# memory infection with downloader delf.zu error during cleaning



## peterboy (Dec 15, 2005)

Hello. I visited some site, then my desktop got all blue and in the middle it said "detected spyware infection" and my browser was hijacked. Somehow I got rid of that, but then it said on my toolbar "Microsoft has detected a spyware infection". I used Microsoft AntiSpyware and it went away, but every time I reboot it would happen again. Then I used ewido security; that worked, it doesn't say I have a spyware infection anymore and it boots normally, but now under my desktop icons there's like a blue box. When I scan my memory (but only ewido detects it) I get Downloader.Delf.zu "error during cleaning". Do I still have that infection? Can this break my PC or lose my memory? How can I get rid of this? Please help as soon as possible. Thank you ahead.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:16:48 PM, 12/14/2005
+ Report-Checksum: BD62A05E

+ Scan result:

[496] C:\WINDOWS\g1938828.dll -> Downloader.Delf.zu : Error during cleaning
[1296] C:\WINDOWS\g1938828.dll -> Downloader.Delf.zu : Error during cleaning
C:\Documents and Settings Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\ : Cleaned with backup
C:\Documents and SettingsSpyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and SettingsSpyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\ : Cleaned with backup
C:\Documents and Settings\ Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__g1938828.dll -> Downloader.Delf.zu : Cleaned with backup

::Report End
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\htwu\rrup.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\w?crtupd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-462D-8829-B203006D443F} - (no file)
O2 - BHO: (no name) - {00000000-0000-487D-91B5-08E871FA0D1B} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A118664C-8FA4-8B75-8FA4-A528E65636BB} - C:\WINDOWS\System32\ynryre.dll
O2 - BHO: (no name) - {D27DF2AC-C028-FF78-3D4B-72A2F9B8BA6F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {6C68515E-13EF-A5E3-D4B4-231357B0E7BB} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt yazr
O4 - HKCU\..\Run: [Zausp] C:\WINDOWS\System32\w?crtupd.exe
O4 - Global Startup: palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g1938828.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2FyZW4gR3JhbmdlcgAA\command.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ufgfrmr.exe (file missing)


----------



## khazars (Feb 15, 2004)

hi, welcome to TSG.

Before you proceed with the removal directions below you need to turn off MS 
Anti-Spyware's realtime protection as it will interfere with the changes we 
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime 
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose 
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Command Service (cmdService)
Right click and choose "Properties". On the "General" tab under "Service 
Status" click the "Stop" button to stop the service. Beside "Startup Type" 
in the dropdown menu select "Disabled". Click Apply then OK. Exit the 
Services utility.

Note: You may get an error here when trying to access the properties of the 
service. If you do get an error, just select the service and look there in 
the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

repeat for this service

Windows Overlay Components

In Hijack This, click on the "Open Misc Tools section" button. Next click the
"Delete an NT service" button. Copy and paste the following in that box:

S2FyZW4gR3JhbmdlcgAA

Click OK.

Download win32delfkil.exe:

http://users.telenet.be/marcvn/tools/win32delfkil.exe

Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on
your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically and after the reboot the infection should be killed.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

* Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

*Download Cleanup from Here

http://www.stevengould.org/software/cleanup/download.html

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in
safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-462D-8829-B203006D443F} - (no file)
O2 - BHO: (no name) - {00000000-0000-487D-91B5-08E871FA0D1B} - (no file)
O2 - BHO: (no name) - {A118664C-8FA4-8B75-8FA4-A528E65636BB} - C:\WINDOWS\System32\ynryre.dll
O2 - BHO: (no name) - {D27DF2AC-C028-FF78-3D4B-72A2F9B8BA6F} - (no file)
O3 - Toolbar: (no name) - {6C68515E-13EF-A5E3-D4B4-231357B0E7BB} - (no file)
O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt yazr
O4 - HKCU\..\Run: [Zausp] C:\WINDOWS\System32\w?crtupd.exe
O4 - Global Startup: palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: st3 - C:\WINDOWS\g1938828.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2FyZW4gR3JhbmdlcgAA\command.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ufgfrmr.exe (file missing)

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\WINDOWS\System32\ynryre.dll
C:\WINDOWS\inet20099\winlogon.exe
C:\Program Files\htwu\rrup.exe
C:\WINDOWS\System32\w?crtupd.exe

Find and delete these files and folders if there.

C:\WINDOWS\inet20099
C:\Program Files\htwu

* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once its done, close the program.

Reboot to normal mode and run a few online scans!

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, plus the ewido and ActiveScan logs.
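The checks khazars applies by eye to the HijackThis log above (entries whose file is absent, unnamed BHOs and toolbars, a Winlogon Notify DLL outside the system directory, a service with no publisher, a `winlogon.exe` living somewhere other than System32) can be written down as structural rules. The script below is an added example, not a tool from this thread or from TSG; it parses a constructed sample in HijackThis v1.99 format built from the shapes seen above and explains why each flagged line was flagged. One extra rule is worth knowing: the directory of the `cmdService` path, `S2FyZW4gR3JhbmdlcgAA`, is plain base64 and decodes to the machine's own user name (`Karen Granger`, the account visible in the log paths), so a check for base64 directory names catches it. Entries such as `rrup.exe` under `C:\Program Files\htwu` have nothing structurally wrong with them, so they still need a human who knows the machine.

```python
import base64
import re

# Constructed sample in HijackThis v1.99 format; entries abbreviated from the
# shapes that appear in this thread, not a complete log.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A118664C-8FA4-8B75-8FA4-A528E65636BB} - C:\WINDOWS\System32\ynryre.dll
O2 - BHO: (no name) - {D27DF2AC-C028-FF78-3D4B-72A2F9B8BA6F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g1938828.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2FyZW4gR3JhbmdlcgAA\command.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path in the entry body, with or without surrounding quotes.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
# Names that belong only in the system directory; a copy elsewhere is a lure.
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}


def looks_like_base64_text(component):
    """True when a path component is strict base64 that decodes to printable
    ASCII (trailing NUL padding allowed), as the cmdService directory does."""
    if len(component) < 12 or len(component) % 4:
        return False
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:
        return False
    text = raw.rstrip(b"\x00")
    return bool(text) and all(32 <= b < 127 for b in text)


def triage_entry(kind, body):
    """Return the list of reasons a single HijackThis entry deserves a look."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: referenced file is absent (deleted, or renamed for delete-on-reboot)")
    if kind in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed browser helper object / toolbar")
    if kind == "O15":
        reasons.append("Internet Explorer zone mapping altered")
    if kind == "F3":
        reasons.append("legacy win.ini run= autostart")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    m = PATH_RE.search(body)
    if m:
        path = m.group(0)
        low = path.lower()
        parts = path.split("\\")
        if kind == "O20" and not low.startswith(SYSTEM_DIRS):
            reasons.append("Winlogon Notify DLL outside the system directory: it is mapped into "
                           "winlogon.exe at logon, which is why on-disk cleaning fails while it is loaded")
        if parts[-1].lower() in CORE_BINARIES and not low.startswith(SYSTEM_DIRS):
            reasons.append("core system binary name in a non-system directory")
        for comp in parts[1:-1]:  # directory components only, not drive or file name
            if looks_like_base64_text(comp):
                decoded = base64.b64decode(comp).rstrip(b"\x00").decode("ascii")
                reasons.append(f"directory name is base64 for {decoded!r}")
    return reasons


def triage(log_text):
    """Map each suspicious HijackThis line to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_entry(m.group("kind"), m.group("body"))
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

The rules are deliberately conservative: a clean line such as the Intel graphics `O20` entry or the Acrobat BHO produces no reasons at all, so anything the script prints is worth reading rather than noise to scroll past.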


----------



## peterboy (Dec 15, 2005)

Hi khazars, I did what you told me; I hope I did it right. I did a scan with ewido and I got a crazy result, it's some worm Krepper, there's like 10000 files infected. I couldn't copy and paste, it's too much. I don't know what to do, let me know please. My HijackThis result:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:41 PM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: oxjz.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

OK, I hope I'm doing this right. Please reply. Thank you.


----------



## khazars (Feb 15, 2004)

You never posted any of the logs, ewido, Panda or Kaspersky. You can cut and paste the ewido log if it's too big, just post it in 2 or 3 parts!

Make sure Microsoft's AntiSpyware is still disabled.

Do a Ctrl/Alt/Del and in Task Manager stop these processes if running.

pwcarc.exe 
sndcfg16.exe
oxjz.exe

Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - Global Startup: oxjz.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box. Then click yes 
to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

C:\WINDOWS\System32\pwcarc.exe 
C:\WINDOWS\System32\sndcfg16.exe
C:\WINDOWS\System32\oxjz.exe

then in normal mode download and run these tools!

Go to this site and download these tools, and once you get both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk 
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the 
immunize button.

All tools can be downloaded at the link below and found on that page!

. SpyBot search and destroy
. AdAware SE personal

http://www.majorgeeks.com/downloads31.html

Post another log.


----------



## peterboy (Dec 15, 2005)

Hi khazars, well I did what you told me to; here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 8:12:43 PM, on 12/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Please let me know how I am doing. Thank you khazars, you're :up:  Happy holidays.


----------



## khazars (Feb 15, 2004)

You really need to post those logs so I can tell what's left and what you have. With ewido, you said the same infection about a thousand times; just post a few lines from it so I can see what it is and where it is.

Also post the Panda and Kaspersky logs; if you have not run a scan please do so!

Fix these two!

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


----------



## peterboy (Dec 15, 2005)

Hi khazars, I did a couple of scans, here they are.

KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 31, 2005 00:47:21
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/12/2005
Kaspersky Anti-Virus database records: 158190
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55264
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 2769 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP33\A0023193.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP33\A0023194.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP33\A0023195.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP33\A0023196.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP74\A0028341.exe	Infected: IM-Worm.Win32.Kelvir.e
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP74\A0028342.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP74\A0028343.exe/data0002/data0006	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP74\A0028343.exe/data0002	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP74\A0028343.exe	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP75\A0028400.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP75\A0028402.exe/data0002/data0006	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP75\A0028402.exe/data0002	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP75\A0028402.exe	Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP75\A0028407.exe	Infected: IM-Worm.Win32.Kelvir.e
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP76\A0028859.exe	Infected: Trojan-Downloader.Win32.PurityScan.bb
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP76\A0028890.exe	Infected: Trojan-Downloader.Win32.PurityScan.bb

Scan process completed.
-----------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:09:03 AM, 12/31/2005
+ Report-Checksum: E93E5129

+ Scan result:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Please let me know how I'm doing. Thank you :up:


----------



## khazars (Feb 15, 2004)

turn off ewido's security guard as it can interfere with the fixes!

Before you proceed with the removal directions below you need to turn off MS 
Anti-Spyware's realtime protection as it will interfere with the changes we 
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime 
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose 
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Do a Ctrl/Alt/Del and in Task Manager stop these processes if running.

pwcarc.exe

Have HijackThis fix these entries. Close all browsers and programmes before 
clicking FIX.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time, then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box. Then click Yes 
to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

C:\WINDOWS\System32\pwcarc.exe

Go to this site and download Ad-Aware SE 1.6. Once you get Ad-Aware, 
update it.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk 
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

All tools can be downloaded at the link below and found on that page!

* Ad-Aware SE Personal

http://www.majorgeeks.com/downloads31.html

WinPFind

* Download WinPFind http://www.bleepingcomputer.com/files/winpfind.php
* Double click on WinPFind and unzip it to your Desktop.
* Don't do anything with it yet!

* Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
* Save it to the Desktop.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly
until a menu shows up (and choose Safe Mode from the list). In some systems, 
this may be the F5 key, so try that if F8 doesn't work.

Double click WinPFind.exe

* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!

Reboot back to Normal Mode!

Double click on 'Track qoo.vbs'

Note - If you have an anti-virus program that has script blocking features, 
you will get a pop up window asking you what to do. Allow this entire script 
to run. It's harmless.

Wait a few seconds and Notepad will pop up. Copy & Paste those results and 
place them in the next post along with the results of WinPFind!

Post another log, plus the WinPFind and Track qoo logs!
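The order of operations above (stop the process in Task Manager, have HijackThis fix the O4 entry, then delete the file on reboot) can be derived mechanically from the HijackThis log itself. The Python below is an added example, not a tool from this thread: it parses the `O4 - HKLM\..\Run` line format and the "Running processes" list of a constructed log excerpt modelled on the one posted, and emits the three removal steps in that order. `HJT_RUN_KEY_PREFIX` encodes HijackThis's `..` abbreviation, which the WinPFind registry dump in the thread confirms for the `winsync` value.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed excerpt of a HijackThis v1.99.1 log, modelled on the one posted in
# the thread; "winsync" is the entry the helper asked to have fixed.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:12:43 PM, on 12/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pwcarc.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# HijackThis writes ".." for Software\Microsoft\Windows\CurrentVersion.
HJT_RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"

# Matches e.g. "O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run"
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")


@dataclass
class RunEntry:
    hive: str    # HKLM or HKCU
    subkey: str  # Run, RunOnce, RunServices, ...
    name: str    # registry value name, shown by HJT in [brackets]
    image: str   # executable path with surrounding quotes stripped
    args: str    # remaining command-line arguments, "" if none

    @property
    def registry_key(self) -> str:
        return f"{self.hive}\\{HJT_RUN_KEY_PREFIX}\\{self.subkey}"


def split_command_line(cmd: str) -> Tuple[str, str]:
    """Separate the image path from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_run_entries(log: str) -> List[RunEntry]:
    """Collect registry-based O4 autostarts (Global Startup .lnk lines are skipped)."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            hive, subkey, name, cmd = m.groups()
            image, args = split_command_line(cmd)
            entries.append(RunEntry(hive, subkey, name, image, args))
    return entries


def parse_running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


@dataclass
class RemovalPlan:
    processes_to_stop: List[str] = field(default_factory=list)            # Task Manager
    registry_values: List[Tuple[str, str]] = field(default_factory=list)  # HijackThis fix
    files_to_delete: List[str] = field(default_factory=list)              # delete on reboot


def build_removal_plan(log: str, bad_value_names: Set[str]) -> RemovalPlan:
    """Map the named O4 entries onto the helper's order: stop, fix, delete on reboot."""
    wanted = {n.lower() for n in bad_value_names}
    running = {p.rsplit("\\", 1)[-1].lower() for p in parse_running_processes(log)}
    plan = RemovalPlan()
    for entry in parse_o4_run_entries(log):
        if entry.name.lower() not in wanted:
            continue
        basename = entry.image.rsplit("\\", 1)[-1]
        if basename.lower() in running and basename not in plan.processes_to_stop:
            plan.processes_to_stop.append(basename)
        plan.registry_values.append((entry.registry_key, entry.name))
        if entry.image not in plan.files_to_delete:
            plan.files_to_delete.append(entry.image)
    return plan


if __name__ == "__main__":
    print(build_removal_plan(SAMPLE_HJT_LOG, {"winsync"}))
```

Run stand-alone it prints the plan for the `winsync` entry: `pwcarc.exe` to stop, the `HKLM\...\Run` value `winsync` to fix, and `C:\WINDOWS\System32\pwcarc.exe` to delete on reboot.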


----------



## peterboy (Dec 15, 2005)

Hi khazars, here are my results.

Logfile of HijackThis v1.99.1
Scan saved at 8:12:43 PM, on 12/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
qoologic 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
SAHAgent 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
qoologic 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
SAHAgent 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 12/2/2005 5:31:00 AM 478208 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 3/31/2003 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 12/7/2005 1:52:10 PM 575488 C:\WINDOWS\SYSTEM32\mdmfcplayer.ocx
PECompact2 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 3/31/2003 4:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 10/30/2005 8:49:02 PM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
FSG! 7/5/2004 7:09:14 AM R 295424 C:\WINDOWS\SYSTEM32\TFTP2404
winsync 3/31/2003 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/31/2005 11:45:48 AM S 2048 C:\WINDOWS\bootstat.dat
12/4/2005 8:00:18 AM RH 30720 C:\WINDOWS\CdaC13BA.EXE
12/4/2005 8:00:18 AM RH 112128 C:\WINDOWS\CdaC14BA.DLL
12/7/2005 3:07:40 AM H 24 C:\WINDOWS\p1J7N
12/14/2005 3:50:12 AM H 10820 C:\WINDOWS\Help\nocontnt.GID
11/29/2005 10:22:36 PM HS 229376 C:\WINDOWS\Help\Tours\htmlTour\Thumbs.db
11/29/2005 10:23:14 PM HS 11776 C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Thumbs.db
11/29/2005 10:23:20 PM HS 15360 C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\Btn\Thumbs.db
11/29/2005 10:23:26 PM HS 17920 C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Img\WMarks\Thumbs.db
11/29/2005 10:23:38 PM HS 40960 C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\Thumbs.db
12/7/2005 1:31:54 AM H 0 C:\WINDOWS\inf\oem44.inf
11/29/2005 10:41:38 PM HS 16384 C:\WINDOWS\PCHealth\HelpCtr\System\images\16x16\Thumbs.db
11/29/2005 10:41:48 PM HS 14336 C:\WINDOWS\PCHealth\HelpCtr\System\images\24x24\Thumbs.db
11/29/2005 10:41:30 PM HS 8192 C:\WINDOWS\PCHealth\HelpCtr\System\images\32x32\Thumbs.db
11/29/2005 10:41:30 PM HS 12288 C:\WINDOWS\PCHealth\HelpCtr\System\images\48x48\Thumbs.db
11/29/2005 10:41:30 PM HS 11264 C:\WINDOWS\PCHealth\HelpCtr\System\images\Centers\Thumbs.db
11/29/2005 10:42:06 PM HS 6656 C:\WINDOWS\PCHealth\HelpCtr\System\Remote Assistance\Interaction\Common\Thumbs.db
11/29/2005 10:42:16 PM HS 19456 C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\graphics\Thumbs.db
11/29/2005 10:42:20 PM HS 15360 C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\graphics\33x16pie\Thumbs.db
11/29/2005 10:42:24 PM HS 18432 C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\graphics\47x24pie\Thumbs.db
11/29/2005 10:42:30 PM HS 6144 C:\WINDOWS\PCHealth\HelpCtr\System_OEM\images\Thumbs.db
11/29/2005 10:42:28 PM HS 8192 C:\WINDOWS\PCHealth\HelpCtr\System_OEM\images\32x32\Thumbs.db
11/29/2005 10:42:46 PM HS 18944 C:\WINDOWS\PCHealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Thumbs.db
11/22/2005 6:12:02 PM S 20273 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915-IE6SP1-20051122.175908.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
12/31/2005 11:45:40 AM H 8192 C:\WINDOWS\system32\config\default.LOG
12/31/2005 11:45:56 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/31/2005 11:45:50 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/31/2005 11:46:58 AM H 106496 C:\WINDOWS\system32\config\software.LOG
12/31/2005 11:45:52 AM H 1024000 C:\WINDOWS\system32\config\system.LOG
12/7/2005 5:26:12 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6XQBX8IZ\desktop.ini
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CVK3SZ6P\desktop.ini
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FEP5LCUK\desktop.ini
11/8/2005 7:49:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IXSQOCIQ\desktop.ini
11/29/2005 10:49:52 PM HS 8192 C:\WINDOWS\system32\oobe\html\oemreg\images\Thumbs.db
11/29/2005 10:49:56 PM HS 3072 C:\WINDOWS\system32\oobe\images\Thumbs.db
11/29/2005 10:50:16 PM HS 11264 C:\WINDOWS\system32\oobe\setup\Images\Thumbs.db
12/31/2005 11:44:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT
11/29/2005 10:52:18 PM HS 18944 C:\WINDOWS\TOSHOFER\Thumbs.db
12/20/2005 12:44:26 AM HS 7168 C:\WINDOWS\VALUEADD\Thumbs.db
11/29/2005 10:52:56 PM HS 6656 C:\WINDOWS\Web\printers\images\Thumbs.db
11/29/2005 10:52:58 PM HS 20992 C:\WINDOWS\Web\Wallpaper\Thumbs.db

Checking for CPL files...
Microsoft Corporation 3/31/2003 4:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
TOSHIBA Corp. 10/31/2003 11:28:06 AM 520192 C:\WINDOWS\SYSTEM32\HWSETUP.CPL
Intel Corporation 9/20/2005 10:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/20/2003 4:41:52 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
M-Audio 8/15/2004 10:28:10 AM 131072 C:\WINDOWS\SYSTEM32\mobpre.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 12/30/2005 8:46:24 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
 9/5/2003 1:36:40 PM 495616 C:\WINDOWS\SYSTEM32\TOSCDSPD.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 12/30/2005 8:46:24 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/20/2003 3:46:40 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/31/2005 11:47:24 AM 228352 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oxjz.exe
12/23/2005 11:31:42 AM 1518 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/20/2003 7:37:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/23/2005 10:27:18 PM 13 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
5/1/2004 8:17:10 PM 13 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
4/29/2004 3:41:20 AM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
11/20/2003 3:46:40 PM HS 84 C:\Documents and Settings\Karen Granger\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/20/2003 7:37:56 AM HS 62 C:\Documents and Settings\Karen Granger\Application Data\desktop.ini
12/7/2005 1:52:04 PM 68 C:\Documents and Settings\Karen Granger\Application Data\fc_location.txt
6/8/2004 11:55:44 AM H 0 C:\Documents and Settings\Karen Granger\Application Data\hpothb07.dat
6/8/2004 11:55:44 AM H 0 C:\Documents and Settings\Karen Granger\Application Data\hpothb07.tif
12/13/2005 2:58:06 PM 2235201 C:\Documents and Settings\Karen Granger\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 = 
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfxytxtf
{02071e9e-1413-44b8-91f4-3702d9d295f2} = C:\WINDOWS\System32\kfwmr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{8C504614-A455-4CBA-81B4-D279644B8A7D}
= tfaxext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio	: C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TouchED	C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
Pinger	c:\toshiba\ivp\ism\pinger.exe /run
Apoint	C:\Program Files\Apoint2K\Apoint.exe
AGRSMMSG	AGRSMMSG.exe
00THotkey	C:\WINDOWS\System32\00THotkey.exe
000StTHK	000StTHK.exe
igfxtray	C:\WINDOWS\System32\igfxtray.exe
igfxhkcmd	C:\WINDOWS\System32\hkcmd.exe
igfxpers	C:\WINDOWS\System32\igfxpers.exe
gcasServ	"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
winsync C:\WINDOWS\System32\pwcarc.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS	"C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe	C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/31/2005 11:53:17 AM


----------



## peterboy (Dec 15, 2005)

I had a problem with this program: when I try to open it, it says pavscrip.exe can't be found, so I tried viewing it with Notepad. Hope that's OK.

```vbscript
' Diagnostic script: dumps the HKLM Run key, the shell context-menu and column
' handlers loaded into Explorer, the contents of both Startup folders and the
' manufacturer of every .cpl in the System folder, then opens the report.
Option Explicit
Dim Def, Wshshell, FN, fso, Report, Msg, Mess
Dim strComputer, oReg, strKeyPath, arrSubKeys, subkey
Dim f, fc, f1, Q, cpl, Sys, Maker, pad

Const HKEY_CLASSES_ROOT = &H80000000
Const ForAppending = 8
Const SystemFolder = 1

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set Wshshell = WScript.CreateObject("WScript.Shell")

' Export the HKLM Run key to Report.txt (regedit /a writes ANSI), then append the rest.
Wshshell.Run "regedit /e /a Report.txt" & " " & "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", , True
Set Report = fso.OpenTextFile("Report.txt", ForAppending, True)

Report.WriteLine "-----------------"

' Context-menu handlers: each subkey's default value is a CLSID (or the subkey
' name is the CLSID); its InprocServer32 default value is the DLL Explorer loads.
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "*\shellex\ContextMenuHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys

On Error Resume Next   ' RegRead raises on missing values; treat those as blank
If IsArray(arrSubKeys) Then
    For Each subkey In arrSubKeys
        Err.Clear
        Def = Wshshell.RegRead("HKCR\" & strKeyPath & "\" & subkey & "\")
        FN = Wshshell.RegRead("HKCR\CLSID\" & Def & "\InprocServer32\")
        If FN = "" Then
            FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
        End If
        FN = Wshshell.ExpandEnvironmentStrings(FN)
        Msg = Msg & vbCrLf & "Subkey --- " & subkey & vbCrLf & Def & vbCrLf & FN & vbCrLf
        Err.Clear
        Def = ""
        FN = ""
    Next
End If
On Error GoTo 0

Report.WriteLine "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
Report.WriteLine
Report.Write Msg

'---------------------

Report.WriteLine
Report.WriteLine "====================="
Report.WriteLine

' Column handlers: here the subkey name itself is the CLSID.
strKeyPath = "Folder\shellex\ColumnHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys

On Error Resume Next
If IsArray(arrSubKeys) Then
    For Each subkey In arrSubKeys
        Err.Clear
        FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
        FN = Wshshell.ExpandEnvironmentStrings(FN)
        Mess = Mess & vbCrLf & "Subkey --- " & subkey & vbCrLf & FN & vbCrLf
        Err.Clear
        FN = ""
    Next
End If
On Error GoTo 0

Report.WriteLine "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers"
Report.WriteLine
Report.Write Mess

Report.WriteLine
Report.WriteLine "=============================="

' Everything in the All Users Startup folder, then in the current user's.
ListFolder Wshshell.SpecialFolders("AllUsersStartup")

'-----------------------------
Report.WriteLine "=============================="

ListFolder Wshshell.SpecialFolders("Startup")

'-----------------------------
Report.WriteLine "=============================="

' Control Panel applets in the System folder, with the manufacturer WMI reports.
Sys = fso.GetSpecialFolder(SystemFolder).Path

Report.WriteLine Sys & " cpl files"
Report.WriteLine

Set f = fso.GetFolder(Sys)
Set fc = f.Files
On Error Resume Next   ' a file WMI cannot open just gets a blank manufacturer
For Each f1 In fc
    If LCase(Right(f1.Name, 4)) = ".cpl" Then
        Q = Replace(f1.Path, "\", "\\")   ' WMI object paths need doubled backslashes
        Maker = ""
        Set cpl = GetObject("winmgmts:root\cimv2").Get("CIM_DataFile.Name=""" & Q & """")
        Maker = cpl.Manufacturer
        pad = 30 - Len(f1.Name)
        If pad < 1 Then pad = 1
        Report.Write vbCrLf & f1.Name & Space(pad) & Maker
        Err.Clear
    End If
Next
On Error GoTo 0

Report.Close
Wshshell.Run "Notepad Report.txt"

Set fso = Nothing
Set Report = Nothing
Set cpl = Nothing
Set f = Nothing
Set fc = Nothing
Set oReg = Nothing
Set Wshshell = Nothing

' Writes the folder path and the name of every file in it to the report.
Sub ListFolder(folderPath)
    Dim folder, file, names
    Report.WriteLine folderPath
    names = ""
    Set folder = fso.GetFolder(folderPath)
    For Each file In folder.Files
        names = names & file.Name & vbCrLf
    Next
    Report.WriteLine
    Report.Write names
End Sub
```


----------



## khazars (Feb 15, 2004)

Go to msconfig and re-check all the boxes which are unchecked, just to make sure there are no baddies in there!


Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.



C:\WINDOWS\SYSTEM32\TFTP2404
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oxjz.exe



Post another log!


----------



## khazars (Feb 15, 2004)

Wait, ignore the above post, I have got a file mistaken!


----------



## khazars (Feb 15, 2004)

OK, I have edited the post. I had done a search and pasted wreg.exe, which is a virus, and of course your file was swreg.exe; my mistake cutting and pasting!


----------



## peterboy (Dec 15, 2005)

I did a search on that file swreg.exe and found 2 of them and deleted them. Hope that's right. Please let me know how I'm doing: do I still have a virus, is my PC at risk, is it healthy?

Logfile of HijackThis v1.99.1
Scan saved at 2:04:05 PM, on 12/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## khazars (Feb 15, 2004)

This one keeps coming back, run these again!

Follow my instructions properly; if you miss any, the fix won't work. You must disable Microsoft AntiSpyware and Ewido's security guard!

Turn off Ewido's security guard, as it can interfere with the fixes!

Before you proceed with the removal directions below you need to turn off MS
Anti-Spyware's realtime protection as it will interfere with the changes we
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Do a Ctrl/Alt/Del and in Task Manager stop these processes if running.

pwcarc.exe

Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run

Make sure you use the delete on reboot method for killbox!

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\WINDOWS\System32\pwcarc.exe

Post another log.


----------



## peterboy (Dec 15, 2005)

Hi khazars, happy new year! Well, I did everything you told me right. Please let me know what's going on; how's my PC??

Logfile of HijackThis v1.99.1
Scan saved at 2:16:02 PM, on 1/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## khazars (Feb 15, 2004)

Clean log, and happy Ray Mears to ya too!

Is your computer running any better now?

You should now turn off System Restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.

How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get these two tools, SpywareGuard and SpywareBlaster,
from

http://www.javacoolsoftware.com/downloads.html

Get the hosts file from here.

http://www.mvps.org/winhelp2002/hosts.htm

Put it into:

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD. Puts over 5000 sites in your Restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

http://www.winpatrol.com/winpatrol.html

Use Spybot's Immunize button and use SpywareBlaster's Enable Protection
once you update it. You can put Spybot's hosts file into your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has
a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.

http://www.mozilla.org/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as 
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

You can mark your own thread solved through Thread Tools at the top of
the page.


----------



## peterboy (Dec 15, 2005)

Hi khazars, I downloaded all those spyware things; they're all on protection. My PC is working fine, but that file keeps coming back no matter what. I did everything right; it's good for like an hour, but then it comes back, that file pwcarc.exe. MS spyware blocks it when it comes up, so please, what's going on??

Logfile of HijackThis v1.99.1
Scan saved at 8:45:23 PM, on 1/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


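A mechanical way to see what this exchange shows (the [winsync] Run entry removed by the fix and back in the next log), as an added example that is not part of the thread, of HijackThis or of any tool mentioned in it. The log excerpts are constructed from the logs posted above, and the name/executable mismatch check is a triage heuristic of mine, not a HijackThis feature:

```python
"""Track autostart (O4) entries across successive HijackThis logs.

Added example for this thread (not from the forum or any tool it names):
parse the O4 line format, diff consecutive logs, report entries that were
removed and then came back, and flag Run values named unlike their binary.
"""
import re
from typing import Dict, List, Set, Tuple

# O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# First .exe in a command line, quoted or not.
EXE_RE = re.compile(r'([^\\/"]+)\.exe\b', re.IGNORECASE)

Entry = Tuple[str, str]  # (location, value name or .lnk name)


def parse_o4(log_text: str) -> Dict[Entry, str]:
    """Map every O4 line of a HijackThis log to {(location, name): command}."""
    entries: Dict[Entry, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries[(hive + "\\" + key, name)] = command.strip()
            continue
        m = STARTUP_RE.match(line)
        if m:
            folder, link, target = m.groups()
            entries[(folder, link)] = target.strip()
    return entries


def diff_o4(before: Dict[Entry, str], after: Dict[Entry, str]) -> Tuple[Set[Entry], Set[Entry]]:
    """(entries new in `after`, entries present in `before` but gone in `after`)."""
    return set(after) - set(before), set(before) - set(after)


def returning_entries(logs: List[str]) -> Set[Entry]:
    """Entries that vanished in one log and are present again in a later one."""
    parsed = [parse_o4(text) for text in logs]
    gone: Set[Entry] = set()
    back: Set[Entry] = set()
    for earlier, later in zip(parsed, parsed[1:]):
        added, removed = diff_o4(earlier, later)
        back |= added & gone  # removed by an earlier fix, now present again
        gone |= removed
    return back


def exe_stem(command: str) -> str:
    """Lower-cased executable name (no extension) from a Run command, or ""."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else ""


def name_mismatches(entries: Dict[Entry, str]) -> Set[Entry]:
    """Run-key entries whose value name shares nothing with the executable name.

    Heuristic only: vendor entries usually echo the binary (igfxhkcmd -> hkcmd.exe).
    """
    flagged: Set[Entry] = set()
    for (location, name), command in entries.items():
        if "Run" not in location:
            continue
        stem = exe_stem(command)
        label = name.lower().replace(".exe", "")
        if stem and label not in stem and stem not in label:
            flagged.add((location, name))
    return flagged


# Constructed excerpts of the three logs posted above: 12/31, 1/1 after the
# Killbox fix (entry gone), 1/1 evening (entry back, SpywareGuard added).
LOG_DEC31 = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
LOG_JAN1_PM = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
LOG_JAN1_EVE = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

if __name__ == "__main__":
    logs = [LOG_DEC31, LOG_JAN1_PM, LOG_JAN1_EVE]
    for loc, name in sorted(returning_entries(logs)):
        print(f"came back after removal: {loc} [{name}]")
    for loc, name in sorted(name_mismatches(parse_o4(logs[-1]))):
        print(f"value name unrelated to executable: {loc} [{name}]")
```

An entry that returns within an hour of a delete-on-reboot, as here, points at something else still running that re-creates it (the hidden service AproposFix later found), so the diff is a reason to keep looking rather than a cleanup result.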

----------



## khazars (Feb 15, 2004)

Apropos fix

You may want to print out these instructions for reference, since you will 
have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the 
Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the 
desktop. Open the aproposfix folder on your desktop and run RunThis.bat. 
Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a 
new HijackThis log, along with the entire contents of the log.txt file in 
the aproposfix folder.


----------



## khazars (Feb 15, 2004)

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.


----------



## peterboy (Dec 15, 2005)

OK, I did everything, including the Spy Sweeper.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:26 PM, on 1/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Log of AproposFix v1

************

Running from directory: 
C:\Documents and Settings\Karen Granger\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C1iesAC9ZXtm]
@="2DUuDWDdeedeefeNOE9PuLOdeedtge9z0u195e5bVWHPkjeGULYHUVeLphbGLVNfVbV"
"Device"="\\\\.\\klbWmDil"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\i80ydisk.sys"
"DriverName"="ParData"
"HideUninstallerName"="C:\\Program Files\\Quiicken\\capsprop.exe"
"HDll"="C:\\WINDOWS\\System32\\mdmcon07.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{Xce0916f-be85-3938-70d2-6aea82500a1d}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Quiicken\\accncapp.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\atmkbduk.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:12:19-16:53:27:031"

************

Removing hidden service: 
Service ParData removed.

Removing hidden folder: 
Deletion of folder Quiicken succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\i80ydisk.sys succeeded! 
Deletion of file C:\WINDOWS\System32\atmkbduk.exe succeeded! 
Deletion of file C:\WINDOWS\System32\mdmcon07.dll succeeded!

Backing up files: 
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C1iesAC9ZXtm]
[-HKEY_LOCAL_MACHINE\Software\C1iesAC9ZXtm]

Done!

Finished!


----------



## peterboy (Dec 15, 2005)

here's the Spy Sweeper log.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:40 PM, on 1/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

10:19 PM: | Start of Session, Sunday, January 01, 2006 |
10:19 PM: Spy Sweeper started
10:19 PM: Sweep initiated using definitions version 594
10:19 PM: Starting Memory Sweep
10:21 PM: Memory Sweep Complete, Elapsed Time: 00:01:51
10:21 PM: Starting Registry Sweep
10:21 PM: Found Adware: multidial
10:21 PM: HKCR\dialerr.dialerr\ (3 subtraces) (ID = 135344)
10:21 PM: HKLM\software\classes\dialerr.dialerr\ (3 subtraces) (ID = 135355)
10:21 PM: Found Trojan Horse: sdbot
10:21 PM: HKU\.default\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140594)
10:21 PM: Found Adware: clkoptimizer
10:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
10:21 PM: HKCR\dialerr.dialerr.1\ (3 subtraces) (ID = 661961)
10:21 PM: HKCR\icwconn.apprentice\ (5 subtraces) (ID = 661963)
10:21 PM: HKCR\icwconn.gifconvert\ (5 subtraces) (ID = 661968)
10:21 PM: HKCR\icwconn.ispdata\ (5 subtraces) (ID = 661973)
10:21 PM: HKCR\icwconn.walker\ (5 subtraces) (ID = 661978)
10:21 PM: HKCR\icwconn.webview\ (5 subtraces) (ID = 661983)
10:21 PM: HKCR\icwsystemconfig.icwsystemconfig\ (3 subtraces) (ID = 661988)
10:21 PM: HKCR\inshandler.inshandler\ (3 subtraces) (ID = 661992)
10:21 PM: HKCR\refdial.refdial\ (3 subtraces) (ID = 661996)
10:21 PM: HKCR\smartstart.smartstart\ (3 subtraces) (ID = 662000)
10:21 PM: HKCR\tapilocationinfo.tapilocationinfo\ (3 subtraces) (ID = 662004)
10:21 PM: HKCR\userinfo.userinfo\ (3 subtraces) (ID = 662008)
10:21 PM: HKCR\webgate.webgate\ (3 subtraces) (ID = 662012)
10:21 PM: HKCR\clsid\{462f7758-8848-11d1-add8-0000f87734f0}\control\ (ID = 662065)
10:21 PM: HKLM\software\classes\dialerr.dialerr.1\ (3 subtraces) (ID = 662143)
10:21 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
10:21 PM: HKLM\software\qstat\ || brr (ID = 877670)
10:21 PM: Found Adware: command
10:21 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
10:21 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
10:21 PM: Found Adware: coolwebsearch (cws)
10:21 PM: HKU\S-1-5-21-2880192093-366807815-226484545-1006\software\microsoft\internet explorer\sites\ (7 subtraces) (ID = 109822)
10:21 PM: Found Adware: drsnsrch.com hijack
10:21 PM: HKU\S-1-5-21-2880192093-366807815-226484545-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:21 PM: Found Adware: drsnsrch hijacker
10:21 PM: HKU\S-1-5-21-2880192093-366807815-226484545-1006\software\dsrch\ (11 subtraces) (ID = 509156)
10:21 PM: Found Adware: sidesearch
10:21 PM: HKU\S-1-5-21-2880192093-366807815-226484545-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:21 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:21 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140631)
10:21 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
10:21 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:21 PM: Registry Sweep Complete, Elapsed Time:00:00:15
10:21 PM: Starting Cookie Sweep
10:21 PM: Found Spy Cookie: 2o7.net cookie
10:21 PM: karen [email protected][1].txt (ID = 1957)
10:21 PM: Found Spy Cookie: yieldmanager cookie
10:21 PM: karen [email protected][2].txt (ID = 3751)
10:21 PM: Found Spy Cookie: adknowledge cookie
10:21 PM: karen [email protected][2].txt (ID = 2072)
10:21 PM: Found Spy Cookie: hbmediapro cookie
10:21 PM: karen [email protected][2].txt (ID = 2768)
10:21 PM: Found Spy Cookie: specificclick.com cookie
10:21 PM: karen [email protected][1].txt (ID = 3400)
10:21 PM: Found Spy Cookie: addynamix cookie
10:21 PM: karen [email protected][2].txt (ID = 2062)
10:21 PM: Found Spy Cookie: pointroll cookie
10:21 PM: karen [email protected][1].txt (ID = 3148)
10:21 PM: Found Spy Cookie: azjmp cookie
10:21 PM: karen [email protected][2].txt (ID = 2270)
10:21 PM: Found Spy Cookie: burstnet cookie
10:21 PM: karen [email protected][2].txt (ID = 2336)
10:21 PM: Found Spy Cookie: ru4 cookie
10:21 PM: karen [email protected][2].txt (ID = 3269)
10:21 PM: Found Spy Cookie: clickandtrack cookie
10:21 PM: karen [email protected][2].txt (ID = 2397)
10:21 PM: Found Spy Cookie: maxserving cookie
10:21 PM: karen [email protected][1].txt (ID = 2966)
10:21 PM: karen [email protected][1].txt (ID = 1958)
10:21 PM: Found Spy Cookie: partypoker cookie
10:21 PM: karen [email protected][2].txt (ID = 3111)
10:21 PM: Found Spy Cookie: overture cookie
10:21 PM: karen [email protected][1].txt (ID = 3106)
10:21 PM: Found Spy Cookie: realmedia cookie
10:21 PM: karen [email protected][1].txt (ID = 3235)
10:21 PM: Found Spy Cookie: rn11 cookie
10:21 PM: karen [email protected][2].txt (ID = 3261)
10:21 PM: Found Spy Cookie: adjuggler cookie
10:21 PM: karen [email protected][1].txt (ID = 2071)
10:21 PM: Found Spy Cookie: onestat.com cookie
10:21 PM: karen [email protected][2].txt (ID = 3098)
10:21 PM: Found Spy Cookie: statcounter cookie
10:21 PM: karen [email protected][2].txt (ID = 3447)
10:21 PM: Found Spy Cookie: reliablestats cookie
10:21 PM: karen [email protected][2].txt (ID = 3254)
10:21 PM: Found Spy Cookie: tradedoubler cookie
10:21 PM: karen [email protected][2].txt (ID = 3575)
10:21 PM: Found Spy Cookie: trafficmp cookie
10:21 PM: karen [email protected][2].txt (ID = 3581)
10:21 PM: Found Spy Cookie: tribalfusion cookie
10:21 PM: karen [email protected][1].txt (ID = 3589)
10:21 PM: Found Spy Cookie: webpower cookie
10:21 PM: karen [email protected][2].txt (ID = 3660)
10:21 PM: Found Spy Cookie: winantiviruspro cookie
10:21 PM: karen [email protected][1].txt (ID = 3689)
10:21 PM: Found Spy Cookie: burstbeacon cookie
10:21 PM: karen [email protected][1].txt (ID = 2335)
10:21 PM: Found Spy Cookie: myaffiliateprogram.com cookie
10:21 PM: karen [email protected][1].txt (ID = 3032)
10:21 PM: karen [email protected][2].txt (ID = 3749)
10:21 PM: Found Spy Cookie: adserver cookie
10:21 PM: karen [email protected][1].txt (ID = 2142)
10:21 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
10:21 PM: Starting File Sweep
10:22 PM: Found Adware: bookedspace
10:22 PM: pkaeueleya.cds (ID = 159038)
10:22 PM: fdtysff.ahp (ID = 159001)
10:22 PM: lonykzhhv.dab (ID = 159051)
10:22 PM: xfdhvpgs.uug (ID = 164367)
10:22 PM: nubnqkhceoy.rxu (ID = 158990)
10:22 PM: Found Adware: ietoolbar
10:22 PM: mbkwnst.exe (ID = 63431)
10:22 PM: kjxadff.nkt (ID = 159029)
10:23 PM: beflwmmw.jzn (ID = 159010)
10:23 PM: cbdyzgrsqo.yim (ID = 159015)
10:23 PM: owslppx.ouf (ID = 159046)
10:23 PM: kojujhoqgm.toj (ID = 159059)
10:24 PM: fofieax.xgu (ID = 164350)
10:24 PM: nynblechgwy.gfr (ID = 159023)
10:24 PM: qyipcmun.wru (ID = 164344)
10:24 PM: znkcawdrcta.czi (ID = 158997)
10:25 PM: swbizqnyzo.nav (ID = 164416)
10:26 PM: mmcxvqjrc.nff (ID = 158998)
10:27 PM: dzxvnyn.sls (ID = 164348)
10:27 PM: cdnyytzjbaf.nea (ID = 164416)
10:27 PM: bmmsfdv.lyk (ID = 158998)
10:27 PM: pobedrie.osd (ID = 164348)
10:27 PM: afhttzskwm.vju (ID = 159005)
10:27 PM: ntyrzpiikpb.lfq (ID = 164350)
10:27 PM: bvhjzekocea.nxf (ID = 159040)
10:27 PM: smhiynabn.dfi (ID = 164357)
10:27 PM: lwtshftmlh.szv (ID = 159013)
10:27 PM: mouvuugysl.bjq (ID = 159017)
10:27 PM: vytxezjk.iea (ID = 159027)
10:27 PM: hssugbg.rfu (ID = 158991)
10:28 PM: qzugqjts.cri (ID = 159030)
10:28 PM: qhqmive.jwr (ID = 159004)
10:28 PM: biykxatwbz.ltv (ID = 159003)
10:28 PM: xwwgxzwua.rtk (ID = 158995)
10:28 PM: vxphffyeqd.qlt (ID = 159020)
10:28 PM: itdpvfkob.rso (ID = 159037)
10:28 PM: imvrykjsocx.fcb (ID = 159016)
10:28 PM: nnqxutode.fdy (ID = 164403)
10:28 PM: kexnfmq.ynm (ID = 164398)
10:28 PM: lqextmg.dkn (ID = 164380)
10:28 PM: jikfvmh.kjf (ID = 158988)
10:28 PM: eryusdylhx.bfs (ID = 164351)
10:28 PM: bhxrzgdu.lri (ID = 159047)
10:28 PM: pckctlc.ged (ID = 159045)
10:28 PM: ynipjjfxuj.bfh (ID = 159060)
10:28 PM: ehmgkqvtngg.rkx (ID = 158986)
10:28 PM: zrolcucak.qag (ID = 164410)
10:28 PM: ypmqekpesdd.doi (ID = 159024)
10:28 PM: xujvnhyxx.fof (ID = 159019)
10:28 PM: tszdfml.ick (ID = 159056)
10:28 PM: hhskqcrul.flt (ID = 159014)
10:28 PM: utclvdt.nau (ID = 164392)
10:28 PM: lwgwajfb.kst (ID = 159058)
10:28 PM: qqnuzkwf.ggz (ID = 164404)
10:28 PM: iuribqgd.ums (ID = 164372)
10:28 PM: rdvulskdamr.rup (ID = 164377)
10:28 PM: nelwazes.gaj (ID = 159028)
10:28 PM: lbkqwxgraxy.smb (ID = 159005)
10:28 PM: bwhqhwtgb.phi (ID = 159030)
10:28 PM: twtrvxc.pvq (ID = 159061)
10:28 PM: fpxdycxr.xtz (ID = 164354)
10:28 PM: ssannhmbxc.shd (ID = 159012)
10:28 PM: fmtimcdueug.cvl (ID = 159025)
10:28 PM: vumeveovki.guq (ID = 164373)
10:28 PM: zzcnpvow.tsg (ID = 164390)
10:28 PM: xsatyinn.qfd (ID = 164342)
10:28 PM: rktloaazku.cwn (ID = 159004)
10:28 PM: mwnefwct.ixb (ID = 159003)
10:28 PM: crfuytcvfz.iky (ID = 159026)
10:28 PM: ptmhpcvmy.ysh (ID = 164415)
10:29 PM: vkbjczbek.omx (ID = 158995)
10:29 PM: mkbehilijfs.dsd (ID = 159018)
10:29 PM: wyqxrfie.jdp (ID = 159020)
10:29 PM: eucpyqfr.iyx (ID = 159037)
10:29 PM: mmomden.zxx (ID = 158994)
10:29 PM: pdzoiifzn.pca (ID = 164408)
10:29 PM: xqqrlrlb.btg (ID = 159031)
10:29 PM: wfkeevl.sxn (ID = 159035)
10:29 PM: ppljzgy.ufa (ID = 159016)
10:29 PM: ynoqkywgfm.mfd (ID = 164403)
10:29 PM: nmrgeod.bod (ID = 164398)
10:29 PM: moaxpex.fpj (ID = 164380)
10:30 PM: arcwfef.zub (ID = 158987)
10:30 PM: buqxlgpgdv.amm (ID = 159052)
10:30 PM: kvbrdhj.sbt (ID = 159001)
10:30 PM: ppwapnh.nvv (ID = 159051)
10:30 PM: xblayqkw.gde (ID = 164367)
10:30 PM: fayyfnafkuj.tze (ID = 158990)
10:30 PM: ioikqlolly.eph (ID = 159029)
10:30 PM: dznbmbcauy.jkz (ID = 159010)
10:30 PM: hccmvdqki.cwr (ID = 159015)
10:30 PM: ubqmxdbzol.gpp (ID = 159046)
10:30 PM: cufylvk.szu (ID = 159059)
10:30 PM: bjhkukt.vmd (ID = 159023)
10:30 PM: eiqcadmpa.lbc (ID = 164344)
10:31 PM: cqclangoc.hbe (ID = 158997)
10:31 PM: holxpjl.gff (ID = 159040)
10:31 PM: qfuxzigo.iix (ID = 164357)
10:31 PM: zsaecvjnm.tpp (ID = 159013)
10:31 PM: ojhqgykpqth.rmr (ID = 159017)
10:32 PM: xqhmunjx.mec (ID = 159027)
10:32 PM: tmtvxcwvn.zww (ID = 158988)
10:32 PM: ktupegc.bbc (ID = 158991)
10:32 PM: hsctazkcifh.qlt (ID = 164351)
10:32 PM: nmnoovjbzni.mez (ID = 159047)
10:32 PM: ignytalnf.jlk (ID = 159045)
10:32 PM: ioihvnrhw.caq (ID = 159060)
10:32 PM: mwtficmye.dhs (ID = 158986)
10:32 PM: msgvbwm.rda (ID = 164361)
10:32 PM: zkhnyqpxqkz.dix (ID = 164410)
10:32 PM: ohelypjtlq.xyg (ID = 159024)
10:33 PM: edsbvsdb.smf (ID = 159019)
10:33 PM: yrxkkjlokwv.urf (ID = 159056)
10:33 PM: uignqqumn.bdk (ID = 159014)
10:33 PM: vcrixgaw.fqe (ID = 159058)
10:33 PM: khviwui.mpc (ID = 164404)
10:35 PM: keupctyc.cpt (ID = 164372)
10:35 PM: zrogergm.orc (ID = 164377)
10:35 PM: kvjbfpbyrq.jkd (ID = 159028)
10:36 PM: glzgustoa.hop (ID = 159061)
10:36 PM: bbvkocwf.etn (ID = 164354)
10:36 PM: xiayizlgpv.hvv (ID = 159012)
10:36 PM: gpyddomh.dbu (ID = 159025)
10:36 PM: nmsgspmsk.lgo (ID = 164373)
10:36 PM: ufemaiy.xhr (ID = 164390)
10:36 PM: ygzvixnplv.fcg (ID = 164342)
10:36 PM: skvtwirg.ajo (ID = 159026)
10:36 PM: qzuzepyrux.vyl (ID = 164415)
10:36 PM: kmwgackod.abt (ID = 159018)
10:36 PM: oajcuyey.wze (ID = 158994)
10:36 PM: gotnkwa.exm (ID = 164408)
10:36 PM: poavinzj.vaa (ID = 159031)
10:36 PM: znrnfvh.jcs (ID = 159035)
10:37 PM: uzftwap.erb (ID = 158987)
10:37 PM: yawtrdsmgiw.pgo (ID = 159052)
10:37 PM: vlyqcbmj.arl (ID = 164392)
10:37 PM: mbkwnst.inf (ID = 63433)
10:37 PM: Warning: Invalid Stream
10:37 PM: Warning: Invalid Stream
10:38 PM: Warning: Unhandled Archive Type
10:38 PM: File Sweep Complete, Elapsed Time: 00:17:05
10:38 PM: Full Sweep has completed. Elapsed time 00:19:17
10:38 PM: Traces Found: 299
10:49 PM: Removal process initiated
10:49 PM: Quarantining All Traces: clkoptimizer
10:49 PM: Quarantining All Traces: sdbot
10:49 PM: Quarantining All Traces: coolwebsearch (cws)
10:49 PM: Quarantining All Traces: sidesearch
10:49 PM: Quarantining All Traces: bookedspace
10:49 PM: Quarantining All Traces: command
10:49 PM: Quarantining All Traces: drsnsrch hijacker
10:49 PM: Quarantining All Traces: drsnsrch.com hijack
10:49 PM: Quarantining All Traces: ietoolbar
10:49 PM: Quarantining All Traces: multidial
10:50 PM: Quarantining All Traces: 2o7.net cookie
10:50 PM: Quarantining All Traces: addynamix cookie
10:50 PM: Quarantining All Traces: adjuggler cookie
10:50 PM: Quarantining All Traces: adknowledge cookie
10:50 PM: Quarantining All Traces: adserver cookie
10:50 PM: Quarantining All Traces: azjmp cookie
10:50 PM: Quarantining All Traces: burstbeacon cookie
10:50 PM: Quarantining All Traces: burstnet cookie
10:50 PM: Quarantining All Traces: clickandtrack cookie
10:50 PM: Quarantining All Traces: hbmediapro cookie
10:50 PM: Quarantining All Traces: maxserving cookie
10:50 PM: Quarantining All Traces: myaffiliateprogram.com cookie
10:50 PM: Quarantining All Traces: onestat.com cookie
10:50 PM: Quarantining All Traces: overture cookie
10:50 PM: Quarantining All Traces: partypoker cookie
10:50 PM: Quarantining All Traces: pointroll cookie
10:50 PM: Quarantining All Traces: realmedia cookie
10:50 PM: Quarantining All Traces: reliablestats cookie
10:50 PM: Quarantining All Traces: rn11 cookie
10:50 PM: Quarantining All Traces: ru4 cookie
10:50 PM: Quarantining All Traces: specificclick.com cookie
10:50 PM: Quarantining All Traces: statcounter cookie
10:50 PM: Quarantining All Traces: tradedoubler cookie
10:50 PM: Quarantining All Traces: trafficmp cookie
10:50 PM: Quarantining All Traces: tribalfusion cookie
10:50 PM: Quarantining All Traces: webpower cookie
10:50 PM: Quarantining All Traces: winantiviruspro cookie
10:50 PM: Quarantining All Traces: yieldmanager cookie
10:50 PM: Removal process completed. Elapsed time 00:00:44
********
10:09 PM: | Start of Session, Sunday, January 01, 2006 |
10:09 PM: Spy Sweeper started
10:11 PM: Hosts file is too large.
10:19 PM: | End of Session, Sunday, January 01, 2006 |


----------



## khazars (Feb 15, 2004)

yip that seems to have got it! 

clean log, everything ok now?


----------



## peterboy (Dec 15, 2005)

wow, great, thanks a lot, you're #1. I hope that's it, my pc seems to be running good. OK, now if you can please help me out with my other pc. It's a Dell Inspiron 1100 and it's running really bad: it takes really long to load at start up, "not responding" errors, it's real slow, must be some major virus or something, so please let me know what to do. I tried to scan with ewido but it takes real long and then it gives me an "encountered a problem, must close". I get that with a lot of things, so here's the log at least.


----------



## khazars (Feb 15, 2004)

ok, post the log for the other pc, let me know when you post the log that it's a different computer!


----------



## peterboy (Dec 15, 2005)

I had trouble logging in on my other pc. I tried with my name and it didn't work, I tried registering and I couldn't get a password, the email didn't come in, so I just had the HijackThis log sent to my old pc. So this is my first pc we were working on, but this is the HijackThis log from my second pc, a Dell Inspiron 1100.

Logfile of HijackThis v1.99.1
Scan saved at 4:18:25 PM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Network\network.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\112538~2\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cisvc.exe
C:\program files\SSND\SSND.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\COMMON~1\AOL\112538~2\EE\AOLServiceHost.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtut.dll
O2 - BHO: (no name) - {88C88CBE-154B-4C08-81BC-D488868A1AEF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125385294\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SSND] c:\program files\SSND\SSND.exe 439
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O20 - Winlogon Notify: awtut - C:\WINDOWS\System32\awtut.dll
O21 - SSODL: HEGCCBGE - {65D51F7F-32D4-0D09-023A-15E7450F6D3B} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFSSVRUQSAgUk9TUw\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


----------



## khazars (Feb 15, 2004)

ok, you have most of the tools already but this has a different infection. You can download these tools onto your pc and transfer them to the other computer, you can fit vundo.fix on a floppy and transfer it to the infected pc if you can get into it?

Click Start > Run > and type in:

services.msc

Click OK.

In the Services window find Command Service.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Please download VundoFix.exe to your desktop.

http://www.atribune.org/downloads/VundoFix.exe

* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
* You will first be presented with a warning and a list of forums to seek help at.
it should look like this



> VundoFix V2.1 by Atri
> By pressing enter you agree that you are using this at your own risk
> Please seek assistance at one of the following forums:
> http://www.atribune.org/forums
> ...


* At this point press enter one time.
* Next you will see:



> Type in the filepath as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.


* At this point please type the following file path (make sure to enter it exactly as below!):
o C:\WINDOWS\system32\geebc.dll
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* Next you will see:



> Please type in the second filepath as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.


* At this point please type the following file path (make sure to enter it exactly as below!):

o C:\WINDOWS\System32\tutwa.*

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
* The fix will run then HijackThis will open.
* In HiJackThis, please place a check next to the following items and click FIX CHECKED:

o O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtut.dll
o O20 - Winlogon Notify: awtut - C:\WINDOWS\System32\awtut.dll

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {88C88CBE-154B-4C08-81BC-D488868A1AEF} - (no file)
O21 - SSODL: HEGCCBGE - {65D51F7F-32D4-0D09-023A-15E7450F6D3B} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFSSVRUQSAgUk9TUw\command.exe (file missing)

* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

http://www.stevengould.org/software...p/download.html

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Find and delete this folder

C:\WINDOWS\TWFSSVRUQSAgUk9TUw

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Then, please run this online virus scan: ActiveScan

http://www.pandasoftware.com/products/activescan.htm

Copy the results of the ActiveScan and paste them here along with a new 
HiJackThis log and the vundofix.txt file from the vundofix folder into this 
topic.


----------
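The HijackThis entries khazars asks to have fixed above share a few recognisable traits: registrations whose target file is gone ("(no file)", "(file missing)"), Internet Explorer start and search values blanked to about:blank or an empty string, a BHO with no name, a service with no publisher, and one DLL (awtut.dll) registered both as a BHO (O2) and as a Winlogon Notify handler (O20). A Winlogon Notify DLL is loaded by winlogon.exe at logon, so a plain delete of that file fails while it is loaded. The script below is an added example, not part of the original post and not code from HijackThis: it parses HijackThis v1.99-style log lines and flags every entry showing at least one of those traits. The sample log is constructed from lines quoted on this page, and the trait list is a heuristic; an analyst still has to judge each hit.

```python
import re
from dataclasses import dataclass, field

# One HijackThis v1.99 log entry: "<section> - <body>", e.g. "O20 - Winlogon Notify: awtut - C:\...\awtut.dll"
HJT_ENTRY = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")

# Constructed sample: entries quoted in this thread plus a few benign ones from the same log
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtut.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: awtut - C:\WINDOWS\System32\awtut.dll
O21 - SSODL: HEGCCBGE - {65D51F7F-32D4-0D09-023A-15E7450F6D3B} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFSSVRUQSAgUk9TUw\command.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list = field(default_factory=list)


def _target(body: str) -> str:
    """HijackThis separates fields with ' - '; the last field is the file the entry points at."""
    return body.rsplit(" - ", 1)[-1].strip().lower()


def triage_hijackthis(log_text: str) -> list:
    entries = []
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))

    # Pass 1: which DLLs are hooked in more than one way (BHO and Winlogon Notify)?
    hooks_per_dll = {}
    for section, body in entries:
        target = _target(body)
        if section in ("O2", "O20") and target.endswith(".dll"):
            hooks_per_dll.setdefault(target, set()).add(section)

    # Pass 2: apply the traits and keep every entry that shows at least one
    findings = []
    for section, body in entries:
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned registration: the target file no longer exists")
        if section in ("R0", "R1"):
            value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
            if value in ("", "about:blank") or value.endswith("blank.htm"):
                reasons.append("IE start/search value blanked (hijacker residue)")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon, so a plain delete fails while loaded")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        if section in ("O2", "O20") and len(hooks_per_dll.get(_target(body), ())) > 1:
            reasons.append("same DLL registered as both BHO and Winlogon Notify")
        if reasons:
            findings.append(Finding(section, f"{section} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_LOG):
        print(finding.entry)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run it on a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the two awtut.dll entries come back with the shared-DLL reason, which is the pattern the VundoFix steps above are built around.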



## khazars (Feb 15, 2004)

Make sure you disable both ewido's security guard and Microsoft AntiSpyware before running the fixes, and then re-enable them when we're finished!


----------



## peterboy (Dec 15, 2005)

Hi khazars, well I tried my best. I couldn't get to Safe Mode so I just did it in normal mode. Well, here are the results:
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\geebc.dll

The second filepath entered was c:\windows\ststem32\tutwa.

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 380 'smss.exe'

Killing PID 964 'explorer.exe'

Killing PID 460 'winlogon.exe'
Killing PID 460 'winlogon.exe'
Killing PID 460 'winlogon.exe'
--------------------------------------------------------------------------------------

c:\windows\system32\geebc.dll Deleted sucessfully.
c:\windows\ststem32\tutwa. Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Incident Status Location

Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\system32.dll 
Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll 
Adware:adware/topspyware Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\frame.exe 
Adware:adware/wupd Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll 
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall5_64.exe 
Adware:adware/quicksearch Not disinfected C:\PROGRAM FILES\QuickSearch 
Adware:adware/cws.yexe Not disinfected C:\WINDOWS\inet20009 
Adware:adware/comet Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\Starware 
Spyware:spyware/virtumonde Not disinfected Windows Registry 
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\backups\backup-20060102-215001-356.dll 
Adware:Adware/Gator Not disinfected C:\Documents and Settings\MaRITTA ROSS\My Documents\Downloaded Program Files\HDPlugin1100.dll 
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\system32.dll[gui.exe] 
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll] 
Adware:Adware/Maxifiles Not disinfected C:\Program Files\DNS\cwebpage.dll 
Possible Virus. Not disinfected C:\q500152.exe  
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\1ljv1.sys 
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll 
Virus:Trj/Agent.EY Not disinfected C:\WINDOWS\Downloaded Program Files\frame.exe 
Adware:Adware/WUpd Not disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll 
Virus:Trj/Delf.PR Not disinfected C:\WINDOWS\inet20009\alg.exe.bak 
Virus:Trj/Pintxatore.K Not disinfected C:\WINDOWS\inet20009\mm4.exe.bak 
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall5_64.exe 
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_38-1.exe 
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_38.exe 
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_90.exe 
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\1ljv1.sys 
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\4ym9x.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\aqgfoe.exe  
Virus:W32/Korgo.U.worm Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\x[1].exe 
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\SYSTEM32\ddcba.dll 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\Efhbek32.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\fscmvq.exe 
Virus:W32/Korgo.U.worm Not disinfected C:\WINDOWS\SYSTEM32\ftpupd.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\gfhjal.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\hczycn.exe 
Virus:W32/Korgo.BI.worm Not disinfected C:\WINDOWS\SYSTEM32\HEGCCBGE.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\hmhifp.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\kkasvw.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\mhembl.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\nqduxw.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\phqghu.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\pooefx.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\repggx.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\rpnrvy.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\scxggb.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\sgibci.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\smhjvn.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\snitck.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\ueibic.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\ulrccx.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\urcitw.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\vevlyd.exe 
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\wnm.dll  
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\wpxqyu.exe 
Virus:W32/Korgo.BF.worm Not disinfected C:\WINDOWS\SYSTEM32\wwmtyk.exe

Logfile of HijackThis v1.99.1
Scan saved at 1:34:22 AM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Network\network.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SSND] c:\program files\SSND\SSND.exe 568
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


----------



## khazars (Feb 15, 2004)

Wow, some amount of viruses in that log!

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

* Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Download Cleanup from here

http://www.stevengould.org/software/cleanup/download.html

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\PROGRAM FILES\COMMON FILES\system32.dll
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\frame.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
C:\WINDOWS\NDNuninstall5_64.exe
C:\PROGRAM FILES\QuickSearch
C:\WINDOWS\inet20009
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\Starware
C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\backups\backup-20060102-215001-356.dll
C:\Documents and Settings\MaRITTA ROSS\My Documents\Downloaded Program Files\HDPlugin1100.dll
C:\Program Files\Common Files\system32.dll[gui.exe]
C:\Program Files\Common Files\system32.dll[cwebpage.dll]
C:\Program Files\DNS\cwebpage.dll
C:\q500152.exe
C:\WINDOWS\1ljv1.sys
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\frame.exe
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
C:\WINDOWS\inet20009\alg.exe.bak
C:\WINDOWS\inet20009\mm4.exe.bak
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_38-1.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall6_90.exe
C:\WINDOWS\SYSTEM32\1ljv1.sys
C:\WINDOWS\SYSTEM32\4ym9x.exe
C:\WINDOWS\SYSTEM32\aqgfoe.exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\x[1].exe
C:\WINDOWS\SYSTEM32\ddcba.dll
C:\WINDOWS\SYSTEM32\Efhbek32.exe
C:\WINDOWS\SYSTEM32\fscmvq.exe
C:\WINDOWS\SYSTEM32\ftpupd.exe
C:\WINDOWS\SYSTEM32\gfhjal.exe
C:\WINDOWS\SYSTEM32\hczycn.exe
C:\WINDOWS\SYSTEM32\HEGCCBGE.exe
C:\WINDOWS\SYSTEM32\hmhifp.exe
C:\WINDOWS\SYSTEM32\kkasvw.exe
C:\WINDOWS\SYSTEM32\mhembl.exe
C:\WINDOWS\SYSTEM32\nqduxw.exe
C:\WINDOWS\SYSTEM32\phqghu.exe
C:\WINDOWS\SYSTEM32\pooefx.exe
C:\WINDOWS\SYSTEM32\repggx.exe
C:\WINDOWS\SYSTEM32\rpnrvy.exe
C:\WINDOWS\SYSTEM32\scxggb.exe
C:\WINDOWS\SYSTEM32\sgibci.exe
C:\WINDOWS\SYSTEM32\smhjvn.exe
C:\WINDOWS\SYSTEM32\snitck.exe
C:\WINDOWS\SYSTEM32\ueibic.exe
C:\WINDOWS\SYSTEM32\ulrccx.exe
C:\WINDOWS\SYSTEM32\urcitw.exe
C:\WINDOWS\SYSTEM32\vevlyd.exe
C:\WINDOWS\SYSTEM32\wnm.dll
C:\WINDOWS\SYSTEM32\wpxqyu.exe
C:\WINDOWS\SYSTEM32\wwmtyk.exe

* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once its done, close the program.

Reboot to normal mode and run a few online scans!

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Choose the extended database for the scan!

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, plus the ewido and ActiveScan logs.


----------
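khazars built the Killbox list above by copying every "Not disinfected" location out of the ActiveScan output by hand. Two kinds of entry in that output cannot be handled by a file-deletion tool at all: registry items ("Windows Registry", and HKEY_CLASSES_ROOT\... keys in the follow-up scan) and container notation such as system32.dll[gui.exe], where ActiveScan names a file packed inside another one (ewido writes the same item as system32.dll/gui.exe in the later report). The ewido report in the opening post shows a third case: a DLL found loaded in a process ([496] ... Error during cleaning) is locked and only goes away on reboot, which is why the same report then lists a __delete_on_reboot__ copy. The script below is an added example, not code from this thread or from either scanner vendor: it parses both report formats, drops items already cleaned, dedupes case-insensitively (ActiveScan lists frame.exe twice with different capitalisation), and sorts what remains into plain files, containers, registry items and in-memory hits. Reading the bracket and slash suffixes as container notation is my interpretation of the two reports, not documented vendor syntax; the sample input is constructed from lines quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Panda ActiveScan line: "<Incident> <Status> <Location>"
PANDA = re.compile(r"^(?P<detection>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+?)\s*$")
# ewido line: "[pid] <Location> -> <Detection> : <Status>"; the [pid] prefix appears on memory-scan hits
EWIDO = re.compile(r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<location>.+?) -> (?P<detection>\S+) : (?P<status>.+?)\s*$")
# "container[member]" (ActiveScan) or "container/member" (ewido): an item packed inside another file.
# Assumption drawn from the two reports on this page, not documented vendor syntax.
CONTAINER = re.compile(r"^(?P<container>.+?\.[A-Za-z0-9]{1,4})(?:\[(?P<m1>[^\]]+)\]|/(?P<m2>.+))$")
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")
RESOLVED = ("Disinfected", "Cleaned with backup")

# Constructed samples: lines taken from the reports quoted in this thread
PANDA_SAMPLE = r"""
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\system32.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Adware:adware/topspyware Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\frame.exe
Virus:Trj/Agent.EY Not disinfected C:\WINDOWS\Downloaded Program Files\frame.exe
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\SYSTEM32\ueibic.exe
Possible Virus. Not disinfected C:\q500152.exe
"""
EWIDO_SAMPLE = r"""
[496] C:\WINDOWS\g1938828.dll -> Downloader.Delf.zu : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
C:\!KillBox\system32.dll/gui.exe -> Downloader.Agent.rv : Error during cleaning
C:\!KillBox\aqgfoe.exe -> Worm.Padobot.z : Cleaned with backup
"""


@dataclass
class Hit:
    location: str
    detection: str
    status: str
    pid: Optional[int] = None   # set when the scanner found the item loaded in a process

    @property
    def resolved(self) -> bool:
        return self.status in RESOLVED


def parse_report(text: str) -> list:
    """Parse ActiveScan and ewido result lines into Hit records; unrelated lines are ignored."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EWIDO.match(line) or PANDA.match(line)
        if m:
            d = m.groupdict()
            pid = int(d["pid"]) if d.get("pid") else None
            hits.append(Hit(d["location"], d["detection"], d["status"], pid))
    return hits


def is_registry(location: str) -> bool:
    return location == "Windows Registry" or location.upper().startswith(REGISTRY_PREFIXES)


def triage(*reports: str) -> dict:
    """Sort unresolved hits into what a file-kill tool can act on and what it cannot."""
    work = {"files": [], "containers": [], "registry": [], "loaded": []}
    seen = set()
    for text in reports:
        for hit in parse_report(text):
            if hit.resolved:
                continue
            if is_registry(hit.location):
                bucket, target = "registry", hit.location
            elif (c := CONTAINER.match(hit.location)):
                bucket, target = "containers", c.group("container")   # delete the outer file
            else:
                bucket, target = "files", hit.location
            key = (bucket, target.lower())     # ActiveScan repeats paths with different case
            if key in seen:
                continue
            seen.add(key)
            work[bucket].append(target)
            if hit.pid is not None:            # locked in memory: delete-on-reboot territory
                work["loaded"].append((target, hit.pid))
    return work


def killbox_paths(work: dict) -> list:
    """Paths for a file-deletion tool: plain files plus the containers holding packed members.
    Registry items are left out; they need a registry fix, not a file delete."""
    out, seen = [], set()
    for path in work["files"] + work["containers"]:
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


if __name__ == "__main__":
    work = triage(PANDA_SAMPLE, EWIDO_SAMPLE)
    print("paste into Killbox:", *killbox_paths(work), sep="\n  ")
    print("needs a registry fix:", *work["registry"], sep="\n  ")
    print("loaded in a process (expect delete-on-reboot):", work["loaded"])
```

Feed it the saved ActiveScan and ewido reports in place of the two samples and the Killbox list writes itself, with the registry keys and the in-memory hit called out separately so they are not silently skipped.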



## peterboy (Dec 15, 2005)

Hi there. Well, I tried my best, I did everything, but I can't get into Safe Mode, so I hope it doesn't matter that much. The PC is still running slow, not running well; the CPU usage is always high.

Incident Status Location

Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll._ 
Potentially unwanted tool:application/mywebsearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr 
Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf 
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall7_14.exe 
Potentially unwanted tool:application/zango Not disinfected C:\PROGRAM FILES\Zango 
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\InetGet 
Potentially unwanted tool:application/regclean32 Not disinfected HKEY_CURRENT_USER\SOFTWARE\REGISTRY CLEANER 
Spyware:spyware/virtumonde Not disinfected Windows Registry 
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179} 
Adware:adware/wupd Not disinfected Windows Registry 
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\MaRITTA ROSS\Cookies\maritta [email protected][1].txt 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\system32.dll[gui.exe] 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\system32.dll[cwebpage.dll] 
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\MaRITTA ROSS\Cookies\maritta [email protected][1].txt 
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\backups\backup-20060102-215001-356.dll 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MaRITTA ROSS\Desktop\VundoFix\VundoFix\process.exe 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf  
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr 
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\SYSTEM32\ueibic.exe 
Virus:W32/Korgo.BF.worm Disinfected C:\WINDOWS\SYSTEM32\ulrccx.exe

+ Created on: 5:34:12 PM, 1/4/2006
+ Report-Checksum: 3950E976

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
C:\!KillBox\1ljv1.sys -> Trojan.Kolweb.e : Cleaned with backup
C:\!KillBox\4ym9x.exe -> Trojan.Kolweb.e : Cleaned with backup
C:\!KillBox\aqgfoe.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\ddcba.dll -> Downloader.Small.bpk : Cleaned with backup
C:\!KillBox\Efhbek32.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\frame.exe -> Downloader.Agent.ho : Cleaned with backup
C:\!KillBox\fscmvq.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\ftpupd.exe -> Worm.Padobot.m : Cleaned with backup
C:\!KillBox\gfhjal.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\hczycn.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\!KillBox\HEGCCBGE.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\hmhifp.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\inet20009\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\!KillBox\inet20009\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
C:\!KillBox\kkasvw.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\!KillBox\mhembl.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned with backup
C:\!KillBox\NDNuninstall6_38-1.exe -> Spyware.NewDotNet : Cleaned with backup
C:\!KillBox\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\!KillBox\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup
C:\!KillBox\nqduxw.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\phqghu.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\pooefx.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\repggx.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\rpnrvy.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\scxggb.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\sgibci.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\smhjvn.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\snitck.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\system32.dll/gui.exe -> Downloader.Agent.rv : Error during cleaning
C:\!KillBox\urcitw.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\vevlyd.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\wnm.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\!KillBox\wpxqyu.exe -> Worm.Padobot.z : Cleaned with backup
C:\!KillBox\wwmtyk.exe -> Worm.Padobot.z : Cleaned with backup
C:\Documents and Settings\MaRITTA ROSS\b.exe -> Downloader.VB.up : Cleaned with backup
C:\Documents and Settings\MaRITTA ROSS\Cookies\maritta [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-200454190-714184247-1501281460-1007\Dc4.dll -> Adware.Gator : Cleaned with backup
C:\RECYCLER\S-1-5-21-200454190-714184247-1501281460-1007\Dc5.bak -> Proxy.Delf.an : Cleaned with backup
C:\RECYCLER\S-1-5-21-200454190-714184247-1501281460-1007\Dc6.exe -> Worm.Padobot.m : Cleaned with backup
C:\RECYCLER\S-1-5-21-200454190-714184247-1501281460-1007\Dc7.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP122\A0149820.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP122\A0149825.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP122\A0149831.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0150831.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0151831.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0151850.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0152850.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0152858.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154858.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154895.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154901.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154923.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154934.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP123\A0154941.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0154951.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0154995.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155001.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155007.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155014.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155020.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155032.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155039.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0155046.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0156046.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0157046.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0157055.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0157061.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0158061.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0158077.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0159077.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0159092.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0159097.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0159163.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0159164.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0159165.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0159169.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0160168.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0161168.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0161174.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0161209.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0162209.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0163209.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0163219.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0163258.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0163267.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0164267.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0164272.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0164276.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0164280.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164314.exe -> Dropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164315.exe -> Downloader.Agent.rv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164316.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164317.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164318.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164319.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164320.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164326.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164327.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0165326.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0166326.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0166368.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0168367.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0168381.exe -> Downloader.Small.bqq : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0168382.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0169397.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0169408.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0169417.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0170417.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0170425.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0171425.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0171468.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0171484.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0172483.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0172496.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0172533.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0173533.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0173541.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0174541.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0174549.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0174562.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0175557.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0176557.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0176573.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0176574.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0176575.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP129\A0176592.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP129\A0176599.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP129\A0176606.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP129\A0176615.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP129\A0177615.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP130\A0177655.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Informat

Logfile of HijackThis v1.99.1
Scan saved at 8:52:45 PM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Network\network.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SSND] c:\program files\SSND\SSND.exe 141
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


----------



## khazars (Feb 15, 2004)

Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.

O4 - HKCU\..\Run: [SSND] c:\program files\SSND\SSND.exe 141

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box.Then click yes 
to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

c:\program files\SSND\SSND.exe 141
c:\program files\SSND
C:\WINDOWS\SYSTEM32\atmtd.dll._
Potentially unwanted tool:application/mywebsearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
C:\WINDOWS\NDNuninstall7_14.exe
C:\PROGRAM FILES\Zango
C:\PROGRAM FILES\COMMON FILES\InetGet
Potentially unwanted tool:application/regclean32 
C:\Documents and Settings\MaRITTA ROSS\Cookies\maritta [email protected][1].txt
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf

Reboot to normal mode and run these tools!

Go to this site and download these tools. Once you have both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk 
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what Spybot finds marked in red. After updating Spybot, hit the 
Immunize button.

Reboot again.

With CWShredder, close all browsers and programmes and select the FIX button.

All tools can be downloaded at the link below and found on that page!

. Trend micro CWShredder
. SpyBot search and destroy
. AdAware SE personal

http://www.majorgeeks.com/downloads31.html

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Run an online antivirus check from at least one, and preferably two, of the following sites:
http://housecall.trendmicro.com/. Do the full scan for spyware and viruses.

Make sure autoclean is enabled on the scans.

If it says any files can't be cleaned, delete them.

Also post a new HijackThis log and the HouseCall log.
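Reading a HijackThis log by hand, as the helper does above, comes down to a few recurring checks: registered components whose file is gone ("(file missing)" / "(no file)"), Run entries naming things already identified as unwanted, sites added to the Trusted Zone (O15), ActiveX downloads (O16) registered without a class name, and services (O23) with no vendor string. The script below is an added example of mine, not code from this thread or from HijackThis; it applies those checks to lines copied from the logs posted in this thread. The KNOWN_BAD list is an assumption built from the names the helper told the poster to remove (SSND) and that ewido later classified as spyware (MyWebSearch); extend it for your own log.

```python
import re

# Lines copied from the HijackThis logs posted in this thread (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SSND] c:\program files\SSND\SSND.exe 141
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: names singled out in this thread (SSND by the helper, MyWebSearch
# by ewido). This is a starting list, not a complete signature set.
KNOWN_BAD = ("ssnd", "mywebsearch")

# "O4 - <body>", "R1 - <body>", ... ; the section code tells you what kind of hook it is
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# O16 DPF entry that carries a friendly class name in parentheses before the URL
DPF_NAMED_RE = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}\s+\(.+?\)\s+-\s+")


def triage(log_text):
    """Return [(section, body, [reasons])] for the entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" block, blanks
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower or "(no file)" in lower:
            reasons.append("orphaned entry: registered component has no file on disk")
        if any(bad in lower for bad in KNOWN_BAD):
            reasons.append("matches a name flagged earlier in this thread")
        if section == "O15":
            reasons.append("site added to the Trusted Zone: IE relaxes its security for it")
        if section == "O16" and not DPF_NAMED_RE.match(body):
            reasons.append("ActiveX download with no registered class name")
        if section == "O23" and "unknown owner" in lower:
            reasons.append("service with no vendor string")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

Entries that pass every check (gcasServ, the Panda ActiveScan control, iPodService) are not printed; a flagged entry can carry more than one reason, as the MyWebSearch BHO does.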


----------



## peterboy (Dec 15, 2005)

Hi khazars, I can't get a result from HouseCall. I tried a couple of times and it takes like 4 hours; I almost had it but I got a Windows close error. Here are the results from the other stuff:
1:08 PM: | Start of Session, Thursday, January 05, 2006 |
1:08 PM: Spy Sweeper started
1:08 PM: Sweep initiated using definitions version 597
1:08 PM: Starting Memory Sweep
1:13 PM: Memory Sweep Complete, Elapsed Time: 00:04:23
1:13 PM: Starting Registry Sweep
1:13 PM: Found Adware: screensavers
1:13 PM: HKLM\software\microsoft\code store database\distribution units\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (9 subtraces) (ID = 140566)
1:13 PM: Found Adware: virtumonde
1:13 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
1:13 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
1:13 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
1:13 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
1:13 PM: Found Adware: winad
1:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
1:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
1:13 PM: Found Adware: maxifiles
1:13 PM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
1:13 PM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
1:13 PM: Found Adware: command
1:13 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
1:13 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
1:13 PM: Registry Sweep Complete, Elapsed Time:00:00:49
1:13 PM: Starting Cookie Sweep
1:13 PM: Found Spy Cookie: yieldmanager cookie
1:13 PM: maritta [email protected][1].txt (ID = 3751)
1:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:13 PM: Starting File Sweep
1:16 PM: x.bmp (ID = 69314)
1:16 PM: Found Adware: 180search assistant/zango
1:16 PM: a0193741.dll (ID = 210205)
1:18 PM: a0229519.dll (ID = 69301)
1:22 PM: Found Adware: targetsaver
1:22 PM: class-barrel (ID = 78229)
1:31 PM: a0206374.exe (ID = 185254)
1:36 PM: a0229477.dll (ID = 156271)
1:40 PM: Found Adware: gain - common components
1:40 PM: hdplugin1101.inf (ID = 61480)
1:40 PM: Found Trojan Horse: trojan downloader matcash
1:40 PM: a0204357.exe (ID = 119348)
1:44 PM: a0205373.exe (ID = 185254)
1:44 PM: a0206392.exe (ID = 185254)
1:45 PM: a0206510.exe (ID = 185254)
1:45 PM: a0207514.exe (ID = 185254)
1:45 PM: a0208511.exe (ID = 185254)
1:45 PM: a0209511.exe (ID = 185254)
1:45 PM: a0210510.exe (ID = 185254)
1:45 PM: a0211510.exe (ID = 185254)
1:46 PM: a0211547.exe (ID = 185254)
1:46 PM: a0211568.exe (ID = 185254)
1:54 PM: a0211601.exe (ID = 185254)
1:57 PM: a0211621.exe (ID = 185254)
1:57 PM: a0229576.dll (ID = 156271)
1:57 PM: a0199861.exe (ID = 208349)
1:58 PM: a0199860.dll (ID = 210205)
1:59 PM: a0212622.exe (ID = 185254)
2:00 PM: a0213622.exe (ID = 185254)
2:07 PM: a0229694.exe (ID = 185254)
2:08 PM: vocabulary (ID = 78283)
2:15 PM: hdplugin1101.inf (ID = 122623)
2:18 PM: hdplugin1101.dll (ID = 122622)
2:18 PM: a0229693.exe (ID = 74759)
2:19 PM: Found Adware: whenu save
2:19 PM: a0200061.dll (ID = 182873)
2:19 PM: a0185186.dll (ID = 182873)
2:24 PM: a0229605.vbs (ID = 185675)
2:24 PM: sinstaller.inf (ID = 74756)
2:24 PM: sinstaller.inf (ID = 74756)
2:24 PM: sinstaller.inf (ID = 74756)
2:43 PM: File Sweep Complete, Elapsed Time: 01:29:33
2:43 PM: Full Sweep has completed. Elapsed time 01:34:42
2:43 PM: Traces Found: 107
2:44 PM: Removal process initiated
2:44 PM: Quarantining All Traces: 180search assistant/zango
2:44 PM: Quarantining All Traces: trojan downloader matcash
2:44 PM: Quarantining All Traces: virtumonde
2:44 PM: Quarantining All Traces: maxifiles
2:45 PM: Quarantining All Traces: winad
2:45 PM: Quarantining All Traces: command
2:45 PM: Quarantining All Traces: screensavers
2:45 PM: Quarantining All Traces: targetsaver
2:45 PM: Quarantining All Traces: gain - common components
2:45 PM: Quarantining All Traces: whenu save
2:45 PM: Quarantining All Traces: yieldmanager cookie
2:45 PM: Removal process completed. Elapsed time 00:01:31
********
1:04 PM: | Start of Session, Thursday, January 05, 2006 |
1:04 PM: Spy Sweeper started
1:05 PM: Your spyware definitions have been updated.
1:08 PM: | End of Session, Thursday, January 05, 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 9:16:27 PM, on 1/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Network\network.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\MaRITTA ROSS\Desktop\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## khazars (Feb 15, 2004)

Clean log.

I would also put Ad-Aware on this machine and use it regularly!

How's the computer running now, any better?

You should now turn off System Restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.

How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get these two tools, SpywareGuard and SpywareBlaster, 
from

http://www.javacoolsoftware.com/downloads.html

Get the hosts file from here.

http://www.mvps.org/winhelp2002/hosts.htm

Put it into:

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD puts over 5000 sites in your Restricted Zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

http://www.winpatrol.com/winpatrol.html

Use Spybot's Immunize button and use SpywareBlaster's Enable Protection 
once you update it. You can put Spybot's hosts file into 
your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has 
a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good 
e-mail client.

http://www.mozilla.org/

Another good and free browser is Opera!

http://www.opera.com/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as 
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

You can mark your own thread solved through Thread Tools at the top of 
the page.
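The reason for the "turn off System Restore" step: every file hit in the long ewido report earlier in this thread sits under System Volume Information\_restore{...}\RPnnn, i.e. inside restore-point snapshots, which a scanner can see but which System Restore would bring back if that point were ever restored. The Python below is an added example of mine, not the thread's or ewido's code; it parses ewido's report line format (`target -> Detection.Name : Status`) and separates restore-point hits from live-file and registry hits, listing the restore points involved and any hit whose status is not "Cleaned ...". The sample lines are copied from the reports in this thread, except the last, which is constructed (hypothetical path and detection name) to exercise the not-cleaned path.

```python
import re
from collections import Counter

# Report lines copied from the ewido scan reports posted in this thread, plus one
# constructed line (hypothetical path and detection name) with a non-"Cleaned" status.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0164314.exe -> Dropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP128\A0172496.exe -> Worm.Padobot.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP130\A0177655.exe -> Worm.Padobot.z : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
C:\WINDOWS\constructed_sample.dll -> Example.Downloader : Error during cleaning
"""

# "<target> -> <Family.Name> : <status>"
LINE_RE = re.compile(r"^(?P<target>.+?) -> (?P<name>\S+) : (?P<status>.+)$")
# File copies that System Restore keeps under a restore point (RPnnn)
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)
REG_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


def parse_report(report):
    """Turn the report text into a list of hits tagged by where they live."""
    hits = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, checksum line, blank lines
        target, name, status = m.group("target", "name", "status")
        rp = RESTORE_RE.match(target)
        if rp:
            kind = "restore-point"
        elif target.upper().startswith(REG_HIVES):
            kind = "registry"
        else:
            kind = "live-file"
        hits.append({
            "target": target, "name": name, "status": status,
            "kind": kind, "restore_point": rp.group("rp") if rp else None,
        })
    return hits


def summarize(hits):
    """Counts per location, restore points involved, and anything not cleaned."""
    return {
        "by_kind": Counter(h["kind"] for h in hits),
        "families": Counter(h["name"] for h in hits),
        "restore_points": sorted(
            {h["restore_point"] for h in hits if h["restore_point"]},
            key=lambda rp: int(rp[2:]),
        ),
        # Anything that is not "Cleaned ..." still needs attention, e.g. a DLL
        # that was loaded in a running process when the scanner tried to remove it.
        "unresolved": [h for h in hits if not h["status"].lower().startswith("cleaned")],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("hits by location:", dict(summary["by_kind"]))
    print("restore points holding infected copies:", summary["restore_points"])
    for h in summary["unresolved"]:
        print("NOT CLEANED:", h["target"], "->", h["name"], ":", h["status"])
```

If the only hits are in the restore-point bucket, the live system is clean and flushing the restore points (disable System Restore, reboot, re-enable, make a fresh point) removes the last copies; a hit in the live-file bucket that is not cleaned is the one to chase down while the machine is booted into Safe Mode or with a delete-on-reboot tool.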


----------



## peterboy (Dec 15, 2005)

Hi khazars, thanks for your reply, I really appreciate that. Yes, my PC is working better, but it's still slow. When I play a video it's choppy and kind of skips, and the CPU is at 100% when I play video and overall. So please, any ideas? Thanks ahead. :up:


----------



## khazars (Feb 15, 2004)

How much RAM does it have and how fast is the processor? Some of these video games are very graphics intensive, so you might have to live with it or buy more RAM. Check the specs of your laptop and the specs of the video game. 

Is your computer running OK apart from when you're playing the video games?

You can post for further advice in the games forums.

To free up some resources you can disable Ewido's security suite and uninstall SpySweeper! MS AntiSpyware with SpywareGuard, WinPatrol, and SpywareBlaster will give you plenty of protection, coupled with a hosts file and IE-SPYAD if you installed them!

Ewido's security suite is known to slow PCs down as it takes up some resources!


----------



## peterboy (Dec 15, 2005)

Hi khazars, sorry, I meant video as in a video clip or movie, not a video game. I disabled ewido. My speed is 2.4 GHz Celeron (Intel Inside). When I play a video clip it's choppy and skips and the CPU is way up; that's not too good, huh? I tried everything I can from my knowledge. Can it still be some virus?


----------



## khazars (Feb 15, 2004)

I doubt it, we have run plenty of scans and tools! Try posting in the web/e-mail and maybe hardware forums. You have had a lot of viruses and spyware; maybe a bit of XP's plumbing has got screwed up somewhere?

When was the last time you defragged the hard drive? How old is this installation of Windows? All computers will eventually start to slow down after a year or so as the garbage and broken DLLs build up!

We all eventually have to reformat and do a clean install; it's the only way to get back to a pristine state as the computer gets older!


----------



## peterboy (Dec 15, 2005)

OK, I'll try to defragment, maybe that will help. Thank you very much for everything. Now, if you can, please help with my friend's PC. I checked his log, it doesn't seem too clean; I think he has some spyware and viruses. Please be so kind and check it out for me. Here's his log and a couple of scans:
Logfile of HijackThis v1.99.1
Scan saved at 1:41:34 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\jeff\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk873CSUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:58:30 PM, 1/8/2006
+ Report-Checksum: 6E0EE993

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-2902605101-4206894065-1762447117-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
[2020] C:\Program Files\MSN Messenger\RICHED20.dll -> Spyware.MyWebSearch : Cleaned with backup
:mozilla.6:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.7:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.17:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.27:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-4e33419e.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temp\2.exe -> Adware.MyWebSearch : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temp\900.WUT\vvsn.cab/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\s4setp[1].exe -> Adware.MyWebSearch : Cleaned with backup
C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temporary Internet Files\Content.IE5\YKDBZMTJ\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A00C7A6A-E5EB-4004-9C03-ABE9A7\0BDC0C7B-62B2-4F45-BC63-41F811 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup

::Report End

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf 
Adware:adware/psguard Not disinfected C:\WINDOWS\warnhp.html 
Adware:adware/comet Not disinfected C:\PROGRAM FILES\Starware 
Adware:adware/savenow Not disinfected Windows Registry 
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\MYSEARCHTOOLBAR.SETTINGSPLUGIN 
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\FOCUSINTERACTIVE 
Adware:adware/surfaccuracy Not disinfected Windows Registry 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[.com.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[.hitbox.com/]  
Spyware:Cookie/go Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[.go.com/] 
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[.hitbox.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\jeff\Application Data\Mozilla\Firefox\Profiles\3k6zic7q.default\cookies.txt[] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][3].txt 
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/go Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][2].txt 
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected][1].txt 
Spyware:Cookie/Mp3s Hits Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Cookies\richies lap [email protected]****s[2].txt 
Potentially unwanted tool:Application/MyWay Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temp\2.exe 
Adware:Adware/WeatherCast Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temp\900.WUT\vvsn.cab 
Adware:Adware/WeatherCast Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temp\900.WUT\vvsn.cab[VVSN.exe] 
Potentially unwanted tool:Application/MyWay Not disinfected C:\Documents and Settings\RICHIES LAP TOP\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\s4setp[1].exe 
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A00C7A6A-E5EB-4004-9C03-ABE9A7\0BDC0C7B-62B2-4F45-BC63-41F811 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll 
Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]  
Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf 
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\warnhp.html 
thank you ahead :up:


----------



## khazars (Feb 15, 2004)

IMPORTANT! Move Hijack this from the Temp, or from the zip folder to its own folder!

Make a new folder in C:\ and call it Hijack this, and Save hijack this to 
this folder so that it runs properly and can make back ups. Click scan, 
then save the log and post it here so we can take a look at it for you.

Before you proceed with the removal directions below you need to turn off MS 
Anti-Spyware's realtime protection as it will interfere with the changes we 
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime 
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose 
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

*Download Cleanup from Here

http://www.stevengould.org/software/cleanup/download.html

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Click here to download smitRem.zip.

http://noahdfear.geekstogo.com/click counter/click.php?id=1

* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

boot to safe mode and fix these.

have hijack this fix these

R3 - Default URLSearchHook is missing
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\Program Files\Starware\bin\Starware.dll
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
C:\WINDOWS\warnhp.html
C:\PROGRAM FILES\Starware
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
C:\PROGRAM FILES\MYWEBSEARCH

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once its done, close the program.

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

post another hijack this log, the kaspersky scan log


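A small log-triage script, added here as an example and not part of khazars' post or of HijackThis itself: it parses HijackThis v1.99.1 lines of the shape shown above and flags the same kinds of entries the helper picks out by eye (the missing URLSearchHook, entries whose backing file is "(no file)" or "(file missing)", and paths or URLs matching a short watch-list built from the names in this thread). The sample log and the watch-list are constructed from the entries posted above; the script only reads a log and changes nothing on the machine.

```python
"""Triage helper for HijackThis v1.99.1 logs like the ones in this thread.

Added example, not part of the original post or of HijackThis.
It only reads a log: it does not touch the registry or delete anything.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section prefix ("R3", "O2", "O23") followed by " - " and the rest of the line.
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis marks a registry entry whose backing file is gone in one of two ways.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Constructed watch-list: lowercase substrings taken from the entries the helper
# told the poster to fix in this thread. A real list would be far longer.
WATCHLIST = ("mywebs", "starware", "funwebproducts")

# Constructed sample log: a handful of lines copied from the logs posted above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk873CSUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""


@dataclass
class Entry:
    section: str            # "R3", "O2", "O23", ...
    text: str               # everything after "Oxx - "
    clsid: Optional[str] = None


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an R/F/N/O line; None for headers, blank lines and
    the 'Running processes' list, which HijackThis prints without a prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, text = m.group(1), m.group(2)
    clsid = CLSID_RE.search(text)
    return Entry(section, text, clsid.group(0) if clsid else None)


def parse_log(log: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in log.splitlines()) if e]


def triage(entries: List[Entry], watchlist=WATCHLIST) -> List[Finding]:
    """Apply the simple defensive heuristics a helper applies by eye.
    Every reason is a hint for a human to review, not an automatic verdict."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "R3" and "URLSearchHook is missing" in e.text:
            reasons.append("missing_hook")       # the helper had this fixed
        if e.text.rstrip().endswith(ORPHAN_MARKERS):
            reasons.append("orphan")             # registry points at a file that is gone
        lowered = e.text.lower()
        for name in watchlist:
            if name in lowered:
                reasons.append(f"watchlist:{name}")
        if e.section == "O23" and "Unknown owner" in e.text:
            reasons.append("unknown_owner")      # informational: verify the vendor, do not auto-fix
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.section:<4} {', '.join(f.reasons):<28} {f.entry.text}")
```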
----------



## peterboy (Dec 15, 2005)

Hi khazars, I tried my best, here are the results. Thanks for your time.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 09, 2006 05:14:20
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/01/2006
Kaspersky Anti-Virus database records: 159613
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59633
Number of viruses found: 7
Number of infected objects: 41
Number of suspicious objects: 2
Duration of the scan process: 3736 sec

Infected Object Name - Virus Name
C:\Documents and Settings\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-21a6dd7c.class	Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-4ee51477-66fb1220.class	Infected: Trojan-Downloader.Java.OpenStream.y
C:\Program Files\PestPatrol\Quarantine\20060107103724.zip/WINDOWS/SYSTEM32/redxtmgr.exe	Infected: Trojan.Win32.Crypt.t
C:\Program Files\PestPatrol\Quarantine\20060107103724.zip	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094035.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094036.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094037.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094038.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094039.sys	Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094041.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP59\A0094042.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110365.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110366.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110367.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110368.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110369.dll	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110370.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP71\A0110371.sys	Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP78\A0114001.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP78\A0114150.exe	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP78\A0114152.exe	Infected: Trojan-Downloader.Win32.Small.vu
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79\A0118191.exe	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79\A0118264.exe	Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79\A0118265.exe	Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0118690.exe	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0118761.exe	Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0118762.exe	Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0118763.dll	Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP80\A0118764.dll	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0118851.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0118859.dll	Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0118860.dll	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP88\A0123244.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP88\A0123248.dll	Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP88\A0123249.dll	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP89\A0123803.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP89\A0123807.dll	Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP89\A0123808.dll	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP90\A0124362.exe	Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP90\A0124366.dll	Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP90\A0124367.dll	Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP95\A0131165.exe	Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\dskbdlt1.dll	Infected: Trojan.Win32.Crypt.t

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 5:40:36 AM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\jeff\My Documents\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk873CSUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


----------



## khazars (Feb 15, 2004)

go here and empty out this folder.

C:\Documents and Settings\jeff\Application Data\Sun\Java\Deployment\cache\

have hijack this fix these entries!

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk873CSUS

use the killbox on these.

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box. Then click Yes 
to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

C:\WINDOWS\SYSTEM32\dskbdlt1.dll 
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

Apropos fix

You may want to print out these instructions for reference, since you will 
have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the 
Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the 
desktop. Open the aproposfix folder on your desktop and run RunThis.bat. 
Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a 
new HijackThis log, along with the entire contents of the log.txt file in 
the aproposfix folder.

go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect "search for negligible risk 
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the 
immunize button.

reboot again

With CWshredder close all browsers and programmes and select the FIX button.

Go here and download Microsoft Antispyware Beta. First in the top menu click 
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick 
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then 
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it 
quarantine the items that have that option rather than delete just in case. 
It is a beta program and there may be false positives)

Restart your computer.

All tools can be downloaded at the link below and found on that page!

. Microsoft® Windows AntiSpyware 
. Trend micro CWShredder
. SpyBot search and destroy
. AdAware SE personal

http://www.majorgeeks.com/downloads31.html

post another log and the apropos log


----------



## peterboy (Dec 15, 2005)

Hi khazars, thank you for your time. Well, I tried my best, here are the results.

Log of AproposFix v1

************

Running from directory: 
C:\Documents and Settings\RICHIES LAP TOP\My Documents\My Received Files\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C1ij4AD2dltm]
@="w:2S GRabbabbcb:r1ACHEabbaqdb6w\\r.62bSYSTEMhgbDRIVERSbDXAELPgecSYS"
"Device"="\\\\.\\PDRache"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\dxaelp20.sys"
"DriverName"="IPSsMgr"
"HideUninstallerName"="C:\\Program Files\\Javmsn\\grpo4svc.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\dfrcic.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{B255C424-9832-4A68-8179-55FB49BD7EB2}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\dskbdlt1.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X0295f7d-f6f3-3c74-1368-a5e9038286ae}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Javmsn\\davent97.exe"

************

Removing hidden service: 
Service IPSsMgr removed.

Removing hidden folder: 
Deletion of folder Javmsn succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\dxaelp20.sys succeeded! 
Deletion of file C:\WINDOWS\system32\avtxml3r.exe succeeded! 
Deletion of file C:\WINDOWS\system32\dskbdlt1.dll succeeded! 
Deletion of file C:\WINDOWS\system32\dfrcic.exe succeeded!

Backing up files: 
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C1ij4AD2dltm]
[-HKEY_LOCAL_MACHINE\Software\C1ij4AD2dltm]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B255C424-9832-4A68-8179-55FB49BD7EB2}]

Done!

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 11:17:41 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jeff\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

ok thanks khazars:up:


----------



## peterboy (Dec 15, 2005)

Hi khazars, if you can please be so kind to help me out with 1 more. It's my older desktop, it's a Compaq 400 MHz, 128 RAM. It has Win 98, it's running bad. If you can, please check this log out for me.

Logfile of HijackThis v1.99.1
Scan saved at 8:57:45 AM, on 1/9/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\TOPSEARCH\TOPSEARCH.EXE
C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS G\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\QUICKREG\QUICKREG.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10244&ttid=104
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM303.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [webrebates] "C:\PROGRAM FILES\WEBREBATES4\WEBREBATES.EXE"
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Xezohtqw] C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [Registry Toolkit] C:\PROGRAM FILES\REGISTRY TOOLKIT\REGTOOLKIT.EXE /scan
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.88.195.10,192.88.193.144

I'll be very happy.


----------



## khazars (Feb 15, 2004)

Clean log for that one. How's it running now, any better? You can now turn off System Restore etc., you know my drill, and download those tools for added protection, which you should have on the other machines!

This is for the Win 98 machine

go to Microsoft and download all available patches for this machine!

Go to Add/Remove and uninstall WEBREBATES, TopSearch, Media Access and Internet Optimizer. Delete their folders from C:\Program Files.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

* Download Cleanup from Here

http://www.stevengould.org/software/cleanup/download.html

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* run clean up

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM303.DLL
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webrebates] "C:\PROGRAM FILES\WEBREBATES4\WEBREBATES.EXE"
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Xezohtqw] C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\WINDOWS\NEM220.DLL
C:\WINDOWS\WSEM303.DLL
C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\PROGRAM FILES\WEBREBATES4\WEBREBATES.EXE
C:\Program Files\TopSearch\TopSearch.exe
C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe

reboot to normal mode

Win 98 service pack!

For anyone having issues with 98 stability, I thoroughly recommend the Unofficial 98 service pack from http://exuberant.ms11.net/98sesp.html

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean, have it delete. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, plus the Kaspersky, SpySweeper and ActiveScan logs.
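An added example, not a tool used in this thread: a small Python triage script that parses a HijackThis v1.99 log into entries, marks the ones matching the fix lines and Killbox list quoted above, marks orphan entries (HijackThis's own "(no file)" / "(file missing)"), and checks each flagged binary against the log's "Running processes" block so you can see which startup items were actually live when the log was taken. The embedded log lines are excerpts of the Windows 98 log and the two lists posted in this thread.

```python
"""HijackThis log triage: added example, not a tool from the thread.
Marks log entries the helper quoted for fixing or listed for Killbox, marks
orphans ("(no file)" / "(file missing)"), and checks each flagged binary against
the log's own "Running processes" block to show which of them was live."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section codes HijackThis uses: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Drive-letter path cut at the first executable-style extension, so trailing
# arguments such as " /autorun" or " -startup" stay out of the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl|htm|html)\b", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str]  # lower-cased, or None for URL- or registry-only lines
    reasons: List[str] = field(default_factory=list)
    running: bool = False


def extract_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def parse_log(text: str):
    """Return (entries, running) where running holds lower-cased process paths."""
    entries, running, in_procs = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:  # the process block ends at the first blank line
            in_procs = False
        elif in_procs:
            running.add(line.lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(Entry(m.group(1), m.group(2), extract_path(m.group(2))))
    return entries, running


def triage(log_text: str, fix_lines: str, killbox_paths: str) -> List[Entry]:
    """Entries matching the helper's quoted fix lines or Killbox list, plus orphans."""
    entries, running = parse_log(log_text)
    quoted = {e.body.lower() for e in parse_log(fix_lines)[0]}
    to_delete = {p.strip().lower() for p in killbox_paths.splitlines() if p.strip()}
    flagged = []
    for e in entries:
        if e.body.lower() in quoted:
            e.reasons.append("quoted for fixing")
        if e.path in to_delete:
            e.reasons.append("file on Killbox list")
        if any(mark in e.body for mark in ORPHAN_MARKERS):
            e.reasons.append("orphan entry (file missing)")
        if e.reasons:
            e.running = e.path in running
            flagged.append(e)
    return flagged


# Excerpts of the Windows 98 log and of the helper's fix and Killbox lists posted above.
SAMPLE_LOG = r"""
Running processes:
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\TOPSEARCH\TOPSEARCH.EXE
C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM303.DLL
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [Xezohtqw] C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""
FIX_LINES = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xezohtqw] C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""
KILLBOX_LIST = r"""
C:\WINDOWS\NEM220.DLL
C:\WINDOWS\WSEM303.DLL
C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\PROGRAM FILES\RCRROYY\ZNEPUT.EXE
"""
```

Calling `triage(SAMPLE_LOG, FIX_LINES, KILLBOX_LIST)` returns the nine flagged entries; the Drag'n'Drop item stays unflagged, and the four binaries that also appear under "Running processes" come back with `running` set.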


----------



## peterboy (Dec 15, 2005)

Hi khazars, I hope you're still here. My PC is running bad again, it loads real long and I get an error message when I start up: application error svchost, integer overflow, couldn't read memory reference, something like that. I hope it's not anything serious, and if you remember that file pwcarc.exe, it comes back no matter what. If you can please help me with this, I did some scans, if you can please check it out for me. Thank you ahead.

Logfile of HijackThis v1.99.1
Scan saved at 2:57:55 AM, on 3/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mllml - C:\WINDOWS\System32\mllml.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:56:04 AM, 3/27/2006
+ Report-Checksum: CFF6E119

+ Scan result:

:mozilla.15:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

khazars is away for a bit so I will help you with this.

First, we need copies of the files for this particular infection and would appreciate it if you would do the following:

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Go to the following link, fill in your username and the link to this thread, then click on browse and locate this file on your computer, then click on "send file".

http://www.atribune.org/submit-malware.php

C:\WINDOWS\System32\*mllml.dll*

Please let us know if you were able to do this and then we will proceed.


----------



## peterboy (Dec 15, 2005)

Hi Cookiegal, thanks for your reply. I followed your instructions, I sent that file, I hope I did it right. Thank you.


----------



## Cookiegal (Aug 27, 2003)

Thanks for that. :up:

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Put a check next to *Run VundoFix as a task.*
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HijackThis log.


----------



## peterboy (Dec 15, 2005)

Well, the VundoFix didn't reopen by itself so I just did a scan and removed the files, but it seems like my HijackThis list is still the same. Looks like the Yahoo toolbar, I don't even have any Yahoo toolbars, and the pwcarc.exe is still there, and I got an error message, generic host win32, something like that. Thank you for your time, here's my results.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:23 PM, on 3/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

VundoFix V4.2.35

Checking Java version...

Scan started at 2:01:00 PM 3/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\mllml.dll
Attempting to delete C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mllml.dll Has been deleted!

Performing Repairs to the registry.
Done!


----------



## Cookiegal (Aug 27, 2003)

Download the trial version of Ewido Anti-Malware *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido.
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

*Click here* for info on how to boot to safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop.

Restart back into Windows normally now.

Run the ActiveScan online virus scan *here*.

When the scan is finished, save the results from the scan!

*Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.*


----------



## peterboy (Dec 15, 2005)

OK, I'm ready. Here's the results, thank you for your time.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:24 PM, on 3/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Incident Status Location

Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\Download 
Adware:adware/block-checker Not disinfected Windows Registry 
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[www.burstbeacon.com/] 
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.burstnet.com/] 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.as-us.falkag.net/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.com.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.zedo.com/] 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.adrevolver.com/] 
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.clickbank.net/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Adware:Adware/PurityScan Not disinfected C:\Program Files\Yazzle Sudoku\uninstaller.exe 
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:40:35 PM, 3/27/2006
+ Report-Checksum: 3096FC5B

+ Scan result:

:mozilla.15:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind*.
*Right-click* the Zip folder and select "*Extract All*".
Extract it somewhere you will remember, like the *Desktop*.
Don't do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double-click *WinPFind.exe*.
Click "*Start Scan*".
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*.
Locate *WinPFind.txt*.
Copy and paste WinPFind.txt in your next post here please.


----------



## peterboy (Dec 15, 2005)

Hi, thanks for your reply. Here's the results:
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
qoologic 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
SAHAgent 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\lpt$vpn.845
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
qoologic 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
SAHAgent 9/18/2005 12:08:02 PM 15841777 C:\WINDOWS\VPTNFILE.845
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 12/2/2005 5:31:00 AM 478208 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 3/31/2003 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 12/7/2005 1:52:10 PM 575488 C:\WINDOWS\SYSTEM32\mdmfcplayer.ocx
PECompact2 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 3/31/2003 4:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 7/5/2004 7:09:14 AM R 295424 C:\WINDOWS\SYSTEM32\TFTP2404
winsync 3/31/2003 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS

qoologic 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
PTech 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
SAHAgent 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
abetterinternet.com 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
web-nex 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
ad-w-a-r-e.com 1/21/2006 2:17:18 AM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
qoologic 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP
PTech 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP
SAHAgent 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP
abetterinternet.com 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP
web-nex 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP
ad-w-a-r-e.com 12/28/2005 12:22:08 PM 389282 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.MVP

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/28/2006 11:47:42 AM S 2048 C:\WINDOWS\bootstat.dat
3/28/2006 8:35:08 AM H 0 C:\WINDOWS\LastGood\INF\oem47.inf
3/28/2006 8:35:08 AM H 0 C:\WINDOWS\LastGood\INF\oem47.PNF
3/7/2006 11:59:38 PM S 9341 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914798.cat
3/28/2006 11:47:34 AM H 8192 C:\WINDOWS\system32\config\default.LOG
3/28/2006 11:47:50 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
3/28/2006 11:47:46 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
3/28/2006 11:49:02 AM H 102400 C:\WINDOWS\system32\config\software.LOG
3/28/2006 11:47:48 AM H 1052672 C:\WINDOWS\system32\config\system.LOG
3/26/2006 9:01:14 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FO7LJY20\desktop.ini
3/26/2006 9:01:14 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\T1L2J1PJ\desktop.ini
3/26/2006 9:01:14 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VR6EJI5Q\desktop.ini
3/26/2006 9:01:14 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WP8D4HQT\desktop.ini
3/28/2006 11:46:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 3/31/2003 4:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
TOSHIBA Corp. 10/31/2003 11:28:06 AM 520192 C:\WINDOWS\SYSTEM32\HWSETUP.CPL
Intel Corporation 9/20/2005 10:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/20/2003 4:41:52 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
M-Audio 8/15/2004 10:28:10 AM 131072 C:\WINDOWS\SYSTEM32\mobpre.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 12/30/2005 8:46:24 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
9/5/2003 1:36:40 PM 495616 C:\WINDOWS\SYSTEM32\TOSCDSPD.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 12/30/2005 8:46:24 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/20/2003 3:46:40 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/20/2003 7:37:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/23/2005 10:27:18 PM 13 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
5/1/2004 8:17:10 PM 13 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
4/29/2004 3:41:20 AM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
11/20/2003 3:46:40 PM HS 84 C:\Documents and Settings\Karen Granger\Start Menu\Programs\Startup\desktop.ini
1/1/2006 7:13:56 PM 650 C:\Documents and Settings\Karen Granger\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
11/20/2003 7:37:56 AM HS 62 C:\Documents and Settings\Karen Granger\Application Data\desktop.ini
12/7/2005 1:52:04 PM 68 C:\Documents and Settings\Karen Granger\Application Data\fc_location.txt
6/8/2004 11:55:44 AM H 0 C:\Documents and Settings\Karen Granger\Application Data\hpothb07.dat
6/8/2004 11:55:44 AM H 0 C:\Documents and Settings\Karen Granger\Application Data\hpothb07.tif
12/13/2005 2:58:06 PM 2235201 C:\Documents and Settings\Karen Granger\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 = 
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfxytxtf
{02071e9e-1413-44b8-91f4-3702d9d295f2} = C:\WINDOWS\System32\kfwmr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{8C504614-A455-4CBA-81B4-D279644B8A7D}
= tfaxext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E1BEA96-02D9-4992-B508-9B51819D9D86}
DosSpecFolder Object = C:\WINDOWS\System32\mllml.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio	: C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} = : 
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TouchED	C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
Pinger	C:\TOSHIBA\IVP\ISM\pinger.exe /run
Apoint	C:\Program Files\Apoint2K\Apoint.exe
AGRSMMSG	AGRSMMSG.exe
00THotkey	C:\WINDOWS\System32\00THotkey.exe
000StTHK	000StTHK.exe
igfxtray	C:\WINDOWS\System32\igfxtray.exe
igfxhkcmd	C:\WINDOWS\System32\hkcmd.exe
igfxpers	C:\WINDOWS\System32\igfxpers.exe
gcasServ	"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
InternetShield	C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
winsync	C:\WINDOWS\System32\pwcarc.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe	C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/28/2006 11:53:46 AM


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\SYSTEM32\mdmfcplayer.ocx*


----------



## peterboy (Dec 15, 2005)

OK, here are the results:
File: mdmfcplayer.ocx
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 21712058faf74f4db88cafc99106fb4f
Packers detected: UPX

Scanner results
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


----------



## Cookiegal (Aug 27, 2003)

Alright, I'd like to investigate that file further so please do this:

Go to the forum *here* and upload this (these) file(s):

*C:\WINDOWS\SYSTEM32\mdmfcplayer.ocx*

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.

Derek will analyze it and let us know if it's bad or not.


----------



## peterboy (Dec 15, 2005)

I didn't know what to do exactly. I uploaded the file on that site; I put in my email address. It's under file upload, my name peterboy. I hope I did it right.


----------



## Cookiegal (Aug 27, 2003)

Yes, you did fine. I see the file is uploaded there. Derek is in the UK so there is a time difference.

I will post further instructions once we hear back about that file.


----------



## peterboy (Dec 15, 2005)

OK, thanks guys for your time. I really appreciate this, thank you. Wow, I wish I was as good as you.


----------



## dvk01 (Dec 14, 2002)

It seems to be some sort of CD or media player file, and so far all the antivirus companies that I sent it to have replied that it's clean.

I'm still getting it fully checked though


----------



## peterboy (Dec 15, 2005)

OK, thank you for that, but I think my HijackThis isn't clean. I did some scans and a HijackThis list and you guys didn't help me on that. When Khazars helped me he showed me what files to remove and my HijackThis was clean; now it's not. There's a file winsync pwcarc.exe that keeps coming back. Khazars helped me to remove it but it keeps coming back. Is that bad? Can't it be harmful or make my PC run slow? Is my PC OK? It's running good but I'm concerned, so I don't have some spyware or virus to break my PC.

Logfile of HijackThis v1.99.1
Scan saved at 2:41:53 AM, on 3/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:40:35 PM, 3/27/2006
+ Report-Checksum: 3096FC5B

+ Scan result:

:mozilla.15:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

::Report End

| Incident | Status | Location |
|---|---|---|
| Adware:adware/maxifiles | Not disinfected | C:\PROGRAM FILES\COMMON FILES\Download |
| Adware:adware/block-checker | Not disinfected | Windows Registry |
| Potentially unwanted tool:application/mywebsearch | Not disinfected | HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} |
| Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Hbmediapro | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/adultfriendfinder | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Screensavers | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt |
| Spyware:Cookie/WebPower | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/myaffiliateprogram | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.statcounter.com/] |
| Spyware:Cookie/BurstBeacon | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[www.burstbeacon.com/] |
| Spyware:Cookie/BurstNet | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.burstnet.com/] |
| Spyware:Cookie/Falkag | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.as-us.falkag.net/] |
| Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.com.com/] |
| Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[ad.yieldmanager.com/] |
| Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.casalemedia.com/] |
| Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.realmedia.com/] |
| Spyware:Cookie/Zedo | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.zedo.com/] |
| Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.adrevolver.com/] |
| Spyware:Cookie/Clickbank | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.clickbank.net/] |
| Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.apmebf.com/] |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[] |
| Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Hbmediapro | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/adultfriendfinder | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Screensavers | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt |
| Spyware:Cookie/WebPower | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Spyware:Cookie/myaffiliateprogram | Not disinfected | C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt |
| Adware:Adware/PurityScan | Not disinfected | C:\Program Files\Yazzle Sudoku\uninstaller.exe |


----------



## Cookiegal (Aug 27, 2003)

First you need to disable Microsoft Anti-Spyware as it may interfere with the fix so please do this:

Open Microsoft AntiSpyware.

Click on Tools, Settings. In the left pane, click on Real-time Protection.

Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).

Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).

After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

*services.msc*

Click OK.

In the services window find *Power Manager*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Open HijackThis and click on the "Open Misc Tools section" button. Now click on the "Delete an NT service" button. Copy and paste this line in that box:

*Power Manager*

Click OK.

*Click Here* and download Killbox and save it to your desktop but dont run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll (file missing)

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run

O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
*

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*
C:\WINDOWS\System32\kfwmr.dll

C:\WINDOWS\System32\pwcarc.exe

C:\Program Files\Yazzle Sudoku

C:\WINDOWS\SYSTEM32\TFTP2404

C:\WINDOWS\svchost.exe *

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.

Also, please download RootkitRevealer from here:

http://www.sysinternals.com/utilities/rootkitrevealer.html

Unzip it then doubleclick the RootkitRevealer.exe file. Click the scan button and let it scan. Save the scan results and post them here.


----------
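The HijackThis entries Cookiegal singles out above share a few tell-tale properties: a service with no publisher whose image is a svchost.exe outside System32 and is reported missing, a BHO whose DLL is missing, and a Run entry for a file the scanners already named. The Python script below is an added example for this thread, not a HijackThis feature and not code anyone posted: it reads HijackThis log lines and flags entries by exactly those criteria. The sample lines are copied from the logs in this thread, and the known-bad list (pwcarc.exe, kfwmr.dll) is taken from the Killbox list above; both are constructed inputs for the example. Rules like these only prioritise lines for a person to check: a match is a lead, and an entry that passes them is not thereby clean.

```python
"""Flag HijackThis log lines that match the criteria used in this thread.

Added example; not a HijackThis feature and not code posted in the thread.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\mllml.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# The files the helper in this thread told the poster to delete; the only
# "known bad" list the example uses.
KNOWN_BAD = {
    r"c:\windows\system32\pwcarc.exe",
    r"c:\windows\system32\kfwmr.dll",
}
SYSTEM32 = r"c:\windows\system32"

# First drive-letter path ending in a loadable extension; stops at a closing quote.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl))', re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # HijackThis section, e.g. "O23"
    line: str            # the original log line
    reasons: List[str]   # every rule the line matched


def image_path(line: str) -> Optional[str]:
    """Return the lower-cased image path named in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1).lower() if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's four criteria to every non-empty line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]
        path = image_path(line)
        reasons = []
        if "(file missing)" in line:
            reasons.append("referenced file is missing")
        if kind == "O23" and "Unknown owner" in line:
            reasons.append("service has no publisher")
        # The real svchost.exe lives in System32; a copy elsewhere is the rogue one.
        if path and ntpath.basename(path) == "svchost.exe" and ntpath.dirname(path) != SYSTEM32:
            reasons.append("svchost.exe outside System32")
        if path in KNOWN_BAD:
            reasons.append("path named in the scan results")
        if reasons:
            findings.append(Finding(kind, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, the three entries Cookiegal listed for fixing come out flagged and the two legitimate ones (Adobe, ewido) do not; the Power Manager line trips all three service rules at once, which is why it stood out.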



## peterboy (Dec 15, 2005)

Hi Cookiegal, thanks for your reply. I ran into a couple of problems during the process. I got this message when I tried to delete the Power Manager service: "Power Manager was not found in the registry, make sure entered the short" (vbExclamation). I'm just letting you know, and this wasn't in the HijackThis log: O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Logfile of HijackThis v1.99.1
Scan saved at 6:38:56 PM, on 3/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Here's the result from the rootkit scan:
SOFTWARE 0 bytes	Error dumping hive: The system cannot find the file specified.
C:\WINDOWS\Temp\Perflib_Perfdata_7bc.dat:KAVICHS	3/29/2006 6:26 PM	36 bytes	Hidden from Windows API.


----------



## Cookiegal (Aug 27, 2003)

Download *Track qoo*

Save it somewhere you will remember like the *Desktop but don't run it yet.*

Please download AproposFix from  *here*

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:

 Restart your computer
 After hearing your computer beep once during start-up, but before the Windows icon appears, press F8.
 Instead of Windows loading as normal, a menu should appear
 Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click *aproposfix.exe* and unzip it to the desktop. Open the aproposfix folder on your desktop and run *RunThis.bat*. Follow the prompts.

When the tool is finished and while still in safe mode, please do this:

Double Click on "*Track qoo.vbs*"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy those results and paste them in your next post along with a new HijackThis log and the entire contents of the *log.txt* file in the aproposfix folder!


----------



## peterboy (Dec 15, 2005)

I ran into a problem with Track qoo. When I double click it, it says "cannot find pavscrip.exe, this program is needed for opening files of type VBS script files". I tried to open it with my Notepad but I don't think that's right. I pasted it here to show you, so please:

Dim Def, Wshshell, FN, fso, Report, SysF, SS

const HKEY_CLASSES_ROOT = &H80000000

Set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Set Wshshell = Wscript.CreateObject("Wscript.Shell")

Wshshell.Run "regedit /e /a Report.txt" & " " & "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",, True
Set Report = fso.OpenTextFile("Report.txt", 8, True)

Report.WriteLine "-----------------"

strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "*\shellex\ContextMenuHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys

On error Resume Next 
Err.Clear
Def = Wshshell.RegRead ("HKCR\" & strKeyPath & "\" & subkey & "\")

On Error Resume Next
FN = Wshshell.RegRead("HKCR\CLSID\" & Def & "\InprocServer32\")
If FN = "" Then
FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
End IF

FN = WshShell.ExpandEnvironmentStrings(FN)

Msg = Msg & vbcrlf & "Subkey --- " & subkey & vbcrlf & Def & vbcrlf & FN & vbcrlf
Err.Clear

Def = ""
FN = ""
Next

Report.WriteLine "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
Report.WriteLine
Report.Write Msg

'---------------------

Dim Mess

Report.WriteLine
Report.WriteLine "====================="
Report.WriteLine

strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "Folder\shellex\ColumnHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys

On error Resume Next 
Err.Clear

On Error Resume Next

FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
FN = WshShell.ExpandEnvironmentStrings(FN)

Mess = Mess & vbcrlf & "Subkey --- " & subkey & vbcrlf & FN & vbcrlf
Err.Clear

FN = ""
Next

Report.WriteLine "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers"
Report.WriteLine
Report.Write Mess

Report.Writeline
Report.WriteLine "=============================="

Dim SU ,s ,f,f1, C
SU = Wshshell.SpecialFolders("AllUsersStartup")
Report.WriteLine SU

Set f = fso.getFolder(SU)
Set fc = f.files
For Each f1 in fc
Set C = fso.GetFile(f1)
s = s & C.name & vbcrlf

Next

Report.Writeline
Report.Write s

'-----------------------------
Report.Writeline "=============================="

SU = Wshshell.SpecialFolders("Startup")
Report.WriteLine SU

Set f = fso.getFolder(SU)
Set fc = f.files
For Each f1 in fc
Set C = fso.GetFile(f1)
s = s & C.name & vbcrlf

Next

Report.Writeline
Report.Write s

'-----------------------------
Report.Writeline "=============================="

dim Q, cpl, Sys ,Maker

Sys = fso.GetSpecialFolder(1)

Report.Writeline Sys & " cpl files"
Report.Writeline

set f = Fso.getFolder(Sys)
set fc =f.files
for each f1 in fc
IF LCASE(Right(fso.GetFileName(f1),4)) = ".cpl" Then
Q = f1.path

Q = Replace (Q, "\", "\\")
Set cpl = GetObject("winmgmts:root\cimv2").Get _
("CIM_DataFile.Name=""" & Q & """")

Maker = cpl.Manufacturer

Q = Replace (Q, "\\", "\")

On error resume next
Report.write vbcrlf & f1.name & Space(30 - len(f1.name)) & Maker

Err.Clear
End IF
Next

Report.close
WshShell.run "Notepad Report.txt"

Set fso = Nothing
Set Maker = Nothing
Set Report = Nothing
Set cpl = Nothing
Set f = Nothing
Set fc = Nothing
Set C = Nothing
Set oReg = Nothing
Set Wshshell = Nothing

Log of AproposFix v1.1

************

Running from directory: 
C:\Documents and Settings\Karen Granger\Desktop\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder: 
No folder found!

Deleting files:

Backing up files: 
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 3:11:03 AM, on 3/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## dvk01 (Dec 14, 2002)

Right click the Track qoo & select Open With and select Windows Scripting Host.

You have had Panda antivirus and when you uninstalled it, it left behind the setting telling scripts to be checked by it.


----------



## peterboy (Dec 15, 2005)

Nope, that didn't work. No, Scripting Host wasn't there. I downloaded the program and installed it and still nothing. Now it says "trackqoo vbs.1 is not a valid Win32 application". What should I do? Is there any other way we can do this, please? Is it OK that I downloaded that Scripting Host program? Can it harm my PC?


----------



## peterboy (Dec 15, 2005)

Hello, is anyone out there? I haven't had any replies. What's going on?


----------



## Cookiegal (Aug 27, 2003)

Sorry, I guess we got our signals crossed. 

Installing the script host will not harm your computer.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Remove the TrackQoo that you have and redownload it.

Download *Track qoo*

Save it somewhere you will remember like the *Desktop but don't run it yet.*

Then please reboot your computer in Safe Mode by doing the following:

 Restart your computer
 After hearing your computer beep once during start-up, but before the Windows icon appears, press F8.
 Instead of Windows loading as normal, a menu should appear
 Select the first option, to run Windows in Safe Mode.

Double Click on "*Track qoo.vbs*"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy those results and paste them in your next post along with a new HijackThis log.


----------



## peterboy (Dec 15, 2005)

OK great, you're back finally. I got the Track qoo to work, I fixed it myself. I was researching and I found this file oxjz.exe; I found it in the HijackThis backups. I think it has something to do with that pwcarc.exe file. I did an online scan with that oxjz.exe file and it came up as malware. Here's the results on that; I'm just letting you know about this, it might help you. Let me know if I'm right, and here's the rest of the results.

Service load: 
0% 100%
File: backup-034852-oxjz.exe
Status: 
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 627626f5ba1a09a4d1b2862e80cb0cf7
Packers detected: 
-
Scanner results
AntiVir 
Found Heuristic/Crypted.Modified (probable variant)
ArcaVir 
Found nothing
Avast 
Found nothing
AVG Antivirus 
Found nothing
BitDefender 
Found nothing
ClamAV 
Found nothing
Dr.Web 
Found Adware.Nexus
F-Prot Antivirus 
Found W32/Sdbot.CGU
Fortinet 
Found W32/NewThreat!Morphine
Kaspersky Anti-Virus 
Found nothing
NOD32 
Found a variant of Win32/TrojanDownloader.Qoologic
Norman Virus Control 
Found nothing
UNA 
Found nothing
VirusBuster 
Found nothing
VBA32 
Found Trojan-Downloader.Win32.Qoologic.ai

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe /run"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"InternetShield"="C:\\PROGRA~1\\INTERN~3\\InternetShield.exe -CheckStartup"
"winsync"="C:\\WINDOWS\\System32\\pwcarc.exe reg_run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- mfxytxtf
{02071e9e-1413-44b8-91f4-3702d9d295f2}
C:\WINDOWS\System32\kfwmr.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {8C504614-A455-4CBA-81B4-D279644B8A7D}

tfaxext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
==============================
C:\Documents and Settings\Karen Granger\Start Menu\Programs\Startup

desktop.ini
desktop.ini
SpywareGuard.lnk
==============================
C:\WINDOWS\system32 cpl files

access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
HWSETUP.CPL TOSHIBA Corp.
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
mobpre.cpl M-Audio
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
TOSCDSPD.cpl 
wuaucpl.cpl Microsoft Corporation

Logfile of HijackThis v1.99.1
Scan saved at 5:39:21 AM, on 4/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------
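The Track qoo script peterboy pasted earlier dumps the shell extension handlers under HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers (subkey name, CLSID, resolved InprocServer32 DLL) and the Control Panel .cpl files with the Manufacturer string WMI reports for each; the report above is what that produces. The Python below is an added example for this thread, not part of Track qoo and not code anyone posted: it parses those two sections of the report and flags what a helper looks for in them. Two rules are used: a handler whose DLL is on the Killbox list from this thread (kfwmr.dll), and, as a heuristic that is this example's own assumption rather than a rule stated in the thread, a subkey name of six or more letters with no vowel, the shape of the mfxytxtf key above. For .cpl files it lists those with an empty manufacturer string, which is how TOSCDSPD.cpl shows up in the report and is a prompt to look the file up, not a verdict. The sample report is a constructed excerpt of the one posted.

```python
"""Triage the Track qoo report sections quoted in this thread.

Added example; not part of Track qoo and not code posted in the thread.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, trimmed from the Track qoo output posted in the thread.
TRACKQOO_SAMPLE = r"""
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- mfxytxtf
{02071e9e-1413-44b8-91f4-3702d9d295f2}
C:\WINDOWS\System32\kfwmr.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {8C504614-A455-4CBA-81B4-D279644B8A7D}

tfaxext.dll

==============================
C:\WINDOWS\system32 cpl files

access.cpl                    Microsoft Corporation
TOSCDSPD.cpl                  
wuaucpl.cpl                   Microsoft Corporation
"""

# The DLL the helper in this thread told the poster to delete with Killbox.
KNOWN_BAD_DLLS = {"kfwmr.dll"}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
SUBKEY_PREFIX = "Subkey --- "


@dataclass
class Handler:
    name: str   # registry subkey name
    clsid: str  # default value of the subkey (may be empty)
    dll: str    # InprocServer32 path the script resolved (may be empty)


def parse_handlers(report: str) -> List[Handler]:
    """Read the ContextMenuHandlers block: the script writes each handler as
    three lines (subkey, CLSID, DLL) followed by a blank line."""
    lines = report.splitlines()
    handlers, in_section, i = [], False, 0
    while i < len(lines):
        line = lines[i]
        if line.strip().endswith("\\shellex\\ContextMenuHandlers"):
            in_section = True
        elif in_section and line.startswith("="):
            break  # next section of the report
        elif in_section and line.startswith(SUBKEY_PREFIX):
            name = line[len(SUBKEY_PREFIX):].strip()
            clsid = lines[i + 1].strip() if i + 1 < len(lines) else ""
            dll = lines[i + 2].strip() if i + 2 < len(lines) else ""
            handlers.append(Handler(name, clsid, dll))
            i += 3
            continue
        i += 1
    return handlers


def looks_random(name: str) -> bool:
    """Heuristic assumed by this example, not a rule from the thread: six or
    more letters with no vowel reads as a machine-generated name."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and not any(c in "aeiou" for c in letters)


def triage_handlers(handlers: List[Handler]) -> List[Tuple[Handler, List[str]]]:
    flagged = []
    for h in handlers:
        reasons = []
        if ntpath.basename(h.dll).lower() in KNOWN_BAD_DLLS:
            reasons.append("DLL named in the scan results")
        if not GUID_RE.match(h.name) and looks_random(h.name):
            reasons.append("subkey name looks machine-generated")
        if reasons:
            flagged.append((h, reasons))
    return flagged


def parse_cpl(report: str) -> List[Tuple[str, str]]:
    """Read the '<dir> cpl files' block: file name padded with spaces, then the
    Manufacturer string from WMI (empty when the file carries no version info)."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.rstrip().endswith(" cpl files"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        if line.startswith("="):
            break
        name, _, maker = line.partition(" ")
        entries.append((name, maker.strip()))
    return entries


def no_manufacturer_cpl(entries: List[Tuple[str, str]]) -> List[str]:
    """Applets with no manufacturer string: worth identifying by hand."""
    return [name for name, maker in entries if not maker]


if __name__ == "__main__":
    for h, why in triage_handlers(parse_handlers(TRACKQOO_SAMPLE)):
        print(f"{h.name} -> {h.dll}: {'; '.join(why)}")
    print("cpl files without a manufacturer:", no_manufacturer_cpl(parse_cpl(TRACKQOO_SAMPLE)))
```

On the sample only the mfxytxtf handler is flagged, by both rules, and the GUID-named handler with an empty default value parses cleanly because the script always emits three lines per entry whether or not the CLSID lookup succeeded.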



## Cookiegal (Aug 27, 2003)

I am attaching a fixpeter2.zip file to this post. Unzip it to your desktop. Double click on the fixpeter2.reg file and allow it to enter into the registry.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run*

Boot to safe mode and run Killbox on these files:

*C:\WINDOWS\System32\kfwmr.dll

C:\WINDOWS\System32\pwcarc.exe*

Reboot and post a new HijackThis log please.


----------



## peterboy (Dec 15, 2005)

OK, I'm ready. I followed your instructions, here's the HijackThis log. Thank you Cookiegal, I really appreciate this, thanks for your time.

Logfile of HijackThis v1.99.1
Scan saved at 1:40:50 PM, on 4/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## Cookiegal (Aug 27, 2003)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\System32\pwcarc.exe


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


----------



## peterboy (Dec 15, 2005)

OK, done. Hope I did it right.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqyxcjkx

*******************

Script file located at: \??\C:\pa^fpwoy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\pwcarc.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 4:34:54 PM, on 4/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\netdde.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pwcarc.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


----------



## Cookiegal (Aug 27, 2003)

Please post the contents of the *avenger.txt* file so we can see what went wrong.


----------



## peterboy (Dec 15, 2005)

I did that in the other reply. I copied and pasted the results from C:\avenger.txt; here they are again.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqyxcjkx

*******************

Script file located at: \??\C:\pa^fpwoy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\pwcarc.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## peterboy (Dec 15, 2005)

Is this the avenger.txt? Did our signals get crossed again? Hello!


----------



## Cookiegal (Aug 27, 2003)

Sorry, it was a long day. 

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## peterboy (Dec 15, 2005)

That's OK, thanks for replying. I purchased Norton AntiVirus 2006; I think it removed that pwcarc.exe. Should I keep MS AntiSpyware, Ad-Aware SE, SpywareBlaster and SpywareGuard? Do I really need all those? Which ones should I keep? Well, anyway, here are the RootkitRevealer results:

SOFTWARE	0 bytes	Error dumping hive: The system cannot find the file specified.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll:KAVICHS	4/6/2006 3:49 AM	36 bytes	Hidden from Windows API.


----------



## peterboy (Dec 15, 2005)

Is Norton AntiVirus 2006 good?


----------



## Cookiegal (Aug 27, 2003)

There is no one program that will catch everything but Norton is known to be a resource hog. You should keep all of the programs you mentioned.

Please post a new HijackThis log.


----------



## peterboy (Dec 15, 2005)

Should I keep the Norton AntiVirus? And what do you mean exactly by resource hog? It slows down the performance?

Logfile of HijackThis v1.99.1
Scan saved at 4:20:45 AM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Yes, Norton takes up a lot of resources on a computer. If you're not having any problems you should keep it, at least until it expires.


The log looks good now. How's everything running?


----------



## peterboy (Dec 15, 2005)

Everything is running good. The Norton just slowed my PC down a little, but it's fine otherwise. Should I still keep my other spyware programs? Is it necessary to have all of those? Thank you for everything, Cookiegal. Oh yeah, and cute pet you have there.


----------



## peterboy (Dec 15, 2005)

Can you please help me out with my friend's PC? It starts up with errors and it's really slow, and she gets lots of pop-ups. I did some scans with ewido and ActiveScan; here are the results.

Logfile of HijackThis v1.99.1
Scan saved at 9:20:34 PM, on 04/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\qmdsrego.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\kwinnrag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\DOCUME~1\jennifer\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nss5.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmoevk.dll
O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [{0E-E1-1C-C3-ZN}] C:\windows\system32\qmdsrego.exe FI002
O4 - HKLM\..\Run: [zGSl] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinnrag.exe FI002
O4 - HKLM\..\Run: [arcaderockstar] C:\Program Files\ArcadeRockstar\arcaderockstar32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pcrowr.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~2\regclean.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinnrag.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\Program Files\DropSpam\ewwie.dll (file missing)
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\Program Files\DropSpam\ewwie.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconftest/WcnfGroupControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

I


----------



## peterboy (Dec 15, 2005)

This is the ActiveScan; I didn't fit it all in one post.
Incident Status Location

Adware:Adware/QoolAid Not disinfected C:\WINDOWS\SYSTEM32\PCROWR.EXE 
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\jennifer\Start Menu\Programs\Startup\Zeno.lnk 
Adware:adware/deskwizz Not disinfected C:\WINDOWS\dh.ini 
Adware:adware/dropspam Not disinfected C:\PROGRAM FILES\DropSpam 
Potentially unwanted tool:application/funweb Not disinfected C:\PROGRAM FILES\FunWebProducts 
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\MediaGateway 
Potentially unwanted tool:application/myway Not disinfected C:\PROGRAM FILES\MyWay 
Potentially unwanted tool:application/regclean32 Not disinfected C:\PROGRAM FILES\TPT Registry_Cleaner (Trial) 
Potentially unwanted tool:application/winantispyware2006 Not disinfected C:\PROGRAM FILES\WinAntiSpyware 2006 Scanner 
Adware:adware/oemji Not disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common 
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs 
Adware:adware/pacimedia Not disinfected c:\documents and settings\jennifer\favorites\1111 
Spyware:spyware/betterinet Not disinfected Windows Registry 
Potentially unwanted tool:application/zango Not disinfected HKEY_CLASSES_ROOT\CLSID\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} 
Adware:adware/mirar Not disinfected Windows Registry 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][2].txt 
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jennifer\cookies\[email protected][1].txt 
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jennifer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f2473c1-3b0bbac1.zip[BlackBox.class] 
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jennifer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f2473c1-3b0bbac1.zip[VerifierBug.class] 
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jennifer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f2473c1-3b0bbac1.zip[Dummy.class] 
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jennifer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f2473c1-3b0bbac1.zip[Beyond.class] 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/Traffic Marketplace Not disinfected  C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt 
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B7D43904-E464-41B9-8C1D-8E51BE\29951DE1-E67F-43C3-9998-045F85 
Virus:Trj/Deldir.A Not disinfected C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd 
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\pcrowr.exe 
Virus:Trj/Agent.BPC Not disinfected C:\WINDOWS\system32\__delete_on_reboot__kwinnrag.exe 
Adware:Adware/QoolShown Not disinfected C:\WINDOWS\system32\__delete_on_reboot__wuauclt.dll


----------



## peterboy (Dec 15, 2005)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:57:10 PM, 04/07/2006
+ Report-Checksum: EB190176

+ Scan result:

HKLM\SOFTWARE\ALifestyle -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B6E649FA-5461-40d7-AB4D-54FC3C8DB767}\\BandCLSID -> Adware.Generic : Cleaned without backup
HKLM\SOFTWARE\whpbgjb -> Adware.SecondThought : Cleaned without backup
HKU\S-1-5-21-2589269402-3691722185-3906348160-1006\Software\ShopperReports -> Adware.HotBar : Cleaned without backup
HKU\S-1-5-21-2589269402-3691722185-3906348160-1006\Software\ShopperReports\cs -> Adware.HotBar : Cleaned without backup
[1652] C:\WINDOWS\system32\wuauclt.dll -> Downloader.Qoologic.ae : Cleaned without backup
[1268] C:\windows\system32\qmdsrego.exe -> Adware.ZenoSearch : Cleaned without backup
[1308] C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned without backup
[1372] C:\WINDOWS\system32\kwinnrag.exe -> Adware.ZenoSearch : Cleaned without backup
[1752] C:\WINDOWS\system32\wuauclt.dll -> Downloader.Qoologic.ae : Error during cleaning
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Clickbank : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Pro-market : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Revenue : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][1].txt -> TrackingCookie.Click2begin : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\jennifer\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\110B158A-4C3B-4117-B11C-3D2BC6.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\347BF23D-485E-4231-BF24-9CA254.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5218AA95-BA2B-441E-8898-A7E846.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5F5A6DAB-28D4-490C-8623-BC5B85.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6887DCBD-03BB-4936-87D3-3D7C90.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AF7D2071-EFDF-4AA2-A743-62DEE1.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D5C3F33C-04A1-41D5-AD02-65CEFD.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EA3665E0-C794-4EAA-A7AA-AE4D7D.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EA4074AE-0FF3-4C87-B62E-39C372.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EE2D3AD6-B716-4254-83AC-1C5E8B.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EE35340B-A11F-4CD5-8CF7-BA8EF3.asq -> Downloader.Qoologic.ax : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\26F3EEAA-06C4-488D-A231-9761FE\320D00BE-7D0D-429C-B1F2-6CF43F -> Adware.HotBar : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\934925A7-EDDA-4412-B2E5-99B574\484913F6-881C-4750-97C8-92D16E -> Adware.HotSearchBar : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A3AF6E3C-4FE9-427A-BC8D-C7957C\550E8EA5-AA43-405F-A073-44A039 -> Downloader.Qoologic.ae : Cleaned without backup
C:\RECYCLER\S-1-5-21-2589269402-3691722185-3906348160-500\Dc1.exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned without backup
C:\WINDOWS\aae.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\abiaae.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\deskband.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\ABoxInst_int13.exe -> Downloader.VB.ft : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned without backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned without backup
C:\WINDOWS\exactoffer.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\exactoffernew.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\gbinvite.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned without backup
C:\WINDOWS\nexus.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned without backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned without backup
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned without backup
C:\WINDOWS\system32\irssyncd.exe -> Adware.SafeSurfing : Cleaned without backup
C:\WINDOWS\system32\kwinnrag.exe -> Adware.ZenoSearch : Cleaned without backup
C:\WINDOWS\system32\p3lqd9.exe -> Adware.Suggestor : Cleaned without backup
C:\WINDOWS\system32\pusherman.exe -> Dropper.Agent.cj : Cleaned without backup
C:\WINDOWS\system32\qmdsrego.exe -> Adware.ZenoSearch : Cleaned without backup
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned without backup
C:\WINDOWS\system32\vgactl.cpl -> Downloader.Qoologic.ad : Cleaned without backup
C:\WINDOWS\system32\wallpap.exe -> Hijacker.Agent.gp : Cleaned without backup
C:\WINDOWS\system32\WinATS.dll -> Adware.Mirar : Cleaned without backup
C:\WINDOWS\system32\wkbyp.dat -> Downloader.Qoologic.ax : Cleaned without backup
C:\WINDOWS\system32\wuauclt.dll -> Downloader.Qoologic.ae : Cleaned without backup
C:\WINDOWS\system32\zj6n.exe -> Trojan.Runner.h : Cleaned without backup
C:\WINDOWS\tbdr.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\wncedjx.exe -> Downloader.Small.afi : Cleaned without backup
C:\WINDOWS\zgbinvite.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned without backup
C:\WINDOWS\zwinvite.exe -> Trojan.Imiserv.c : Cleaned without backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

peterboy said:


> Everything is running good. The Norton just slowed my PC down a little, but it's fine otherwise. Should I still keep my other spyware programs? Is it necessary to have all of those? Thank you for everything, Cookiegal. Oh yeah, and cute pet you have there.


Please list the anti-spyware programs you have and I'll tell you what to keep and what to remove.

To finish up with this computer, you should now turn System Restore off to flush out all previous restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## Cookiegal (Aug 27, 2003)

For the other computer, please run Blacklight beta in safe mode 
http://www.f-secure.com/blacklight/

Don't let it fix anything but post the log it makes.


----------



## peterboy (Dec 15, 2005)

I have Ad-Aware SE, SpywareGuard, SpywareBlaster and MS AntiSpyware on my PC.


----------



## peterboy (Dec 15, 2005)

I ran into a problem with the BlackLight program: I got a message that this program cannot be used in safe mode, so I just ran it in normal mode. Here are the results:

04/08/06 11:41:38 [Info]: BlackLight Engine 1.0.35 initialized
04/08/06 11:41:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/08/06 11:41:38 [Note]: 7019 4
04/08/06 11:41:38 [Note]: 7005 0
04/08/06 11:41:43 [Note]: 7006 0
04/08/06 11:41:43 [Note]: 7011 1672
04/08/06 11:41:44 [Note]: 7026 0
04/08/06 11:41:44 [Note]: 7026 0
04/08/06 11:41:44 [Note]: 7024 3
04/08/06 11:41:44 [Info]: Hidden process: C:\WINDOWS\system32\pcrowr.exe
04/08/06 11:41:44 [Note]: FSRAW library version 1.7.1015
04/08/06 11:51:03 [Note]: 7007 0


----------



## Cookiegal (Aug 27, 2003)

I would keep all of those programs.


I will post back with further instructions.


----------



## Cookiegal (Aug 27, 2003)

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
Use this URL to copy into the address bar of the Download script window:
*http://metallica.geekstogo.com/MediaGateway.BFU*

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

_If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html_

Post a new HijackThis log please.


----------



## peterboy (Dec 15, 2005)

OK, I hope I did that right.

Logfile of HijackThis v1.99.1
Scan saved at 7:41:06 PM, on 04/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\jennifer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nss5.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmoevk.dll
O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [arcaderockstar] C:\Program Files\ArcadeRockstar\arcaderockstar32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pcrowr.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ybrqhvlj] C:\WINDOWS\system32\hzefipdv.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [KiBYjC38f] C:\WINDOWS\rhhbvn.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [g3Cx] C:\WINDOWS\rhhbvn.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [476X3mX] hsftcmd.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\rhhbvn.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Lwp7RgbsV] gdiptext.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconftest/WcnfGroupControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe


----------



## peterboy (Dec 15, 2005)

Did our signals get crossed again?


----------



## Cookiegal (Aug 27, 2003)

No, not this time.  

I'm working on this and will post back with instructions shortly.


----------



## Cookiegal (Aug 27, 2003)

Before proceeding, you need to disable Microsoft AntiSpyware's real-time protection as it may interfere with the fix.

Open Microsoft AntiSpyware.

Click on Tools, Settings. In the left pane, click on Real-time Protection.

Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).

Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).

After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

*Click here* to download *LQfix.exe* and Save it to your desktop.

Doubleclick LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.
When it is finished, come back here and post a new Hijack This log.

*Click Here* and download Killbox and save it to your desktop but dont run it yet.

Go to Control Panel - Add/Remove Programs and remove any of these you find there:

*Eacceleration or
Acceleration software
AWS (WeatherBug)
ArcadeRockstar
FunWebProducts
MyWay
SurfMonkey
AWS (WeatherBug)*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nss5.dll

O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmoevk.dll

O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll

O4 - HKLM\..\Run: [arcaderockstar] C:\Program Files\ArcadeRockstar\arcaderockstar32.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pcrowr.exe reg_run

O4 - HKLM\..\Run: [ybrqhvlj] C:\WINDOWS\system32\hzefipdv.exe

O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto

O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k

O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus

O4 - HKLM\..\Run: [KiBYjC38f] C:\WINDOWS\rhhbvn.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe

O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe

O4 - HKLM\..\Run: [g3Cx] C:\WINDOWS\rhhbvn.exe

O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [476X3mX] hsftcmd.exe

O4 - HKLM\..\Run: [-
] C:\WINDOWS\rhhbvn.exe

O4 - HKCU\..\Run: [Lwp7RgbsV] gdiptext.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconft...oupControl.cab

O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
*

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\SYSTEM32\PCROWR.EXE

C:\Documents and Settings\jennifer\Start Menu\Programs\Startup\Zeno.lnk

C:\WINDOWS\dh.ini

C:\PROGRAM FILES\DropSpam

C:\PROGRAM FILES\FunWebProducts

C:\PROGRAM FILES\MediaGateway

C:\PROGRAM FILES\MyWay

C:\PROGRAM FILES\TPT Registry_Cleaner

C:\PROGRAM FILES\WinAntiSpyware 2006 Scanner

C:\PROGRAM FILES\COMMON FILES\Oem Common

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs

c:\documents and settings\jennifer\favorites\1111

C:\Program Files\FunWebProducts

C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd

C:\WINDOWS\system32\__delete_on_reboot__kwinnrag.exe

C:\WINDOWS\system32\__delete_on_reboot__wuauclt.dll

C:\WINDOWS\system32\hzefipdv.exe

C:\Program Files\websx

C:\Program Files\Acceleration Software

C:\Program Files\Common Files\eAcceleration

C:\WINDOWS\rhhbvn.exe

C:\Program Files\ISTsvc

C:\Program Files\Hotbar

C:\WINDOWS\kjberup.exe

C:\WINDOWS\rhhbvn.exe

C:\WINDOWS\gdiptext.exe

C:\WINDOWS\surfmonkey

C:\Program Files\Common Files\eAcceleration

C:\Program Files\AutoUpdate

C:\WINDOWS\hsftcmd.exe

C:\WINDOWS\rhhbvn.exe

C:\WINDOWS\gdiptext.exe

*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally.

Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click *DelDomains.inf* and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Dont forget to re-apply IESpyad and Spybot immunization if you have those programs.

Please post another HijackThis log.


----------
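
The fix list in the post above is built by reading each HijackThis line for a handful of tells: a third-party autorun sitting directly in C:\WINDOWS or system32, a bare file name resolved through the search path, a registration whose file is already gone, a Trusted Zone grant, an ActiveX CAB served from one of those trusted hosts, and a text/html MIME filter. The script below, an added example that is neither part of this thread nor HijackThis's own code, encodes those tells as rules and runs them over a constructed excerpt of the log posted above. The thresholds in looks_random(), the SYSTEM_DIRS assumption that Windows lives in C:\WINDOWS, and the rule wording are mine, not the forum's.

```python
"""Triage a HijackThis 1.99 log: surface the entry classes an analyst reviews first.

Added example, not part of the thread and not HijackThis code. SAMPLE_LOG is a
constructed excerpt of lines from the log posted above; SYSTEM_DIRS assumes the
default install location. looks_random() is a crude heuristic, not a verdict.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yvakt Class - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - C:\WINDOWS\system32\y7xnyala7.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pcrowr.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KiBYjC38f] C:\WINDOWS\rhhbvn.exe
O4 - HKLM\..\Run: [g3Cx] C:\WINDOWS\rhhbvn.exe
O4 - HKLM\..\Run: [476X3mX] hsftcmd.exe
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\system32\y7xnyala7.dll
"""


def looks_random(name):
    """Gibberish check for a Run value name: almost no vowels, or a 5+ consonant run."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2 or re.search(r"[^aeiou]{5,}", letters) is not None


def command_target(command):
    """Executable launched by an O4 command; for a rundll32 host, the DLL it loads."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll|cpl|scr))(?=[\s,]|$)', command, re.I)
    target = (m.group(1) or m.group(2)) if m else command.strip()
    if m and target.lower().endswith("rundll32.exe"):
        arg = re.match(r'"([^"]+)"|([^,\s]+)', command[m.end():].strip())
        if arg:
            return arg.group(1) or arg.group(2)
    return target


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def hook_dll(line):
    """DLL path at the tail of an O2 BHO or O18 filter line."""
    return line.rsplit(" - ", 1)[1].replace("(file missing)", "").strip().lower()


def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = {}

    def flag(line, reason):
        findings.setdefault(line, []).append(reason)

    # Pass 1: facts the per-entry rules correlate against (trusted hosts, repeated targets).
    trusted = set()
    for ln in lines:
        if ln.startswith("O15 - Trusted Zone: "):
            entry = ln.split(": ", 1)[1].split(" (")[0]
            host = urlparse(entry).hostname if "://" in entry else entry.lstrip("*.")
            trusted.add((host or "").lower())
            flag(ln, "Trusted Zone entry: this site gets IE's relaxed security settings")
    runs = []
    for ln in lines:
        m = re.match(r"O4 - .*?: \[(.*?)\] (.*)", ln)
        if m:
            runs.append((ln, m.group(1), command_target(m.group(2))))
    run_targets = Counter(t.lower() for _, _, t in runs)
    hooks = Counter(hook_dll(ln) for ln in lines if ln.startswith(("O2 - ", "O18 - Filter")))

    # Pass 2: per-entry rules.
    for ln in lines:
        if "(file missing)" in ln:
            flag(ln, "dangling reference: the registration survived but the file is gone")
        if ln.startswith(("O2 - ", "O18 - Filter")):
            dll = hook_dll(ln)
            if parent_dir(dll) in SYSTEM_DIRS:
                flag(ln, "IE hook DLL sitting directly in a system directory")
            if hooks[dll] > 1:
                flag(ln, "same DLL registered under more than one IE hook")
        if ln.startswith("O18 - Filter: text/html"):
            flag(ln, "text/html MIME filter: can rewrite every page before IE renders it")
        if ln.startswith("O16 - DPF:"):
            host = (urlparse(ln.rsplit(" - ", 1)[1]).hostname or "").lower()
            if any(host == t or host.endswith("." + t) for t in trusted):
                flag(ln, f"ActiveX download host {host} is also in the Trusted Zone")
    for ln, name, target in runs:
        if "\\" not in target:
            flag(ln, "bare file name: resolved through the search path, not a fixed location")
        elif parent_dir(target) in SYSTEM_DIRS:
            flag(ln, "third-party autorun living directly in a system directory")
        if looks_random(name):
            flag(ln, f"Run value name '{name}' looks machine-generated")
        if run_targets[target.lower()] > 1:
            flag(ln, "same binary registered under more than one Run value")
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("\n    -> " + r for r in reasons))
```

Run it and the QuickTime, Acrobat and WGA lines come through clean, while the rhhbvn.exe pair, the bare hsftcmd.exe, the y7xnyala7.dll BHO plus its text/html filter, and the two CABs served from Trusted Zone hosts are flagged. What it cannot do is name eAcceleration or Hotbar as adware: that half of the fix list comes from knowing the vendor, which is why the post pairs the HijackThis fixes with Add/Remove Programs.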



## peterboy (Dec 15, 2005)

OK, I'm ready. I hope I'm doing good. When I do msconfig, in Startup there are a lot of weird things there; let me name some for you: ojgq, regclean, spyspotter, weather on a tray, registryrepairpro, zeno (and there's 2 with some square boxes). Thank you for your time :up:

Logfile of HijackThis v1.99.1
Scan saved at 7:40:41 PM, on 04/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\jennifer\My Documents\SET UP'S\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pcrowr.exe reg_run
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe


----------



## Cookiegal (Aug 27, 2003)

Please go back into msconfig and put a check mark beside everything that's there and post a new log (but do NOT reboot).


----------



## peterboy (Dec 15, 2005)

OK, sorry about that. Here's the log. Thanks for your time.

Logfile of HijackThis v1.99.1
Scan saved at 9:33:17 AM, on 04/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\jennifer\My Documents\SET UP'S\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=???
?
F3 - REG:win.ini: run=???
?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinnrag.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and have it fix these entries:

F3 - REG:win.ini: load=???
?

F3 - REG:win.ini: run=???
?

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe

O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinnrag.exe

Boot to safe mode and run killbox on these items:

*C:\Program Files\Hotbar*

*C:\PROGRA~1\SPYSPOTTER*

*C:\WINDOWS\system32\kwinnrag.exe*

Reboot and post another HijackThis log please.


----------



## peterboy (Dec 15, 2005)

OK, I'm ready.

Logfile of HijackThis v1.99.1
Scan saved at 12:25:24 AM, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\jennifer\My Documents\SET UP'S\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\awvvu.dll
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvvu - C:\WINDOWS\SYSTEM32\awvvu.dll


----------



## Cookiegal (Aug 27, 2003)

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Put a check next to *Run VundoFix as a task.*
You will receive a message saying VundoFix will close and re-open in a minute or less. Click *OK*.
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files; click *YES*.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HijackThis log.

You also need to replace your Sun Java with the newest version:

Go to Add/Remove programs and uninstall this:

*Java 2 Runtime Environment, SE v1.4.2*

Now go *here* and install the latest version of Java.
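As an added example (not code from this thread, from HijackThis or from VundoFix), here is a small Python triage script that encodes the checks the helper applied by hand in the two fix lists above: entries whose file is gone ("(file missing)" / "(no file)"), unnamed BHOs and toolbars, startup items launched straight out of system32 (the kwinnrag.exe case), and a Winlogon Notify DLL that is also registered as a BHO, which is the awvvu.dll pairing that led to the VundoFix step. The sample log lines are constructed from entries posted in this thread; the system32 allowlist (`ctfmon.exe`) is an assumption.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from the thread, from HijackThis
or from VundoFix. It lists entries a reviewer should look at; it does not
decide what to fix.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format HijackThis v1.99.1 prints; the lines
# echo entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\awvvu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinnrag.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\SYSTEM32\awvvu.dll
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\system32\gebcb.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# First executable-looking path in an unquoted Run value (stops before any switches).
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.I)
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumption: a tiny allowlist of system32 binaries that legitimately autostart.
SYSTEM32_ALLOW = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def _target_path(sec: str, body: str):
    """Return the file path an O2/O3/O4/O20 entry points at, or None."""
    if sec in ("O2", "O3", "O20"):
        # "...- {CLSID} - path" or "Winlogon Notify: name - path"
        path = body.rsplit(" - ", 1)[-1]
        for marker in ORPHAN_MARKERS:
            path = path.replace(marker, "")
        path = path.strip()
        return path or None
    if sec == "O4":
        rest = body.partition(": ")[2]
        if rest.startswith("["):                      # registry Run value: [name] command
            rest = rest.split("] ", 1)[-1]
            if rest.startswith('"'):
                return rest[1:].split('"', 1)[0]
            m = EXE_RE.match(rest)
            return m.group(1) if m else rest.split()[0]
        if " = " in rest:                             # Startup-folder shortcut: x.lnk = target
            target = rest.split(" = ", 1)[1].strip()
            return None if target == "?" else target
    return None


def triage(log_text: str):
    """Parse HijackThis log text and return the entries worth a second look."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"], raw.strip()))

    # First pass: basenames of every DLL registered as a Browser Helper Object.
    bho_dlls = set()
    for sec, body, _ in entries:
        if sec == "O2":
            path = _target_path(sec, body)
            if path:
                bho_dlls.add(_basename(path))

    findings = []
    for sec, body, raw in entries:
        if any(mk in body for mk in ORPHAN_MARKERS):
            findings.append(Finding(sec, "orphaned entry: target file is gone", raw))
        if sec in ("O2", "O3") and "(no name)" in body:
            findings.append(Finding(sec, "unnamed BHO/toolbar", raw))
        if sec == "O20":
            path = _target_path(sec, body)
            if path and _basename(path) in bho_dlls:
                findings.append(Finding(sec, f"Winlogon Notify DLL {_basename(path)} is also loaded as a BHO", raw))
        if sec == "O4":
            path = _target_path(sec, body)
            if path and "\\system32\\" in path.lower() and _basename(path) not in SYSTEM32_ALLOW:
                findings.append(Finding(sec, "autostart item launches directly from system32", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a script to print the flagged lines, or call `triage()` on the text of a saved log. The rules only surface candidates; as in this thread, the call on what to remove still rests with someone reading the whole log, and a benign "(file missing)" leftover (the msnim protocol handler in the logs above) will show up alongside the real problems.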


----------



## peterboy (Dec 15, 2005)

Hello, thanks for your time. Here are the results:

VundoFix V4.2.57

Checking Java version...

Java version is 1.5.0.3

Scan started at 1:37:48 PM 4/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\gebcb.dll
Attempting to delete C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gebcb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 1:47:04 PM, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SysProtect\syp.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\jennifer\My Documents\SET UP'S\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\system32\gebcb.dll (file missing)
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


----------



## Cookiegal (Aug 27, 2003)

Rescan and have HijackThis fix this entry:

O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\system32\gebcb.dll (file missing)


Reboot and post another HijackThis log please.


----------



## peterboy (Dec 15, 2005)

OK, I'm ready. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 4:14:18 AM, on 04/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jennifer\My Documents\SET UP'S\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRA~1\EARTHL~1\TaskPanl.exe" -winstart
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Looksitup Toolbar - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


----------



## peterboy (Dec 15, 2005)

Hello, maybe our signals got crossed again?


----------



## Cookiegal (Aug 27, 2003)

The log looks good. How are things running?


----------



## peterboy (Dec 15, 2005)

Yes, it's running well. Big difference: no more pop-ups, nothing. Thank you so much for your time, you're awesome. Is there anything else I need to do?


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*, then *All Programs*, *Accessories*, *System Tools*, and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## peterboy (Dec 15, 2005)

OK, thanks, I'm done with that PC, thank you so much! But my PC has been attacked again. I was surfing the net and got infected somehow. I get a message saying "your PC is infected with virus activities, critical system error, your system has detected spyware", something like that. I tried Norton and nothing, it didn't detect anything. So here are the ActiveScan results and my HijackThis log, please help as soon as possible.

Logfile of HijackThis v1.99.1
Scan saved at 7:23:16 PM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hpBF15.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Incident Status Location

Adware:adware/emediacodec Not disinfected C:\WINDOWS\System32\nvctrl.exe  
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\interf.tlb 
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico 
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\Download 
Adware:adware/block-checker Not disinfected Windows Registry 
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} 
Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287} 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.adultfriendfinder.com/] 
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.cs.sexcounter.com/] 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.azjmp.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/RealMedia  Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.zedo.com/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.peel.com/] 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.toplist.cz/] 
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.as-us.falkag.net/] 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.webpower.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[server.iad.liveperson.net/hc/1698736] 
Spyware:Cookie/Server.iad.Liveperson  Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[.adrevolver.com/] 
Adware:Adware/PurityScan Not disinfected C:\!KillBox\Yazzle Sudoku\uninstaller.exe 
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[1698736] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Karen Granger\Application Data\Mozilla\Firefox\Profiles\117brzcj.default\cookies.txt[] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected]mp[1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][1].txt 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Karen Granger\Cookies\karen [email protected][2].txt 
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ldD8AF.tmp


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


----------



## peterboy (Dec 15, 2005)

OK, I'm ready. Thanks for your reply, here are the results. Thank you for your help, you are a life saver!

SmitFraudFix v2.33b

Scan done at 20:46:25.34, Wed 04/19/2006
Run from C:\Documents and Settings\Karen Granger\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\casino.ico FOUND !
C:\WINDOWS\system32\interf.tlb FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\mssearchnet.exe FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\nvctrl.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\xenadot.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Karen Granger\Application Data

C:\Documents and Settings\Karen Granger\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"

[HKEY_CLASSES_ROOT\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\System32\xenadot.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\System32\xenadot.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 8:50:08 PM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hpB16D.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non-infected computer will remove your Desktop background.


----------



## peterboy (Dec 15, 2005)

Yup, I think that got it, no more of those annoying error messages :up: Well, here are the results, I hope I did it right.

SmitFraudFix v2.33b

Scan done at 18:03:35.21, Thu 04/20/2006
Run from C:\Documents and Settings\Karen Granger\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\casino.ico Deleted
C:\WINDOWS\system32\interf.tlb Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\mssearchnet.exe Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\nvctrl.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\xenadot.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Documents and Settings\Karen Granger\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 6:22:51 PM, on 4/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\Documents and Settings\Karen Granger\My Documents\set ups\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~3\InternetShield.exe -CheckStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133829558718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

The log looks fine.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## peterboy (Dec 15, 2005)

Hi Cookiegal, everything is running great, thanks for all your help. I have an older desktop, it's an HP 400MHz Win98, it's running real slow and freezing up. I did a scan with Kaspersky and got a whole lot of viruses, can you check this out for me please? Thank you so much in advance.

Logfile of HijackThis v1.99.1
Scan saved at 12:17:14 AM, on 1/2/88
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\KDCAZ.EXE
C:\PROGRAM FILES\TUSL\RSSA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS G\AIRPLUS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\XITGO.EXE
C:\WINDOWS\SYSTEM\JXIMO.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O2 - BHO: (no name) - {A4002649-CFA2-CF53-FE78-BEC9D9B46B95} - C:\WINDOWS\SYSTEM\FKCA.DLL (file missing)
O2 - BHO: (no name) - {942D163D-E2E4-8B60-D34C-FCE4EEF046A3} - C:\WINDOWS\SYSTEM\FKCA.DLL (file missing)
O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O2 - BHO: (no name) - {9A254F6E-EDEC-DC3A-D34C-FCE4EEF046A3} - C:\WINDOWS\SYSTEM\FKCA.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {89701637-F3DD-A076-D0EA-D70FA5E74EC1} - C:\WINDOWS\SYSTEM\RTYFEYCV.DLL
O2 - BHO: (no name) - {B95D2643-DE9B-E445-FDDE-952292A363F7} - C:\WINDOWS\SYSTEM\RTYFEYCV.DLL
O2 - BHO: (no name) - {E60C2145-8793-B341-FDDE-952292A363F6} - C:\WINDOWS\SYSTEM\RTYFEYCV.DLL
O2 - BHO: (no name) - {D6211131-AAD5-F772-D0EA-D70FA5E74EC0} - C:\WINDOWS\SYSTEM\RTYFEYCV.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [5N4X2HT2EE2RQN] C:\WINDOWS\SYSTEM\VchsZRoq.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [I4dovnnm] C:\WINDOWS\TEMP\I4DOVNNM.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [bet] C:\WINDOWS\bet.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKCU\..\Run: [Bbe] C:\WINDOWS\SYSTEM\kdcaz.exe
O4 - HKCU\..\Run: [Nasr] C:\Program Files\tusl\rssa.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

Scan process completed.


----------



## khazars (Feb 15, 2004)

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  * Sweep Memory
  * Sweep Registry
  * Sweep Cookies
  * Sweep All User Accounts
  * Enable Direct Disk Sweeping
  * Sweep Contents of Compressed Files
  * Sweep for Rootkits
  * Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

After running SpySweeper, run these scans!

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  * If you use Firefox:
    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  * If you use Opera:
    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Go to this site and download these tools, and once you have both Adaware SE 1.6 and Spybot, update both of them.

Set Adaware to do a full system scan and deselect "search for negligible risk entries". Click Next to start the scan. Delete everything Adaware finds.

Reboot and now run Spybot.

Spybot: Search and Destroy.

Delete what Spybot finds marked in red. After updating Spybot, hit the Immunize button.

Reboot again.

Go here and download Microsoft® Windows Defender. First, in the top menu, click File then Check for updates to download the definitions updates.

After updating, look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options. In that window put a tick by Run a full system scan and then put a check by all three options below that, then click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it quarantine the items that have that option rather than delete, just in case. It is a beta program and there may be false positives).

Restart your computer.

All tools can be downloaded at the link below and found on that page!

* SpyBot Search and Destroy
* AdAware SE Personal

http://www.majorgeeks.com/downloads31.html

Note: this is a stand-alone, it doesn't install to start/programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe

Double-click on it and it will extract to C:\kaspersky. Click on the kaspersky folder and click on Kavupd; a black DOS window will open and it will update the programme for you. Be patient, it will take 5-10 minutes to download the new definitions. Once it's updated, click on mwavscan to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders 
services

Choose drive, all drives, and click scan all files and then click scan/clean. After it finishes scanning and cleaning, post the log here with a new HijackThis log.

Note: this is a very thorough scanner; it might take anything up to an hour or more, depending on how many drives you have and how badly infected your PC is.

Highlight the portion of the scan that lists infected items and hold CTRL + C to copy, then paste it here. The whole log will be extremely big so there is no way to copy the whole thing. I just need the infected items list.

http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=7592

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

Post another HijackThis log, the SpySweeper, Mwav, and the Kaspersky scan logs.
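
Not part of khazars' reply or of any of the tools it names: an added Python script that pulls the "infected items list" the reply asks for out of a Kaspersky-style scan log, groups it by detection name and by file on disk (members flagged inside an NSIS/Inno/ZIP container collapse onto the container file), and separately lists the locked objects the scanner could not open. The sample log lines are constructed; the file names are made up, the detection names are ones seen in the thread.

```python
import re
from collections import Counter

# Constructed sample in the same "<path> <verdict> skipped" shape as the
# Kaspersky log pasted above. File names are made up; the detection names are
# ones that appear in the thread. Archive members show up as "<file>/<member>".
SAMPLE_LOG = r"""
c:\WINDOWS\SYSTEM\sample1.exe Infected: Trojan-Downloader.Win32.VB.em skipped
c:\WINDOWS\SYSTEM\sample2.exe Infected: Trojan-Downloader.Win32.VB.em  skipped
c:\WINDOWS\SYSTEM\installer.exe/data0001 Infected: Trojan-Downloader.Win32.Keenval.o skipped
c:\WINDOWS\SYSTEM\installer.exe NSIS: infected - 1 skipped
c:\WINDOWS\TEMP\bundle.exe/data0002/data0004 Infected: Backdoor.Win32.VB.oq skipped
c:\WINDOWS\Cookies\index.dat Object is locked skipped
c:\WINDOWS\backup\saved.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
"""

# "<path> Infected: <name> skipped" or "<path> Suspicious: <name> skipped".
# The tail is matched with \s+ because the original log sometimes has two
# spaces before "skipped".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)\s+skipped$"
)
# Files the scanner could not open; they need a rescan from safe mode.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def parse_scan_log(text):
    """Return (detections, locked).

    detections: list of (file_on_disk, member_or_None, verdict, name).
    Container summary lines ("NSIS: infected - 1 skipped") are ignored; the
    member lines already name the file that has to be removed.
    """
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            # Archive members are written "<file>/<member>"; the Windows path
            # itself uses backslashes, so the first "/" starts the member name.
            file_on_disk, _, member = m.group("path").partition("/")
            detections.append((file_on_disk, member or None,
                               m.group("verdict"), m.group("name")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return detections, locked


def triage(text):
    """Summarise a log: counts per detection name, files to remove, locked objects."""
    detections, locked = parse_scan_log(text)
    return {
        "detections": len(detections),
        "by_name": dict(Counter(d[3] for d in detections)),
        # One entry per file on disk, however many members were flagged in it.
        "files_to_remove": sorted({d[0] for d in detections}),
        "locked": locked,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['detections']} detections in {len(summary['files_to_remove'])} files")
    for name, count in sorted(summary["by_name"].items()):
        print(f"  {count:3d}  {name}")
    print("files to remove:")
    for path in summary["files_to_remove"]:
        print("  " + path)
    print("locked (rescan from safe mode):")
    for path in summary["locked"]:
        print("  " + path)
```

Feed it the real log by reading the file instead of SAMPLE_LOG; the `locked` list is the set of objects a scan from safe mode still needs to cover.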


----------

