XxCaution210xX

Hijackthis.log Can't get rid of POPUP Ads!


Don't know what's up with this crap... but here's my log... hopefully you can help me...

 

Logfile of HijackThis v1.99.1

Scan saved at 5:46:31 PM, on 6/5/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe

C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

C:\WINDOWS\system32\rundll32.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\NEW\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;final-kf8fvcbaw;192.168.0;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\joxmx.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ujfqinx.exe

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...631382D2D2D.exe

O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us48/48.cab

O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)

O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\fnj0211mg.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

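The entries a helper keys on in a log like this can be checked mechanically. The Python below is an added example, not code from the thread or from HijackThis; it runs a few triage heuristics over a subset of the entries posted above (copied from the log) and flags: F2 entries where Shell= or UserInit= loads an extra executable beside Explorer.exe or userinit.exe (joxmx.exe and ujfqinx.exe here), O20 Winlogon Notify handlers in system32 with generated-looking names, O16 ActiveX downloads from hosts outside a short trusted list (that list is an assumption of mine), and entries whose target file is missing. The names triage, Finding and TRUSTED_DPF_SUFFIXES are my own.

```python
"""Triage heuristics for HijackThis v1.99 entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted in the first message.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\joxmx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ujfqinx.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us48/48.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\fnj0211mg.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # HijackThis section tag, e.g. "F2"
    detail: str


ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
F2_RE = re.compile(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)$")
O16_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\} - (\S+)")
O20_RE = re.compile(r"Winlogon Notify: (\S+) - (.+)$")

# Assumption: hosts from which ActiveX (O16) downloads are expected; anything else is flagged.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "windowsupdate.com", "macromedia.com", "java.com")


def _check_f2(body):
    """Shell= should name only Explorer.exe and UserInit= only userinit.exe; extras are loaders."""
    m = F2_RE.match(body)
    if not m:
        return None
    key, value = m.groups()
    expected = "explorer.exe" if key == "Shell" else "userinit.exe"
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if not p.lower().endswith(expected)]
    if not extras:
        return None
    return Finding("high", "F2", f"{key}= also loads {extras}; a clean value names only {expected}")


def _check_o16(body):
    """ActiveX download (DPF) from a host outside the trusted list."""
    m = O16_RE.search(body)
    if not m:
        return None
    host = (urlparse(m.group(1)).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES):
        return None
    return Finding("high", "O16", f"ActiveX download from untrusted host {host}")


def _check_o20(body):
    """Winlogon Notify DLL in system32 whose name mixes letters and digits (generated-looking)."""
    m = O20_RE.match(body)
    if not m:
        return None
    name, path = m.groups()
    stem = re.sub(r"\.dll$", "", path.rsplit("\\", 1)[-1].lower())
    generated = re.search(r"\d", stem) is not None and re.search(r"[a-z]", stem) is not None
    if "\\system32\\" in path.lower() and generated:
        return Finding("medium", "O20", f"Winlogon Notify '{name}' -> {path}: verify the publisher of this DLL")
    return None


def _check_orphan(kind, body):
    """Entries whose target no longer exists: usually leftovers, occasionally a loader that hides its file."""
    if "(no file)" in body or "(file missing)" in body:
        return Finding("low", kind, f"target file missing: {body}")
    return None


CHECKS = {"F2": _check_f2, "O16": _check_o16, "O20": _check_o20}


def triage(log_text):
    """Run the checks over every 'Xn - ...' entry; header and process-list lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        check = CHECKS.get(kind)
        for f in (check(body) if check else None, _check_orphan(kind, body)):
            if f:
                findings.append(f)
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample this reports three high findings (the two winlogon-stage loaders and the zllin.info download), one medium and three low. The missing-file entries rank lowest because they are most often leftovers of uninstalled software; the F2 entries rank highest because anything named there runs at every logon before the desktop appears, which matches the helper's remark that the infection keeps reinstalling itself.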

Yuk, you have gotten a nasty bundle of some of the hardest-to-remove malware, including a download trojan that just proceeds to download more malware onto your system as fast as we can clean it up.

 

This is going to take a number of steps and special removal tools, but first, download and install this free trial of Ewido Antimalware to scan for (and protect against) trojans. The realtime protection is only good for 2 weeks during the trial, but you can keep it past the trial period and it will still work as a good anti-trojan scanner as long as you manually check for updates before scanning.

 

Well, actually, let's get rid of the Look2Me infection first, then we'll do Ewido:

 

Next, please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HijackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

..............................................................

 

Please download, install, and update the free version of Ewido AntiMalware:

http://www.ewido.net/en/download/

 

[1] From the main ewido screen, click on update in the left menu, then click the Start update button.

 

[2] After the update finishes (the status bar at the bottom will display "Update successful"), close the program. Don't scan with it yet; we'll do that in SAFE MODE.

 

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

 

Reboot your PC into SAFE MODE

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

 

Next, run a scan with Ewido.

 

[3] Click on the Scanner button in the left menu, then click on the Complete System Scan button. This scan can take quite a while to run, so please be patient.

 

[4] If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

 

[5] When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

Please copy and paste the results from that scan back here for review :)

 

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :)

 

There will be more to do after this, but I want to see those reports and a fresh HijackThis log before continuing, to make sure everything went OK on those.


Hey, the Look2Me Demo thing didn't work or ever turn back on, and I rebooted 4 times.

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 12:40:23 AM, 6/6/2006

+ Report-Checksum: 2278FDD5

 

+ Scan result:

 

HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup

HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup

HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Adware.MoneyMaker : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Adware.DealHelper : Cleaned with backup

HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup

HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup

HKLM\SOFTWARE\vmss -> Adware.Delfin : Cleaned with backup

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup

HKU\S-1-5-21-823518204-1677128483-842925246-1004\Software\Dvx -> Adware.Delfin : Cleaned with backup

HKU\S-1-5-21-823518204-1677128483-842925246-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup

HKU\S-1-5-21-823518204-1677128483-842925246-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup

HKU\S-1-5-21-823518204-1677128483-842925246-1004\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup

HKU\S-1-5-21-823518204-1677128483-842925246-1004\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup

[980] C:\WINDOWS\system32\rjoc3260.dll -> Adware.Look2Me : Error during cleaning

[1192] C:\WINDOWS\system32\rjoc3260.dll -> Adware.Look2Me : Error during cleaning

[1356] C:\WINDOWS\system32\amhioqi.dll -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\SYSTEM32\joxmx.exe -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\SYSTEM32\wsxsvc\wsx.dll -> Adware.DelphinMediaViewer : Cleaned with backup

C:\WINDOWS\SYSTEM32\wsxsvc\wsx.ocx -> Adware.DelphinMediaViewer : Cleaned with backup

C:\WINDOWS\SYSTEM32\vmss\vmss.exe -> Adware.DelphinMediaViewer : Cleaned with backup

C:\WINDOWS\SYSTEM32\dun.exe -> Adware.DealHelper : Cleaned with backup

C:\WINDOWS\SYSTEM32\Sibnfn.exe -> Adware.DealHelper : Cleaned with backup

C:\WINDOWS\SYSTEM32\Lgitzw.exe -> Downloader.Small : Cleaned with backup

C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup

C:\WINDOWS\SYSTEM32\nr1rnqm8.exe -> Adware.Suggestor : Cleaned with backup

C:\WINDOWS\SYSTEM32\h0n0la5m1d.dll -> Adware.Look2Me : Cleaned with backup

C:\WINDOWS\SYSTEM32\ycvlj.dat -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\SYSTEM32\w013d70f.dll -> Downloader.Agent.ahv : Cleaned with backup

C:\WINDOWS\SYSTEM32\c000ladm1d0a.dll -> Adware.Look2Me : Cleaned with backup

C:\WINDOWS\pss\lmtje.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup

C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\A1OFR1VD\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Targetnet : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Clickbank : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][3].txt -> TrackingCookie.Adrevolver : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Revenue : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][1].txt -> TrackingCookie.Bfast : Cleaned with backup

C:\WINDOWS\TEMP\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\WINDOWS\TEMP\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup

C:\WINDOWS\TEMP\TBuninst.exe -> Adware.WebSearch : Cleaned with backup

C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup

C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup

C:\WINDOWS\eliteunstall.exe -> Adware.EliteMedia : Cleaned with backup

C:\WINDOWS\uutwwig.exe -> Hijacker.VB.ij : Cleaned with backup

C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup

C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup

C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup

C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup

C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup

C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup

C:\WINDOWS\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup

C:\Program Files\PLUS!\podewamo.dll.exe -> Downloader.Small.ajc : Cleaned with backup

C:\Program Files\PLUS!\podewamo.dll -> Downloader.Small.ctp : Cleaned with backup

C:\Program Files\PLUS!\VSL.dl_.exe -> Downloader.Small.ajc : Cleaned with backup

C:\Program Files\Windows AdStatus\WinStatComm.dll -> Adware.WinAD : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Sync.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Sync.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\Orange Audio\WAV - MP3 Converter Encoder\SaveInstCm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup

C:\Program Files\ClockSync -> Adware.WhenU : Cleaned with backup

C:\Program Files\WіnSxS\tracert.exe -> Downloader.PurityScan.cl : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3M5O\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Goclick : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\ICD1.tmp\n.exe -> Downloader.Small.cpg : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\i7.tmp -> Adware.SurfSide : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\D0E8.tmp/nr1rnqm8.exe -> Adware.Suggestor : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\D0E8.tmp/mptft.exe -> Adware.SearchAssistant : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr3652 -> Adware.Look2Me : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr252F -> Adware.CommAd : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\da1A.tmp -> Adware.SurfSide : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\ac2_0004.exe -> Downloader.Small.cpu : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr2B57 -> Adware.CommAd : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr8F5F -> Adware.Look2Me : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr800E -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.frF12D -> Downloader.Qoologic.bj : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\temp.fr169E -> Adware.Look2Me : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DGH2N4L\gozilla[1].exe -> Adware.EZula : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Temporary Internet Files\Content.IE5\8H8ZSFKV\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Clickbank : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected] -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yadro : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup

C:\Documents and Settings\Caution\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Sidefind : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Epilot : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected]acker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Starware : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Yadro : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Euniverseads : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Tracking101 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Sidefind : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Hypertracker : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Adorigin : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][4].txt -> TrackingCookie.Sidefind : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Goclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Clickbank : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Reliablestats : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Paypopup : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Paypopup : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Hypertracker : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Yadro : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][6].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Gamingpromo : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][4].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][5].txt -> TrackingCookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected]ng101[4].txt -> TrackingCookie.Tracking101 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Burstbeacon : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Goldenpalace : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][2].txt -> TrackingCookie.Gamingpromo : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][3].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][4].txt -> TrackingCookie.Yadro : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Hotlog : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup

C:\Documents and Settings\Caution\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup

C:\temp\SeekmoInstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup

C:\temp\SeekmoInstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup

::Report End::

-----------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 1:52:19 AM, on 6/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\system32\tfhixi.exe

C:\WINDOWS\system32\joxmx.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM32\notepad.exe

C:\NEW\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;final-kf8fvcbaw;192.168.0;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\joxmx.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ujfqinx.exe

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...631382D2D2D.exe

O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us48/48.cab

O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)

O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\gpj4l31q1.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)


It could be that Task Scheduler isn't running, and it needs to be for Look2Me-Destroyer to work.

 

To check that Task Scheduler is running in Services, go to Start > Run and type services.msc in the box. Find Task Scheduler in the list and click on it to see the status. If it is not running, click on *Start service*. Then right-click on it, choose *Properties*, and change the startup type to *Automatic* if it isn't already.

 

Then, please run the Look2Me-Destroyer again following my instructions above.


I went into task scheduler.. it was already working... don't know why.. I turned it off n back on.. restarted comp..... regular mode tried it........ safe mode tried it.... both times still didn't work.... this computer is irritating me


Ok, let's remove some of the other junk; it may be interfering with Look2Me-Destroyer, and we'll come back to that.

 

Please download Brute Force Uninstaller to your desktop.

  • Right-click the BFU folder on your desktop and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".

  • Download qoofix.bat (right-click on this link and choose Save As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient; it will take about five minutes.
  • After the PC has restarted, please post another HijackThis log.


Logfile of HijackThis v1.99.1

Scan saved at 3:10:37 PM, on 6/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\thiselt.exe

C:\WINDOWS\CCZoop05.exe

C:\WINDOWS\win32035348.exe

C:\Program Files\rlut\hato.exe

C:\WINDOWS\Q2F1dGlvbg\command.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\WINDOWS\?ystem\?poolsv.exe

C:\NEW\HijackThis.exe

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\joxmx.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ujfqinx.exe

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe

O4 - HKLM\..\Run: [win32035348] C:\WINDOWS\win32035348.exe

O4 - HKCU\..\Run: [Rhcu] "C:\Program Files\rlut\hato.exe" -vt yazb

O4 - HKCU\..\Run: [Yiaggi] C:\WINDOWS\?ystem\?poolsv.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll

O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\p0n80a5ued.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2F1dGlvbg\command.exe

O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)


Qoofix must not have worked either. Did you get any error message or anything?

 

I've asked miekiemoes to have a look here and see if she can spot what the problem might be getting these tools to run. She's pretty good at that.


ya cuz these ads are irritating me..... n I personally don't know as much about computers to find it all.... I mean my comp was KILLED with viruses cuz of my gf.. n I fixed em all but these


Ok, we have a plan here. Miekiemoes was a big help.

 

But first, what did you do with McAfee and Ewido? I don't see them running anymore.

Instead I see: WinAntiVirus Pro 2006

Was that something you did? Because WinAntiVirus Pro 2006 is one of the Smitfraud malware.

And you have new malware infections, which is why I had you download and install Ewido: to prevent that while we are trying to clean up this mess.

.....................................

Look in your Control Panel under Add/Remove Programs for the following:

PuritySCAN By OIN,

Snowballwars by OIN,

OuterInfo or anything similar.

If found, click on it and click Remove.

 

If not listed, download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

 

Also remove this one in the Control Panel under Add/Remove Programs:

WinAntiVirus Pro 2006

 

..............................................

Next, we're going to use the BFU you downloaded earlier with a different fix.

 

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "Complete script execution" box to pop up and press OK.
  • Click "Save" and in "Filename" enter log.txt
  • Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder.

......................................

Download Combofix.zip

http://www.bleepingcomputer.com/forums/ind...ype=post&id=866

Unzip it to its own folder.

Read here how to unzip/extract properly.

http://metallica.geekstogo.com/xpcompressedexplanation.html

 

Open the Combofix folder and double-click combo.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log and log.txt from the BFU folder.

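As an added example that is not part of this thread or of HijackThis itself, the Python below triages the kinds of entries the helper is reacting to in the logs above: extra executables appended to the Shell= and UserInit= values, AppInit_DLLs and Winlogon Notify DLLs with random-looking names, sites added to the IE Trusted Zone, the "?ystem" look-alike process path, a base64-named folder under C:\WINDOWS, and the WinAntiVirus Pro 2006 service the helper identifies as Smitfraud. The sample lines are copied from the logs posted in this thread; the scoring rules are this example's own heuristics, not anything HijackThis does.

```python
from __future__ import annotations
import base64
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line reason")  # severity is "high" or "review"

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\joxmx.exe
C:\WINDOWS\?ystem\?poolsv.exe
C:\WINDOWS\Q2F1dGlvbg\command.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\joxmx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ujfqinx.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\p0n80a5ued.dll
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

# Product names the helper in this thread identifies as rogue security software (Smitfraud family).
ROGUE_PRODUCTS = ("WinAntiVirus Pro 2006",)
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (?:(.+?) - )?(.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def looks_random(stem: str) -> bool:
    """Letters and digits mixed with no separators, e.g. p0n80a5ued or gpj4l31q1."""
    return re.fullmatch(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}", stem, re.I) is not None

def base64_dir_name(component: str) -> str | None:
    """Decoded text if a directory name is unpadded base64 of plain ASCII words, else None."""
    if len(component) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", component):
        return None
    try:
        text = base64.b64decode(component + "=" * (-len(component) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c.isalnum() or c == " " for c in text) else None

def f2_extras(line: str) -> list[str]:
    """Entries appended to Shell= or UserInit= beyond the single expected executable."""
    m = F2_RE.match(line)
    if not m:
        return []
    parts = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return parts[1:]  # a clean value is exactly 'Explorer.exe' or '<dir>\userinit.exe,'

def check_process(path: str) -> list[Finding]:
    out = []
    if "?" in path:  # HijackThis prints a non-ASCII character as '?': a system-path look-alike
        out.append(Finding("high", path, "non-ASCII character in path, look-alike of a system path"))
    for part in path.split("\\")[1:-1]:  # directory components only
        decoded = base64_dir_name(part)
        if decoded:
            out.append(Finding("high", path, f"directory name is base64 for {decoded!r}"))
    return out

def check_entry(line: str) -> list[Finding]:
    extras = f2_extras(line)
    if extras:
        key = F2_RE.match(line).group(1)
        return [Finding("high", line, f"{key}= has extra entries appended: {', '.join(extras)}")]
    m = O20_RE.match(line)
    if m:
        kind, _name, path = m.groups()
        name = path.rsplit("\\", 1)[-1]
        if looks_random(name.rsplit(".", 1)[0]):
            return [Finding("high", line, f"{kind} DLL with random-looking name {name!r}")]
        severity = "high" if kind == "AppInit_DLLs" else "review"  # AppInit_DLLs loads into every GUI process
        return [Finding(severity, line, f"{kind} DLL {name} loads at logon; verify its publisher")]
    if line.startswith("O15 - Trusted Zone:"):
        return [Finding("high", line, "site added to the IE Trusted Zone (weakens ActiveX/download limits)")]
    m = O23_RE.match(line)
    if m:
        return [Finding("high", line, f"service belongs to rogue product {p!r}")
                for p in ROGUE_PRODUCTS if p.lower() in m.group(3).lower()]
    return []

def triage(log_text: str) -> list[Finding]:
    findings, processes, appended, in_processes = [], [], set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends the 'Running processes:' block
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
            findings.extend(check_process(line))
        else:
            findings.extend(check_entry(line))
            appended.update(e.rsplit("\\", 1)[-1].lower() for e in f2_extras(line))
    # A file appended to Shell=/UserInit= that is also running is active persistence, not a stale entry.
    findings.extend(Finding("high", p, "running process is appended to Shell=/UserInit=")
                    for p in processes if p.rsplit("\\", 1)[-1].lower() in appended)
    return findings
```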

BFU v1.00.9

Windows XP SP2 (WinNT 5.01.2600 SP2)

Script started at 12:13:28 AM, on 6/7/2006

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (operation failed)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (operation failed)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (operation failed)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\~DF9CD2.tmp (operation failed)

Failed: FileDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\~DFEB93.tmp (operation failed)

Failed: FileDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\~DFF64E.tmp (operation failed)

Failed: FolderDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\Temporary Internet Files (operation failed)

Failed: FolderDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\Cookies (operation failed)

Failed: FolderDelete C:\DOCUME~1\Caution\LOCALS~1\Temp\History (operation failed)

Failed: FolderDelete C:\WINDOWS\Temp\Temporary Internet Files (operation failed)

Failed: FolderDelete C:\WINDOWS\Temp\Cookies (operation failed)

Failed: FolderDelete C:\WINDOWS\Temp\History (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\temp (folder not found)

Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)

Failed: FolderCreate C:\bintheredunthat (folder already exists)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.


Start Time= Wed 06/07/2006 0:20:18.85

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"

"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"

"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

"{8F7261D0-D2B9-11D2-9909-00605205B24C}"="CuteFTP Shell Extension"

"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Labtec Pictures"

"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

REGISTRY ENTRIES REMOVED:

 

[HKEY_CLASSES_ROOT\CLSID\{6C37A38F-5458-4EC6-AB05-087D364B3B67}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C37A38F-5458-4EC6-AB05-087D364B3B67}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C37A38F-5458-4EC6-AB05-087D364B3B67}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C37A38F-5458-4EC6-AB05-087D364B3B67}\InprocServer32]

@="C:\\WINDOWS\\system32\\btotvid.dll"

"ThreadingModel"="Apartment"

 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

FILES REMOVED:

 

C:\WINDOWS\SYSTEM32\BTOTVID.DLL

C:\WINDOWS\SYSTEM32\I4NM0E~1.DLL

C:\WINDOWS\SYSTEM32\HRN805~1.DLL

C:\WINDOWS\SYSTEM32\LVLM09~1.DLL

C:\WINDOWS\system32\guard.tmp

 

 

Granting SeDebugPrivilege to Administrators ... successful

0:21:37.28

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

0:21:38.84

 

Not all files found by this method are bad. There may be legitimate files found

This log should be examined by a trained analyst

 

 

* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *

 

 

C:\WINDOWS\system32\tfhixi.exe

C:\WINDOWS\system32\joxmx.exe

C:\WINDOWS\SYSTEM32\UJFQINX.EXE

 

 

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

2006-06-06 14:59:58 127,488 "C:\WINDOWS\SYSTEM32\tfhixi.exe"

2006-06-06 15:00:00 28,672 "C:\WINDOWS\SYSTEM32\joxmx.exe"

2006-06-04 21:58:58 48,187 "C:\WINDOWS\SYSTEM32\VSL03.exe"

2006-06-04 22:05:00 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"

2006-03-18 06:09:38 613,376 "C:\WINDOWS\SYSTEM32\urlmon.dll"

2006-06-06 15:00:10 32,768 "C:\WINDOWS\SYSTEM32\WinDmy.dll"

2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\SYSTEM32\mshtml.dll"

2006-06-06 15:00:00 23,552 "C:\WINDOWS\SYSTEM32\ujfqinx.exe"

2006-06-04 21:56:40 28,672 "C:\WINDOWS\SYSTEM32\gbe90qs.exe"

2006-06-06 15:00:00 51,712 "C:\WINDOWS\SYSTEM32\amhioqi.dll"

2006-06-06 15:01:46 81,920 "C:\WINDOWS\SYSTEM32\spoolsv.dll"

2006-06-06 15:00:10 303,104 "C:\WINDOWS\SYSTEM32\WinNB57.dll"

2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\SYSTEM32\shdocvw.dll"

2006-03-16 23:03:54 8,452,096 "C:\WINDOWS\SYSTEM32\shell32.dll"

2006-06-04 21:57:18 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"

2006-06-06 15:01:04 687,592 "C:\WINDOWS\SYSTEM32\atmtd.dll"

2006-06-06 15:53:54 127,488 "C:\WINDOWS\SYSTEM32\ycvlj.dat"

2006-06-06 23:53:24 578 "C:\WINDOWS\ranpo.dll"

2006-06-06 15:00:00 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lmtje.exe"

 

 

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

06/06/2006 02:59 PM 127,488 tfhixi.exe.vir

06/06/2006 03:53 PM 127,488 ycvlj.dat.vir

06/06/2006 03:00 PM 127,488 lmtje.exe.vir

06/06/2006 03:00 PM 51,712 amhioqi.dll.vir

06/06/2006 03:00 PM 28,672 joxmx.exe.vir

06/06/2006 03:00 PM 23,552 ujfqinx.exe.vir

 

 

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

 

 

* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

2006-06-04 21:56:40 28,672 "C:\WINDOWS\SYSTEM32\gbe90qs.exe"

2006-06-04 21:58:58 48,187 "C:\WINDOWS\SYSTEM32\VSL03.exe"

2006-06-04 22:05:00 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"

2006-06-06 15:01:46 81,920 "C:\WINDOWS\SYSTEM32\spoolsv.dll"

2006-06-06 15:00:10 303,104 "C:\WINDOWS\SYSTEM32\WinNB57.dll"

2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\SYSTEM32\shdocvw.dll"

2006-03-16 23:03:54 8,452,096 "C:\WINDOWS\SYSTEM32\shell32.dll"

2006-06-04 21:57:18 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"

2006-03-18 06:09:38 613,376 "C:\WINDOWS\SYSTEM32\urlmon.dll"

2006-06-06 15:00:10 32,768 "C:\WINDOWS\SYSTEM32\WinDmy.dll"

2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\SYSTEM32\mshtml.dll"

2006-06-06 15:01:04 687,592 "C:\WINDOWS\SYSTEM32\atmtd.dll"

2006-06-06 23:53:24 578 "C:\WINDOWS\ranpo.dll"

 

 

((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\SYSTEM32\BK.EXE

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

0:30:43.67

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-06-06 23:53:24 578 ( A.... ) "C:\WINDOWS\ranpo.dll"

2006-06-06 23:47:28 ( .D... ) "C:\Program Files\Common Files\?ssembly"

2006-06-06 16:50:22 528446 ( A.... ) "C:\WINDOWS\gmer.dll"

2006-06-06 15:20:20 ( .D... ) "C:\Program Files\webHancer"

2006-06-06 15:20:12 ( .D... ) "C:\Program Files\whInstall"

2006-06-06 15:20:08 ( .D... ) "C:\Program Files\Common Files\simtest"

2006-06-06 15:20:08 ( .D... ) "C:\Program Files\Common Files\misc001"

2006-06-06 15:01:46 81920 ( A.... ) "C:\WINDOWS\SYSTEM32\spoolsv.dll"

2006-06-06 15:01:04 687592 ( A.... ) "C:\WINDOWS\SYSTEM32\atmtd.dll"

2006-06-06 15:00:28 25105 ( A.... ) "C:\WINDOWS\idlemg.exe"

2006-06-06 15:00:26 ( .D... ) "C:\Program Files\rlut"

2006-06-06 15:00:22 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"

2006-06-06 15:00:14 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"

2006-06-06 15:00:10 303104 ( A.... ) "C:\WINDOWS\SYSTEM32\WinNB57.dll"

2006-06-06 15:00:10 32768 ( A.... ) "C:\WINDOWS\SYSTEM32\WinDmy.dll"

2006-06-06 15:00:08 376832 ( A.... ) "C:\WINDOWS\876057.exe"

2006-06-06 14:59:40 114137 ( A.... ) "C:\WINDOWS\justin2a.exe"

2006-06-05 23:41:32 ( .D... ) "C:\Program Files\ewido anti-malware"

2006-06-05 17:26:00 ( .D... ) "C:\Documents and Settings\Caution\Application Data\WinAntiVirus Pro 2006"

2006-06-05 16:40:26 ( .D... ) "C:\Documents and Settings\Caution\Application Data\Lavasoft"

2006-06-05 16:39:06 ( .D... ) "C:\Program Files\Common Files\WinAntiVirus Pro 2006"

2006-06-05 16:33:22 ( .D... ) "C:\Program Files\Lavasoft"

2006-06-04 22:05:00 48167 ( A.... ) "C:\WINDOWS\SYSTEM32\VSL05.exe"

2006-06-04 22:02:48 35862 ( A.... ) "C:\WINDOWS\wallp2.exe"

2006-06-04 21:58:58 48187 ( A.... ) "C:\WINDOWS\SYSTEM32\VSL03.exe"

2006-06-04 21:57:18 8464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"

2006-06-04 21:57:00 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"

2006-06-04 21:56:48 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\ftuninst.exe"

2006-06-04 21:56:40 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\gbe90qs.exe"

2006-06-04 21:55:16 232749 ( A.... ) "C:\WINDOWS\pf78.exe"

2006-06-04 18:44:08 ( .D... ) "C:\Program Files\MP3 Audio Converter"

2006-05-25 22:05:20 745531 ( A.... ) "C:\WINDOWS\gmer.exe"

2006-05-16 15:56:14 2112 ( A.... ) "C:\Program Files\folder.js"

2006-05-07 17:59:10 ( .D... ) "C:\Documents and Settings\Caution\Application Data\Apple Computer"

2006-05-07 17:55:56 ( .D... ) "C:\Program Files\iTunes"

2006-05-03 23:26:22 5818784 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"

2006-03-30 23:51:28 78336 ( A.... ) "C:\WINDOWS\SYSTEM32\nsy7.dll"

2006-03-30 04:16:04 1492480 ( A.... ) "C:\WINDOWS\SYSTEM32\shdocvw.dll"

2006-03-29 20:00:14 16384 ( A.... ) "C:\WINDOWS\SYSTEM32\xpsp3res.dll"

2006-03-23 15:32:42 3053568 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtml.dll"

2006-03-23 11:43:56 139264 ( A.... ) "C:\WINDOWS\win32035348.exe"

2006-03-18 06:09:38 613376 ( A.... ) "C:\WINDOWS\SYSTEM32\urlmon.dll"

2006-03-17 04:07:18 679424 ( A.... ) "C:\WINDOWS\SYSTEM32\inetcomm.dll"

2006-03-16 23:03:54 8452096 ( A.... ) "C:\WINDOWS\SYSTEM32\shell32.dll"

2006-03-16 19:38:02 28672 ( ..... ) "C:\WINDOWS\SYSTEM32\verclsid.exe"

2006-03-08 15:50:50 102400 ( A.... ) "C:\WINDOWS\CCZoop05.exe"

2006-03-08 15:50:50 57344 ( A.... ) "C:\WINDOWS\uni_ehhh.exe"

2006-03-08 15:50:50 53248 ( A.... ) "C:\WINDOWS\unin101.exe"

2004-05-30 16:59:34 11079 ( ...H. ) "C:\Program Files\folder.htt"

2004-05-30 16:59:34 266 ( ..SH. ) "C:\Program Files\desktop.ini"

 

 

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

flags REG_DWORD 8 (0x8)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

Ad-aware REG_SZ "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c

IST Service REG_SZ C:\Program Files\ISTsvc\istsvc.exe

KernelFaultCheck REG_SZ %systemroot%\system32\dumprep 0 -k

MCAgentExe REG_SZ C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

McRegWiz REG_SZ c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

MCUpdateExe REG_SZ C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

Media Gateway REG_SZ C:\Program Files\Media Gateway\MediaGateway.exe

 

Scheduled Tasks Folder Contents

C:\WINDOWS\Tasks\McAfee.com Update Check (FINAL-KF8FVCBAW-Caution).job

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\SA.DAT

C:\WINDOWS\Tasks\McAfee.com Update Check (CAUTION-Caution).job

C:\WINDOWS\Tasks\At4.job

 

Completion time: Wed 06/07/2006 0:30:51.88

ComboFix ver 06.06.06 - This logfile is located at C:\ComboFix.txt


Logfile of HijackThis v1.99.1

Scan saved at 12:35:30 AM, on 6/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\NEW\HijackThis.exe

 

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)


That Combofix tool did a lot of good; however, it appears you have been *fixing* things on your own in the HijackThis log. Many of your legitimate entries are missing. What has been done other than what I have advised in this thread? I'm afraid you may have removed some things you shouldn't have, and this means your system won't run properly.

 

Go to your Control panel and locate this program:

 

Webhancer

 

Highlight it in the list and press *remove*

..........................

Make a copy of these instructions to have handy, as you need to have all open windows and browsers closed during the next step:

 

Close all browsers and any open windows. Scan with HijackThis and checkmark these entries, then press *fix checked*

 

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

 

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

 

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

 

 

Is this something you knowingly installed?

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

 

And I really need to know what has been done in between these fixes I've posted.

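The entries the helper picks out above (O3, O10, O15, O16, O23) follow HijackThis's fixed line formats, so the same triage can be scripted. The following is an added example, not part of this thread or of HijackThis itself; the Microsoft-only allowlist is an assumption made for the demo, and the sample lines are copied from the logs posted in the thread.

```python
"""Triage HijackThis 1.99 log lines the way the helper in this thread did by hand.

Added example (not the thread's or HijackThis's own code). Flags the entry kinds
the helper singled out: a toolbar DLL in the Windows directory, hijacked Winsock
access, Trusted Zone / ActiveX (DPF) hosts outside an allowlist, and services
with an unknown owner or a missing file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlist for this demo: the only hosts an XP box needs in its Trusted
# Zone or as an ActiveX source are Microsoft's own update servers.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
"""

@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O15"
    severity: str  # "fix": remove it; "verify": confirm with the user first
    detail: str

def _host_of(target: str) -> str:
    """Bare host from '*.foo.net', 'http://bar.com (HKLM)' or a DPF cab URL."""
    target = re.sub(r"\s*\((HKLM|HKCU)\)\s*$", "", target.strip())
    if "://" in target:
        return (urlparse(target).hostname or "").lower()
    return target.lstrip("*.").lower()

def _allowlisted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def _tail(body: str, n: int) -> Optional[List[str]]:
    """Split '<a> - <b> - <c>' from the right into n + 1 parts, or None."""
    parts = body.rsplit(" - ", n)
    return parts if len(parts) == n + 1 else None

def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means benign or not a section we inspect."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    tag, body = m.groups()
    if tag == "O3":
        # "Toolbar: <name> - {CLSID} - <dll path>"; legitimate toolbars live under
        # Program Files, so a toolbar DLL in the Windows directory is a red flag.
        parts = _tail(body, 2)
        if parts and "\\windows\\" in parts[2].lower():
            return Finding(tag, "fix", f"{parts[0].split(': ', 1)[-1]} -> {parts[2]}")
    elif tag == "O10":
        return Finding(tag, "fix", body)  # HijackThis itself labels the LSP hijack
    elif tag == "O15":
        host = _host_of(body[len("Trusted Zone:"):])
        if not _allowlisted(host):
            return Finding(tag, "fix", f"Trusted Zone entry for {host}")
    elif tag == "O16":
        # "DPF: {CLSID} (ProgID) - <cab url>"
        parts = _tail(body, 1)
        host = _host_of(parts[1]) if parts else ""
        if parts and not _allowlisted(host):
            return Finding(tag, "fix", f"ActiveX control downloaded from {host}")
    elif tag == "O23":
        # "Service: <name> (<short>) - <owner> - <path>"
        parts = _tail(body, 2)
        if parts and parts[2].endswith("(file missing)"):
            return Finding(tag, "verify", f"{parts[0].split(': ', 1)[-1]} points at a missing file")
        if parts and parts[1] == "Unknown owner":
            return Finding(tag, "verify", f"{parts[0].split(': ', 1)[-1]} has no signer/owner")
    return None

def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```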

I did nothing in between the time except run ad-aware... spybot..... anti-malware and mcafee virus scanner every so often..... n deleted some in add/remove programs.. besides that.... nope really haven't done a lot......

 

n the Titan FTP Server is something i've had for longest time.......... I just nvr use it so i'm prob gonna end up deletin it


Ok, thanks for the feedback. A lot of your programs appear not to be running anymore (McAfee, Ewido) - perhaps they've been disabled. They need to be uninstalled/reinstalled to get them running properly. If a PC was ever a candidate for a fresh reformat and reinstall, this is one of them. Unfortunately that's not usually an easy task for a novice.

 

Can you please post a fresh HijackThis log? I also need a different log as well.

 

Do the scan then press the config button in the lower right corner and choose *Open Misc Tools Section*

From there, choose *Open Uninstall Manager*. It will make a list of your installed programs. When it finishes please choose *Save list* and copy those results back here.


Well the reason they wouldn't show up as running because in msconfig i turned everything off.. cuz i don't like things to load up at all when i'm on the computer...... it annoys me...... n as far as reformatting my computer..... i don't want to... I have too much on it that deals with my designing and promotion business.. as well as all my music n all, that i don't want to upload to a server and burn to cd.......

 

Logfile of HijackThis v1.99.1

Scan saved at 1:01:20 PM, on 6/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Winamp\Winamp.exe

C:\NEW\HijackThis.exe

 

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - Unknown owner - C:\WINDOWS\SYSTEM32\srxTitan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

 

 

 

Acoustica MP3 Audio Mixer

Ad-Aware SE Personal

Adobe Photoshop CS

Alien Skin Xenofex 2.0

AOL Instant Messenger

BuddyVision

CoffeeCup Image Mapper

Cool Edit Pro 2.0

CuteFTP 5.0 XP

CuteFTP 6 Home

CuteFTP 6 Professional

CuteFTP 7 Home

CuteHTML Pro 6

DivX 4.12 Codec

DRS 2006 Standard Demo Package

ewido anti-malware

Eye Candy 4000

EzVoice 2.1

HijackThis 1.99.1

HS CleanDisk Pro

Image Mapper

Ipswitch WS_FTP Home 2006

iTunes

J2SE Runtime Environment 5.0 Update 4

Kai's Power Tools 3

KPT Equalizer

LimeWire

LimeWire 4.10.9

Logitech QuickCam Software

Logitech® Camera Driver

Lyra Digital Audio Player

Macromedia Flash Player 8

MaxSpeed

McAfee Personal Firewall Plus

McAfee SecurityCenter

McAfee SpamKiller

McAfee VirusScan Professional

Microsoft PowerPoint Viewer 97

Monopoly v2.00.101 Crack - By Maggot Brain

MP3 Audio Converter

My Search Bar

Nero - Burning Rom

Odyssey Online Classic 3.0.1

Optimum XP 1.4

Paint Shop Pro 7 ESD

Photovista Panorama 2.02

QuickTime Alternative 1.69

RealPlayer 7 Basic

Search Assistant - My Search

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB896688)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901190)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Spybot - Search & Destroy 1.3

SWiSH v2.0

Titan FTP Server

TPP Storage Driver Installation

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

USB Storage Adapter (TPP)

USB Storage Adapter V2 (TPP)

USB Storage Adapter V3 (TPP)

V3750 User's Manual

Viewpoint Manager (Remove Only)

Viewpoint Media Player

Viewpoint Toolbar (Remove Only)

WAV - MP3 Converter Encoder

WebSearch Tools

Winamp (remove only)

Windows Installer 3.1 (KB893803)

Windows Live Safety scanner

Windows Media Encoder 9 Series

Windows Media Encoder 9 Series

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893066

Windows XP Hotfix - KB893086

Windows XP Service Pack 2

WinRAR archiver

WinZip

Xenofex 1.0

XPIPcfg 3.0

Yahoo! Address AutoComplete

Yahoo! extras

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Photos Easy Upload Tool 1v5

Yahoo! Toolbar

Well the reason they wouldn't show up as running because in msconfig i turned everything off.. cuz i don't like things to load up at all when i'm on the computer...... it annoys me......

Oh my, you should at least have your security programs running - having them off is a good way to get reinfected. :D

 

Your Sun Java is out of date, and old versions left on your PC, even after updating, can be vulnerable to malware exploits. Go to Start / Control Panel and look in Add/Remove Programs. Remove all old versions of Sun Java. Then go get the latest up-to-date version here:

http://www.java.com/en/download/manual.jsp

 

Here's why removing old versions of Sun Java is important:

Potential Vulnerability with Sun Java auto update

http://www.dslreports.com/forum/remark,14738046

 

These are Adware programs. If you did not install them on purpose or use them, I would remove them.

 

MaxSpeed

 

My Search Bar

 

Search Assistant - My Search

 

WebSearch Tools

 

Everything else looks ok from those logs.

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC's security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.


Hey thanks for the help... and na i usually don't run through many sites on my computer or go to places to pikup the malware n wut not.... only reason i got it cuz i was looking for serial for KPT Equalizer.. n i went to wrong site n clicked wrong things... i wasn't payin attention.... but o well right?? things happen.......

 

I fixed most of them.. you shoulda seen how many trojans and wut not i started out with because of it lol.......

 

but otherwise i just design or do music on my computer......

 

but once again thx for helpin me fix the problems.......
