HiJack Log


23 replies to this topic

#1 uukelly (Members, 18 posts)

Posted 18 March 2005 - 07:02 PM

My PC is a mess. I run a current version of Norton AntiVirus and BlackICE, and last week all kinds of IE windows started popping up. I ran HijackThis based on someone's recommendation, but I'm an amateur on PCs and am not sure what to remove. I am attaching the entire log and hope you can guide me through what needs to be removed.
Thank you so much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 6:42:58 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Ver.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\tmp31.tmp
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jean\Application Data\Mozilla\Profiles\default\b1rfknvs.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ctp] C:\WINDOWS\Ver.exe
O4 - HKLM\..\Run: [Vgn] C:\WINDOWS\System32\Fhr.exe
O4 - HKLM\..\Run: [Egt] C:\WINDOWS\Cvr.exe
O4 - HKLM\..\Run: [Kui] C:\WINDOWS\System32\Qfs.exe
O4 - HKLM\..\Run: [Abp] C:\WINDOWS\System32\Rae.exe
O4 - HKLM\..\Run: [Asn] C:\WINDOWS\System32\Mui.exe
O4 - HKLM\..\Run: [Cje] C:\WINDOWS\System32\Tcb.exe
O4 - HKLM\..\Run: [Sjr] C:\WINDOWS\System32\Fhn.exe
O4 - HKLM\..\Run: [Ucv] C:\WINDOWS\System32\Vco.exe
O4 - HKLM\..\Run: [Jme] C:\WINDOWS\Spi.exe
O4 - HKLM\..\Run: [Med] C:\WINDOWS\Uvb.exe
O4 - HKLM\..\Run: [Cdo] C:\WINDOWS\Vge.exe
O4 - HKLM\..\Run: [Cum] C:\WINDOWS\System32\Lfd.exe
O4 - HKLM\..\Run: [Lii] C:\WINDOWS\System32\Unn.exe
O4 - HKLM\..\Run: [Gid] C:\WINDOWS\Hmu.exe
O4 - HKLM\..\Run: [Ovh] C:\WINDOWS\System32\Jpa.exe
O4 - HKLM\..\Run: [Kru] C:\WINDOWS\System32\Aqt.exe
O4 - HKLM\..\Run: [Jpr] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Ikc] C:\WINDOWS\System32\Fsu.exe
O4 - HKLM\..\Run: [Obu] C:\WINDOWS\System32\Ktq.exe
O4 - HKLM\..\Run: [Cbd] C:\WINDOWS\Nbp.exe
O4 - HKLM\..\Run: [Tnb] C:\WINDOWS\Obs.exe
O4 - HKLM\..\Run: [Bpo] C:\WINDOWS\System32\Fqf.exe
O4 - HKLM\..\Run: [Qeb] C:\WINDOWS\System32\Hkv.exe
O4 - HKLM\..\Run: [Hdt] C:\WINDOWS\System32\Bub.exe
O4 - HKLM\..\Run: [Ndv] C:\WINDOWS\Jrs.exe
O4 - HKLM\..\Run: [Tli] C:\WINDOWS\Rhi.exe
O4 - HKLM\..\Run: [Hgk] C:\WINDOWS\Gmq.exe
O4 - HKLM\..\Run: [Dna] C:\WINDOWS\System32\Mmq.exe
O4 - HKLM\..\Run: [Dbi] C:\WINDOWS\Uvb.exe
O4 - HKLM\..\Run: [Hjr] C:\WINDOWS\System32\Ntp.exe
O4 - HKLM\..\Run: [Ekr] C:\WINDOWS\Gmk.exe
O4 - HKLM\..\Run: [Fpj] C:\WINDOWS\Sio.exe
O4 - HKLM\..\Run: [Sme] C:\WINDOWS\Gao.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\System32\Knm.exe
O4 - HKLM\..\Run: [Hif] C:\WINDOWS\Alt.exe
