exe -> TrojanDownloader.Agent.tk : Cleaned with backup
C:\WINDOWS\SYSTEM32\adhnenoy.exe -> TrojanDownloader.Small.bnk : Cleaned with backup
C:\WINDOWS\SYSTEM32\aehddlmd.exe -> TrojanDropper.Small.afo : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LXWKK8F\zaebali[1].dat -> Backdoor.Small.hk : Cleaned with backup
C:\WINDOWS\SYSTEM32\desktop.dll -> Backdoor.Small.hk : Cleaned with backup
C:\WINDOWS\SYSTEM32\l_____e.exe -> Backdoor.Small.hk : Cleaned with backup
C:\WINDOWS\SYSTEM32\paydial.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\vlpqxeid.exe -> TrojanDropper.Small.adu : Cleaned with backup
C:\WINDOWS\SYSTEM32\wins32.dll -> TrojanDownloader.Small.bnc : Cleaned with backup


::Report End
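The O4 section of the log above shows the signature of this infection: dozens of HKCU Run values with seven-letter generated names, all launching a handful of equally random-named executables dropped directly into C:\WINDOWS, with the same file (adhnenoy.exe, desktop.exe) sometimes registered in more than one autorun location. The script below is an added example, not part of the original post and not HijackThis code; it parses O4 lines in that log format and scores each target executable on those three signals. The sample log is a constructed excerpt of the one posted, the scoring weights and the looks_random() heuristic are assumptions chosen for illustration, and a score is a triage hint, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 O4 format, modelled on (but much shorter
# than) the log posted above. Legitimate entries are mixed in on purpose.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kxujdpb] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [adhnenoy] C:\WINDOWS\System32\adhnenoy.exe
O4 - HKCU\..\Run: [uubajyn] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [vglcdkl] c:\windows\nfsxlyn.exe
O4 - HKCU\..\Run: [xlsmcai] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [yqjtqsi] c:\windows\jeekxwq.exe
O4 - HKCU\..\Run: [ltcxssy] c:\windows\inwtjve.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Matches registry-based O4 lines: hive, key (Run / RunServices / ...), value name, command.
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')

def extract_path(command):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]

def looks_random(name):
    """Heuristic (an assumption, not a rule): short all-lowercase names with few
    vowels or long consonant runs, like 'kxujdpb', resemble generated value names."""
    if not (name.isalpha() and name.islower() and 6 <= len(name) <= 8):
        return False
    vowels = sum(c in 'aeiou' for c in name)
    longest_run = max((len(r) for r in re.findall(r'[^aeiou]+', name)), default=0)
    return vowels / len(name) <= 0.25 or longest_run >= 4

def triage_o4(log_text):
    """Group O4 autorun entries by target executable and score each target.
    Weights: +2 file sits directly in the Windows directory, +1 per extra value
    name launching it, +1 registered in more than one hive/key, +1 generated-looking name."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, command = m.groups()
        by_target[extract_path(command).lower()].append((hive, key, name))

    findings = []
    for target, entries in by_target.items():
        names = sorted({name for _, _, name in entries})
        locations = {(hive, key) for hive, key, _ in entries}
        score, reasons = 0, []
        if target.rsplit('\\', 1)[0] in ('c:\\windows', 'c:\\winnt'):
            score += 2
            reasons.append('executable dropped directly in the Windows directory')
        if len(names) > 1:
            score += len(names) - 1
            reasons.append(f'{len(names)} different value names launch the same file')
        if len(locations) > 1:
            score += 1
            reasons.append(f'registered in {len(locations)} autorun locations')
        random_names = [n for n in names if looks_random(n)]
        if random_names:
            score += 1
            reasons.append('generated-looking value name(s): ' + ', '.join(random_names))
        if score:
            findings.append({'target': target, 'score': score, 'names': names, 'reasons': reasons})
    return sorted(findings, key=lambda f: -f['score'])

if __name__ == '__main__':
    for f in triage_o4(SAMPLE_HJT_LOG):
        print(f"[{f['score']}] {f['target']}  names={f['names']}")
        for r in f['reasons']:
            print('      -', r)
```

Run against the constructed sample, nfsxlyn.exe scores highest (in C:\WINDOWS, three value names, two of them generated-looking), igfxtray.exe, ccApp.exe and msmsgs.exe are not reported at all, and desktop.exe and adhnenoy.exe surface only on the multiple-location signal, which is exactly why the Ewido report above was needed to confirm them.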

TSF Security Team, Emeritus
Download WinPFind http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note: if your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs:

WinPFind.txt log
Track qoo.vbs log
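WinPFind reports files by the packer marker it finds in them (UPX!, PEC2, aspack and so on) together with their size and timestamp, and in the log posted next the dropped files in C:\WINDOWS all share one marker, one size (35840 bytes) and one write time (9/18/2005 1:33:10 PM). The script below is an added example, not the tool's own code: it assumes that a substring match on those marker strings in the file body is a fair approximation of WinPFind's check, scans a directory for them, and then clusters hits by (size, mtime), which is how a batch of files written by one installer run stands out from legitimately packed binaries. The directory it scans is constructed in a temporary folder; the file names and the 35840-byte size mirror the log, the timestamp is arbitrary, and the files are marker-bearing stubs, not real executables.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# Byte strings that packers leave in the files they produce. WinPFind reports
# these labels; the assumption (not taken from its source) is that a substring
# match in the file body approximates its check.
PACKER_MARKERS = {
    b'UPX!': 'UPX',
    b'PECompact2': 'PECompact2',
    b'PEC2': 'PECompact',
    b'aspack': 'ASPack',
}

def find_markers(path, limit=2 * 1024 * 1024):
    """Return the sorted packer labels whose marker occurs in the first `limit` bytes."""
    with open(path, 'rb') as f:
        data = f.read(limit)
    return sorted({label for marker, label in PACKER_MARKERS.items() if marker in data})

def scan_directory(directory):
    """Scan the top level of a directory; return (path, size, mtime, labels) per marker hit."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        labels = find_markers(path)
        if labels:
            st = os.stat(path)
            hits.append((path, st.st_size, int(st.st_mtime), labels))
    return hits

def cluster_hits(hits, min_size=2):
    """Group hits by (size, mtime). Files dropped by one installer run share both,
    as the 35840-byte, 1:33:10 PM files in the log do; singletons are left out."""
    groups = defaultdict(list)
    for path, size, mtime, _labels in hits:
        groups[(size, mtime)].append(path)
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) >= min_size}

def demo():
    """Constructed input: five same-size, same-time UPX-marked stubs, one marked
    file that is not part of the batch, and one file without any marker."""
    d = tempfile.mkdtemp()
    try:
        dropped_at = 1127065990             # arbitrary fixed timestamp for the batch
        stub = b'MZ' + b'\0' * 62 + b'UPX!'  # not a real PE, it just carries the marker
        for name in ('amlyiny', 'bvhrrxs', 'cddvvux', 'ebwdbhc', 'nfsxlyn'):
            path = os.path.join(d, name + '.exe')
            with open(path, 'wb') as f:
                f.write(stub.ljust(35840, b'\0'))
            os.utime(path, (dropped_at, dropped_at))
        with open(os.path.join(d, 'tsc.exe'), 'wb') as f:      # marked, different size/time
            f.write(stub.ljust(170053, b'\0'))
        with open(os.path.join(d, 'notepad.exe'), 'wb') as f:  # no packer marker
            f.write(b'MZ' + b'\0' * 1000)
        hits = scan_directory(d)
        return hits, cluster_hits(hits)
    finally:
        shutil.rmtree(d, ignore_errors=True)

if __name__ == '__main__':
    hits, clusters = demo()
    for (size, mtime), paths in clusters.items():
        print(f'{len(paths)} files of {size} bytes written at {mtime}:')
        for p in paths:
            print('   ', os.path.basename(p))
```

The packer marker alone is a weak signal, which is why the log lists MRT.exe and ntdll.dll under "aspack" as well; the cluster of identical size and write time is what separates a dropper's output from ordinary packed software, so the cluster, not the marker, is what to act on.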

Discussion Starter #5
Follow-up to find4u problem

Thanks Microbell,

Here are the reports you requested. Hope this works! Thanks for your help,

Conor

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/18/2005 1:33:04 PM 13312 C:\ld597082632.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\amlyiny.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\bvhrrxs.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\cddvvux.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\ebwdbhc.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\enphmba.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\etcspud.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\flogfct.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\hanuuhd.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\hbfxbnk.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\inwtjve.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\jeekxwq.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\joahouk.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\kwsooms.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\nfsxlyn.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\nvmxcvq.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\ownkpht.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\qmwuxxd.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\rcptmxe.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\rcqdqri.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\rhjourm.exe
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\ruomrkn.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\suirues.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\tgmdfly.exe
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\uaoinrg.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\vocgxxr.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\wikqpwd.exe
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\xaatsxw.exe

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 9/18/2005 1:33:18 PM 3072 C:\WINDOWS\SYSTEM32\ppmrrtxs.exe
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 9/18/2005 1:33:10 PM 35840 C:\WINDOWS\SYSTEM32\sisysaaa.exe
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\Hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/28/2005 6:24:30 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/18/2005 1:39:34 PM H 54156 C:\WINDOWS\QTFont.qfn
8/26/2005 8:09:12 AM H 0 C:\WINDOWS\INF\oem37.inf
8/26/2005 8:11:42 AM H 0 C:\WINDOWS\INF\oem38.inf
9/19/2005 4:37:24 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_14.cab
9/28/2005 6:24:20 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/28/2005 6:24:48 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/28/2005 6:24:32 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/28/2005 6:24:50 PM H 73728 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/28/2005 6:24:40 PM H 991232 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/19/2005 5:02:46 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
9/4/2005 7:37:34 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
9/4/2005 7:37:34 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LXWKK8F\desktop.ini
9/4/2005 7:37:34 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBSJIF4L\desktop.ini
9/4/2005 7:37:34 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OF0KK80Y\desktop.ini
9/4/2005 7:37:34 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPQ9ABCV\desktop.ini
9/28/2005 6:23:32 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Iomega Corporation 1/24/2002 3:10:56 PM 126976 C:\WINDOWS\SYSTEM32\ADPanel.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 9/10/2002 4:07:54 PM 716800 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Autodesk, Inc. 2/13/2003 12:34:12 PM 205472 C:\WINDOWS\SYSTEM32\plotman.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 4/3/2003 11:28:40 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 4/4/1996 1:11:00 AM R 340480 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 12/14/2003 9:20:50 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Autodesk, Inc. 2/13/2003 12:34:14 PM 205472 C:\WINDOWS\SYSTEM32\styleman.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Intel Corporation 1/13/2003 3:01:10 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/6/2005 5:14:30 PM 928 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
3/6/2004 11:32:12 AM 1936 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
4/3/2003 11:25:48 PM 567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
5/16/2004 11:11:28 AM 661 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Distiller Assistant 3.0.lnk
8/19/2003 6:41:06 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
8/25/2005 12:17:00 PM 1690 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
7/26/2003 8:19:50 PM 1536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
3/6/2005 10:56:26 PM 5 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
8/19/2003 6:48:32 PM 388 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Conor\Start Menu\Programs\Startup\DESKTOP.INI
8/9/2003 6:29:06 PM 1587 C:\Documents and Settings\Conor\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Conor\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe
PublishPDF C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Motive SmartBridge C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
StandardInstall

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ypsuiwp c:\windows\nfsxlyn.exe
mhvedbo c:\windows\nfsxlyn.exe
wpbhxbt c:\windows\nfsxlyn.exe
elojtle c:\windows\nfsxlyn.exe
wobxkyx c:\windows\nfsxlyn.exe
ephhipq c:\windows\inwtjve.exe
dgdbsgr c:\windows\inwtjve.exe
yferjqb c:\windows\inwtjve.exe
slwauxr c:\windows\inwtjve.exe
lsdctku c:\windows\inwtjve.exe
ltwmmyu c:\windows\inwtjve.exe
mxehncb c:\windows\inwtjve.exe
wxohvwk c:\windows\inwtjve.exe
fxafele c:\windows\inwtjve.exe
gqetqlp c:\windows\inwtjve.exe
ljhwigq c:\windows\inwtjve.exe
vredleg c:\windows\inwtjve.exe
ieevvmh c:\windows\inwtjve.exe
qhjleul c:\windows\inwtjve.exe
pgvbgtv c:\windows\inwtjve.exe
dlipktv c:\windows\inwtjve.exe
sefrcvq c:\windows\inwtjve.exe
oepvuxb c:\windows\inwtjve.exe
fklpotl c:\windows\inwtjve.exe
fonpvvb c:\windows\inwtjve.exe
pkudacb c:\windows\inwtjve.exe
qkgibgw c:\windows\inwtjve.exe
gqitmlb c:\windows\inwtjve.exe
cyucbpe c:\windows\inwtjve.exe
emwrnry c:\windows\inwtjve.exe
rrqaydx c:\windows\suirues.exe
txfrpnb c:\windows\suirues.exe
hgffobr c:\windows\suirues.exe
tinwtug c:\windows\suirues.exe
btxqbcl c:\windows\suirues.exe
xoaepbt c:\windows\suirues.exe
ktwomyj c:\windows\suirues.exe
qbbyscd c:\windows\suirues.exe
mphlkoo c:\windows\suirues.exe
uwgnbsp c:\windows\suirues.exe
hdxaxfv c:\windows\suirues.exe
jiganyb c:\windows\suirues.exe
wgclkic c:\windows\suirues.exe
vrjwwui c:\windows\suirues.exe
ksmncrk c:\windows\suirues.exe
hlitgaj c:\windows\qmwuxxd.exe
tlhbkob c:\windows\qmwuxxd.exe
ocixbuv c:\windows\qmwuxxd.exe
khmmkxa c:\windows\qmwuxxd.exe
wfcqpuf c:\windows\qmwuxxd.exe
lgkaedw c:\windows\qmwuxxd.exe
qjxikut c:\windows\qmwuxxd.exe
oivreqa c:\windows\qmwuxxd.exe
cvavjnb c:\windows\qmwuxxd.exe
xtxjjlo c:\windows\qmwuxxd.exe
wevidov c:\windows\qmwuxxd.exe
tdyfaeg c:\windows\qmwuxxd.exe
sqcrjow c:\windows\qmwuxxd.exe
uxuelfs c:\windows\qmwuxxd.exe
walagss c:\windows\qmwuxxd.exe
edljixh c:\windows\qmwuxxd.exe
xgnusrp c:\windows\qmwuxxd.exe
tmvcgap c:\windows\qmwuxxd.exe
nuqvkop c:\windows\qmwuxxd.exe
mtktchl c:\windows\qmwuxxd.exe
djegtpj c:\windows\qmwuxxd.exe
ppyswyn c:\windows\qmwuxxd.exe
xlftctr c:\windows\qmwuxxd.exe
bhrnjxi c:\windows\qmwuxxd.exe
trbrxyc c:\windows\qmwuxxd.exe
cmtrtof c:\windows\qmwuxxd.exe
gkgngfs c:\windows\qmwuxxd.exe
qlpjosf c:\windows\qmwuxxd.exe
njuptrw c:\windows\qmwuxxd.exe
bitumgh c:\windows\qmwuxxd.exe
trqqlkg c:\windows\qmwuxxd.exe
mdetfkm c:\windows\qmwuxxd.exe
bqxowwl c:\windows\qmwuxxd.exe
cpdksev c:\windows\qmwuxxd.exe
vdnxulf c:\windows\qmwuxxd.exe
fyrjaec c:\windows\qmwuxxd.exe
avmgtml c:\windows\qmwuxxd.exe
sevjjtq c:\windows\qmwuxxd.exe
uecgjac c:\windows\rcqdqri.exe
spsgcvu c:\windows\rcqdqri.exe
nmwkhau c:\windows\rcqdqri.exe
whlbkcr c:\windows\rcqdqri.exe
cnxtfgv c:\windows\ruomrkn.exe
olsdvxx c:\windows\xaatsxw.exe
uuvqrai c:\windows\xaatsxw.exe
xksscgy c:\windows\xaatsxw.exe
iichbax c:\windows\xaatsxw.exe
rnwnwic c:\windows\xaatsxw.exe
sekaygn c:\windows\xaatsxw.exe
mbvgdkm c:\windows\xaatsxw.exe
qmthdhf c:\windows\tgmdfly.exe
dpucyqo c:\windows\tgmdfly.exe
fjybecf c:\windows\tgmdfly.exe
jyuenye c:\windows\tgmdfly.exe
vhuhvbr c:\windows\tgmdfly.exe
oebspky c:\windows\tgmdfly.exe
amuajke c:\windows\tgmdfly.exe
lhmgpbl c:\windows\tgmdfly.exe
oirmbas c:\windows\tgmdfly.exe
xtgyxpl c:\windows\tgmdfly.exe
dwxrgnr c:\windows\tgmdfly.exe
kspevnr c:\windows\tgmdfly.exe
fxjgyun c:\windows\tgmdfly.exe
pvfdqem c:\windows\tgmdfly.exe
nqmwiib c:\windows\tgmdfly.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
SysTray.Exlv {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} = C:\WINDOWS\System32\beccpjbg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/28/2005 6:31:21 PM


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"PublishPDF"="C:\\WINDOWS\\PublishPDF\\PublishPDF_Loader.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Motive SmartBridge"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"StandardInstall"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk
Adobe Gamma Loader.lnk
DESKTOP.INI
Digital Line Detect.lnk
Distiller Assistant 3.0.lnk
hp psc 1000 series.lnk
NetAssistant.lnk
WinZip Quick Pick.lnk
==============================
C:\Documents and Settings\Conor\Start Menu\Programs\Startup

Acrobat Assistant.lnk
Adobe Gamma Loader.lnk
DESKTOP.INI
Digital Line Detect.lnk
Distiller Assistant 3.0.lnk
hp psc 1000 series.lnk
NetAssistant.lnk
WinZip Quick Pick.lnk
DESKTOP.INI
HotSync Manager.lnk
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
ADPanel.cpl Iomega Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plotman.cpl Autodesk, Inc.
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QTW32.CPL Apple Computer, Inc.
QuickTime.cpl Apple Computer, Inc.
styleman.cpl Autodesk, Inc.
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
 

TSF Security Team, Emeritus
Ok....here we go.... It's CRITICAL you do not miss a file or entry that I list for removal. So print these instructions out so you can follow along.

EDIT: I want to add that this infection may create a new file and entry every time you reboot. So if you find an entry in the registry or a new file (random-named EXE) that looks similar to what I'm removing...include it in the deletion process.

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Download About Buster 5 and unzip it to a folder on your Desktop. Do not run it yet!

Once that's done... DISCONNECT your PC from any internet access.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Reboot into safe mode.

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ypsuiwp c:\windows\nfsxlyn.exe
mhvedbo c:\windows\nfsxlyn.exe
wpbhxbt c:\windows\nfsxlyn.exe
elojtle c:\windows\nfsxlyn.exe
wobxkyx c:\windows\nfsxlyn.exe
ephhipq c:\windows\inwtjve.exe
dgdbsgr c:\windows\inwtjve.exe
yferjqb c:\windows\inwtjve.exe
slwauxr c:\windows\inwtjve.exe
lsdctku c:\windows\inwtjve.exe
ltwmmyu c:\windows\inwtjve.exe
mxehncb c:\windows\inwtjve.exe
wxohvwk c:\windows\inwtjve.exe
fxafele c:\windows\inwtjve.exe
gqetqlp c:\windows\inwtjve.exe
ljhwigq c:\windows\inwtjve.exe
vredleg c:\windows\inwtjve.exe
ieevvmh c:\windows\inwtjve.exe
qhjleul c:\windows\inwtjve.exe
pgvbgtv c:\windows\inwtjve.exe
dlipktv c:\windows\inwtjve.exe
sefrcvq c:\windows\inwtjve.exe
oepvuxb c:\windows\inwtjve.exe
fklpotl c:\windows\inwtjve.exe
fonpvvb c:\windows\inwtjve.exe
pkudacb c:\windows\inwtjve.exe
qkgibgw c:\windows\inwtjve.exe
gqitmlb c:\windows\inwtjve.exe
cyucbpe c:\windows\inwtjve.exe
emwrnry c:\windows\inwtjve.exe
rrqaydx c:\windows\suirues.exe
txfrpnb c:\windows\suirues.exe
hgffobr c:\windows\suirues.exe
tinwtug c:\windows\suirues.exe
btxqbcl c:\windows\suirues.exe
xoaepbt c:\windows\suirues.exe
ktwomyj c:\windows\suirues.exe
qbbyscd c:\windows\suirues.exe
mphlkoo c:\windows\suirues.exe
uwgnbsp c:\windows\suirues.exe
hdxaxfv c:\windows\suirues.exe
jiganyb c:\windows\suirues.exe
wgclkic c:\windows\suirues.exe
vrjwwui c:\windows\suirues.exe
ksmncrk c:\windows\suirues.exe
hlitgaj c:\windows\qmwuxxd.exe
tlhbkob c:\windows\qmwuxxd.exe
ocixbuv c:\windows\qmwuxxd.exe
khmmkxa c:\windows\qmwuxxd.exe
wfcqpuf c:\windows\qmwuxxd.exe
lgkaedw c:\windows\qmwuxxd.exe
qjxikut c:\windows\qmwuxxd.exe
oivreqa c:\windows\qmwuxxd.exe
cvavjnb c:\windows\qmwuxxd.exe
xtxjjlo c:\windows\qmwuxxd.exe
wevidov c:\windows\qmwuxxd.exe
tdyfaeg c:\windows\qmwuxxd.exe
sqcrjow c:\windows\qmwuxxd.exe
uxuelfs c:\windows\qmwuxxd.exe
walagss c:\windows\qmwuxxd.exe
edljixh c:\windows\qmwuxxd.exe
xgnusrp c:\windows\qmwuxxd.exe
tmvcgap c:\windows\qmwuxxd.exe
nuqvkop c:\windows\qmwuxxd.exe
mtktchl c:\windows\qmwuxxd.exe
djegtpj c:\windows\qmwuxxd.exe
ppyswyn c:\windows\qmwuxxd.exe
xlftctr c:\windows\qmwuxxd.exe
bhrnjxi c:\windows\qmwuxxd.exe
trbrxyc c:\windows\qmwuxxd.exe
cmtrtof c:\windows\qmwuxxd.exe
gkgngfs c:\windows\qmwuxxd.exe
qlpjosf c:\windows\qmwuxxd.exe
njuptrw c:\windows\qmwuxxd.exe
bitumgh c:\windows\qmwuxxd.exe
trqqlkg c:\windows\qmwuxxd.exe
mdetfkm c:\windows\qmwuxxd.exe
bqxowwl c:\windows\qmwuxxd.exe
cpdksev c:\windows\qmwuxxd.exe
vdnxulf c:\windows\qmwuxxd.exe
fyrjaec c:\windows\qmwuxxd.exe
avmgtml c:\windows\qmwuxxd.exe
sevjjtq c:\windows\qmwuxxd.exe
uecgjac c:\windows\rcqdqri.exe
spsgcvu c:\windows\rcqdqri.exe
nmwkhau c:\windows\rcqdqri.exe
whlbkcr c:\windows\rcqdqri.exe
cnxtfgv c:\windows\ruomrkn.exe
olsdvxx c:\windows\xaatsxw.exe
uuvqrai c:\windows\xaatsxw.exe
xksscgy c:\windows\xaatsxw.exe
iichbax c:\windows\xaatsxw.exe
rnwnwic c:\windows\xaatsxw.exe
sekaygn c:\windows\xaatsxw.exe
mbvgdkm c:\windows\xaatsxw.exe
qmthdhf c:\windows\tgmdfly.exe
dpucyqo c:\windows\tgmdfly.exe
fjybecf c:\windows\tgmdfly.exe
jyuenye c:\windows\tgmdfly.exe
vhuhvbr c:\windows\tgmdfly.exe
oebspky c:\windows\tgmdfly.exe
amuajke c:\windows\tgmdfly.exe
lhmgpbl c:\windows\tgmdfly.exe
oirmbas c:\windows\tgmdfly.exe
xtgyxpl c:\windows\tgmdfly.exe
dwxrgnr c:\windows\tgmdfly.exe
kspevnr c:\windows\tgmdfly.exe
fxjgyun c:\windows\tgmdfly.exe
pvfdqem c:\windows\tgmdfly.exe
nqmwiib c:\windows\tgmdfly.exe


*Note* Remove any others that look similar if I didn't list them as this infection sometimes creates new entries. If you find any...don't forget to add that file to the KILLBOX instructions below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"StandardInstall"=""


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{5368DCFC-4F5C-4f5b-B134-E67294FC78E9} = C:\WINDOWS\System32\beccpjbg.dll


*Note* Delete that folder above in RED.

Close Regedit...

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here once you're back to normal mode.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

*Note* In case the Copy method keeps missing a file..we are going to do this one at a time.


C:\WINDOWS\amlyiny.exe
C:\WINDOWS\bvhrrxs.exe
C:\WINDOWS\cddvvux.exe
C:\WINDOWS\ebwdbhc.exe
C:\WINDOWS\enphmba.exe
C:\WINDOWS\etcspud.exe
C:\WINDOWS\flogfct.exe
C:\WINDOWS\hanuuhd.exe
C:\WINDOWS\hbfxbnk.exe
C:\WINDOWS\inwtjve.exe
C:\WINDOWS\jeekxwq.exe
C:\WINDOWS\joahouk.exe
C:\WINDOWS\kwsooms.exe
C:\WINDOWS\nfsxlyn.exe
C:\WINDOWS\nvmxcvq.exe
C:\WINDOWS\ownkpht.exe
C:\WINDOWS\qmwuxxd.exe
C:\WINDOWS\rcptmxe.exe
C:\WINDOWS\rcqdqri.exe
C:\WINDOWS\rhjourm.exe
C:\WINDOWS\ruomrkn.exe
C:\WINDOWS\suirues.exe
C:\WINDOWS\tgmdfly.exe
C:\WINDOWS\uaoinrg.exe
C:\WINDOWS\vocgxxr.exe
C:\WINDOWS\wikqpwd.exe
C:\WINDOWS\xaatsxw.exe
C:\ld597082632.exe
C:\WINDOWS\System32\beccpjbg.dll
C:\WINDOWS\SYSTEM32\ppmrrtxs.exe
C:\WINDOWS\SYSTEM32\sisysaaa.exe


Once you reboot....I want you to first check both your System32 folder and your Windows folder for any new files. They should be similar to these file sizes..35840 and be a random-named exe.

Then I need you to Run KILLBOX again..using the same files. We want to run them through twice to make sure nothing survived. Once you reboot this time....run Ewido and let it clean the PC.

Run Cleanup one more time..and reboot/logoff when prompted.

Once you're back to normal Windows RECONNECT your internet.

Post the following logs....

AboutBuster
WinPfind
Hijackthis
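The reply above is built on two tells that are visible in the WinPFind log: dozens of random 7-8 letter value names under HKCU\...\Run all launching a handful of equally random-named EXEs dropped straight into C:\WINDOWS, and the instruction to re-check the Windows and System32 folders after reboot for fresh 35840-byte copies. The following Python script is an added example (not code from the thread, from WinPFind, or from any tool the reply names) that turns those tells into a repeatable triage: it parses a constructed excerpt of the log's Run section, lists the value names to delete and the de-duplicated file list for KillBox, and sweeps a folder for random-named EXEs of the dropper's size. The "7-8 lowercase letters" and "many value names per EXE" rules are my heuristics, and the directory sweep runs against a constructed temporary folder standing in for C:\WINDOWS, so it executes offline.

```python
import ntpath
import os
import re
import tempfile
from collections import defaultdict

# Constructed excerpt of the HKCU ...\Run section of the WinPFind log above
# (nine of the ~110 lines; the two legitimate entries are kept for contrast).
SAMPLE_RUN_LISTING = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
MSMSGS "C:\\Program Files\\Messenger\\msmsgs.exe" /background
DellSupport "C:\\Program Files\\Dell Support\\DSAgnt.exe" /startup
ypsuiwp c:\\windows\\nfsxlyn.exe
mhvedbo c:\\windows\\nfsxlyn.exe
ephhipq c:\\windows\\inwtjve.exe
dgdbsgr c:\\windows\\inwtjve.exe
cnxtfgv c:\\windows\\ruomrkn.exe
qmthdhf c:\\windows\\tgmdfly.exe
dpucyqo c:\\windows\\tgmdfly.exe
"""

# Heuristic (mine, not WinPFind's): every value name and dropper stem in this
# log is 7 or 8 lowercase letters.  Vendor entries use mixed case or digits.
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")
# "<value name> <optionally quoted path ending in .exe> [args]"
ENTRY = re.compile(r'^(?P<name>\S+)\s+"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?',
                   re.IGNORECASE)


def parse_run_listing(text):
    """Return (value_name, target_path) pairs from a WinPFind-style Run listing."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue                       # blank line or key header
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries


def is_random_name(name):
    return bool(RANDOM_STEM.match(name))


def triage(entries):
    """Return (value names to delete, de-duplicated files for KillBox)."""
    fan_in = defaultdict(set)              # target path -> value names launching it
    for name, path in entries:
        fan_in[path.lower()].add(name)
    bad_values, bad_files = [], set()
    for name, path in entries:
        # ntpath, not os.path: these are Windows paths even when triaged on Linux
        stem = ntpath.splitext(ntpath.basename(path))[0]
        random_pair = is_random_name(name) and is_random_name(stem)
        # Second tell: many unrelated value names launching one EXE.  Normal
        # software registers one value per program.
        if random_pair or len(fan_in[path.lower()]) > 1:
            bad_values.append(name)
            bad_files.add(path.lower())
    return bad_values, sorted(bad_files)


def sweep_for_droppers(directory, expected_size):
    """Post-reboot check: random-named .exe files of the dropper's size
    sitting directly in `directory` (run against C:\\WINDOWS and System32)."""
    hits = []
    for fn in os.listdir(directory):
        stem, ext = os.path.splitext(fn)
        full = os.path.join(directory, fn)
        if (ext.lower() == ".exe" and is_random_name(stem)
                and os.path.isfile(full) and os.path.getsize(full) == expected_size):
            hits.append(fn)
    return sorted(hits)


def demo_sweep():
    """Sweep a constructed temporary folder standing in for C:\\WINDOWS."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed contents: two fresh 35840-byte droppers, a legitimate
        # 8-letter name of a different size (the size gate keeps it out),
        # and a random-named DLL, which this sweep deliberately ignores.
        for fn, size in (("kwsooms.exe", 35840), ("vocgxxr.exe", 35840),
                         ("explorer.exe", 10240), ("beccpjbg.dll", 35840)):
            with open(os.path.join(d, fn), "wb") as f:
                f.write(b"\0" * size)
        return sweep_for_droppers(d, 35840)


if __name__ == "__main__":
    values, files = triage(parse_run_listing(SAMPLE_RUN_LISTING))
    print("registry values to delete:", values)
    print("files for KillBox:", files)
    print("new droppers after reboot:", demo_sweep())
```

The name-shape rule alone is not enough on its own (stock names such as explorer.exe are also eight lowercase letters), which is why the Run-key check pairs it with fan-in and the folder sweep pairs it with the file size the reply quotes. It also does nothing for the ShellServiceObjectDelayLoad entry (beccpjbg.dll), which has to be matched against the stock SysTray/CDBurn/WebCheck/PostBootReminder entries by hand, exactly as the reply does.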
 