O4 - HKLM\..\Run: [Ugf] C:\WINDOWS\System32\Aho.exe
O4 - HKLM\..\Run: [Sjk] C:\WINDOWS\Gcb.exe
O4 - HKLM\..\Run: [Ert] C:\WINDOWS\Cnr.exe
O4 - HKLM\..\Run: [Mjl] C:\WINDOWS\System32\Tib.exe
O4 - HKLM\..\Run: [Akl] C:\WINDOWS\Hql.exe
O4 - HKLM\..\Run: [Elr] C:\WINDOWS\Erc.exe
O4 - HKLM\..\Run: [Prc] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Fde] C:\WINDOWS\Tic.exe
O4 - HKLM\..\Run: [Ghg] C:\WINDOWS\Hbf.exe
O4 - HKLM\..\Run: [Vfp] C:\WINDOWS\Bpi.exe
O4 - HKLM\..\Run: [Uke] C:\WINDOWS\System32\Lje.exe
O4 - HKLM\..\Run: [Mlp] C:\WINDOWS\Okh.exe
O4 - HKLM\..\Run: [Ppf] C:\WINDOWS\System32\Qud.exe
O4 - HKLM\..\Run: [Jms] C:\WINDOWS\Ieu.exe
O4 - HKLM\..\Run: [Qop] C:\WINDOWS\System32\Frj.exe
O4 - HKLM\..\Run: [Gac] C:\WINDOWS\System32\Uhs.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\Sim.exe
O4 - HKLM\..\Run: [Fet] C:\WINDOWS\System32\Mmn.exe
O4 - HKLM\..\Run: [Inj] C:\WINDOWS\Ktd.exe
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\Gkf.exe
O4 - HKLM\..\Run: [Eeb] C:\WINDOWS\System32\Pqq.exe
O4 - HKLM\..\Run: [Uln] C:\WINDOWS\Qna.exe
O4 - HKLM\..\Run: [Oqg] C:\WINDOWS\System32\Jke.exe
O4 - HKLM\..\Run: [Nge] C:\WINDOWS\Jgh.exe
O4 - HKLM\..\Run: [Ivu] C:\WINDOWS\System32\Nhv.exe
O4 - HKLM\..\Run: [Daf] C:\WINDOWS\Nal.exe
O4 - HKLM\..\Run: [Htp] C:\WINDOWS\Vli.exe
O4 - HKLM\..\Run: [Eov] C:\WINDOWS\System32\Asi.exe
O4 - HKLM\..\Run: [Ttb] C:\WINDOWS\System32\Uhc.exe
O4 - HKLM\..\Run: [Ejv] C:\WINDOWS\Aut.exe
O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Ide.exe
O4 - HKLM\..\Run: [Gti] C:\WINDOWS\System32\Cjd.exe
O4 - HKLM\..\Run: [Oiq] C:\WINDOWS\Sku.exe
O4 - HKLM\..\Run: [Hmm] C:\WINDOWS\System32\Ksp.exe
O4 - HKLM\..\Run: [Nhj] C:\WINDOWS\System32\Hvb.exe
O4 - HKLM\..\Run: [Hii] C:\WINDOWS\System32\Lvv.exe
O4 - HKLM\..\Run: [Ojf] C:\WINDOWS\Tvh.exe
O4 - HKLM\..\Run: [Ctt] C:\WINDOWS\Feo.exe
O4 - HKLM\..\Run: [Osd] C:\WINDOWS\System32\Sta.exe
O4 - HKLM\..\Run: [Tpn] C:\WINDOWS\System32\Lkd.exe
O4 - HKLM\..\Run: [Csv] C:\WINDOWS\System32\Fqp.exe
O4 - HKLM\..\Run: [Lkf] C:\WINDOWS\Nqn.exe
O4 - HKLM\..\Run: [Uav] C:\WINDOWS\Ikb.exe
O4 - HKLM\..\Run: [Jtb] C:\WINDOWS\System32\Clv.exe
O4 - HKLM\..\Run: [Dgp] C:\WINDOWS\System32\Jkk.exe
O4 - HKLM\..\Run: [Ore] C:\WINDOWS\Ctl.exe
O4 - HKLM\..\Run: [Rmc] C:\WINDOWS\Tgh.exe
O4 - HKLM\..\Run: [Neu] C:\WINDOWS\System32\Qks.exe
O4 - HKLM\..\Run: [Sgg] C:\WINDOWS\Tcd.exe
O4 - HKLM\..\Run: [Ats] C:\WINDOWS\Olr.exe
O4 - HKLM\..\Run: [Bov] C:\WINDOWS\System32\Mff.exe
O4 - HKLM\..\Run: [Ddf] C:\WINDOWS\Ikf.exe
O4 - HKLM\..\Run: [Rut] C:\WINDOWS\Jiu.exe
O4 - HKLM\..\Run: [Nus] C:\WINDOWS\Jdb.exe
O4 - HKLM\..\Run: [Aif] C:\WINDOWS\Lon.exe
O4 - HKLM\..\Run: [Emq] C:\WINDOWS\Soq.exe
O4 - HKLM\..\Run: [Hai] C:\WINDOWS\System32\Kkk.exe
O4 - HKLM\..\Run: [Fsj] C:\WINDOWS\Ant.exe
O4 - HKLM\..\Run: [Oao] C:\WINDOWS\Enr.exe
O4 - HKLM\..\Run: [Thr] C:\WINDOWS\Bdi.exe
O4 - HKLM\..\Run: [Dil] C:\WINDOWS\Lir.exe
O4 - HKLM\..\Run: [Mod] C:\WINDOWS\Umg.exe
O4 - HKLM\..\Run: [Brv] C:\WINDOWS\System32\Uhk.exe
O4 - HKLM\..\Run: [Fcu] C:\WINDOWS\Cla.exe
O4 - HKLM\..\Run: [Qlr] C:\WINDOWS\Mbf.exe
O4 - HKLM\..\Run: [Gcq] C:\WINDOWS\Qmg.exe
O4 - HKLM\..\Run: [Kbq] C:\WINDOWS\System32\Irf.exe
O4 - HKLM\..\Run: [Fdv] C:\WINDOWS\Ctb.exe
O4 - HKLM\..\Run: [Dhu] C:\WINDOWS\System32\Mqe.exe
O4 - HKLM\..\Run: [Lvd] C:\WINDOWS\Nhe.exe
O4 - HKLM\..\Run: [Raq] C:\WINDOWS\System32\Ses.exe
O4 - HKLM\..\Run: [Ukr] C:\WINDOWS\System32\Fia.exe
O4 - HKLM\..\Run: [Kkq] C:\WINDOWS\Qtd.exe
O4 - HKLM\..\Run: [Bog] C:\WINDOWS\System32\Urj.exe
O4 - HKLM\..\Run: [Qsi] C:\WINDOWS\System32\Ptq.exe
O4 - HKLM\..\Run: [Nqj] C:\WINDOWS\System32\Ufc.exe
O4 - HKLM\..\Run: [Kvh] C:\WINDOWS\Odi.exe
O4 - HKLM\..\Run: [Nla] C:\WINDOWS\Lau.exe
O4 - HKLM\..\Run: [Jls] C:\WINDOWS\System32\Gnk.exe
O4 - HKLM\..\Run: [Jge] C:\WINDOWS\System32\Jhs.exe
O4 - HKLM\..\Run: [Dms] C:\WINDOWS\System32\Moe.exe
O4 - HKLM\..\Run: [Kpq] C:\WINDOWS\Jbs.exe
O4 - HKLM\..\Run: [Tpm] C:\WINDOWS\Ivr.exe
O4 - HKLM\..\Run: [Pvt] C:\WINDOWS\System32\Fpm.exe
O4 - HKLM\..\Run: [Pds] C:\WINDOWS\Aes.exe
O4 - HKLM\..\Run: [Jcl] C:\WINDOWS\System32\Omd.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Pmi.exe
O4 - HKLM\..\Run: [Pbs] C:\WINDOWS\System32\Ugd.exe
O4 - HKLM\..\Run: [Lgb] C:\WINDOWS\Fsc.exe
O4 - HKLM\..\Run: [Uij] C:\WINDOWS\System32\Pou.exe
O4 - HKLM\..\Run: [Sjd] C:\WINDOWS\Hpv.exe
O4 - HKLM\..\Run: [Tqv] C:\WINDOWS\Qgq.exe
O4 - HKLM\..\Run: [Nkj] C:\WINDOWS\Lin.exe
O4 - HKLM\..\Run: [Ogp] C:\WINDOWS\Qpo.exe
O4 - HKLM\..\Run: [Tke] C:\WINDOWS\Pfg.exe
O4 - HKLM\..\Run: [Omq] C:\WINDOWS\Him.exe
O4 - HKLM\..\Run: [Ahm] C:\WINDOWS\Pda.exe
O4 - HKLM\..\Run: [Csi] C:\WINDOWS\System32\Rvr.exe
O4 - HKLM\..\Run: [Ibp] C:\WINDOWS\System32\Aon.exe
O4 - HKLM\..\Run: [Epi] C:\WINDOWS\Ogd.exe
O4 - HKLM\..\Run: [Toj] C:\WINDOWS\System32\Gou.exe
O4 - HKLM\..\Run: [Elv] C:\WINDOWS\Pkv.exe
O4 - HKLM\..\Run: [Cio] C:\WINDOWS\System32\Duh.exe
O4 - HKLM\..\Run: [Cgs] C:\WINDOWS\System32\Tlh.exe
O4 - HKLM\..\Run: [Rmb] C:\WINDOWS\System32\Lip.exe
O4 - HKLM\..\Run: [Red] C:\WINDOWS\System32\Uvn.exe
O4 - HKLM\..\Run: [Sai] C:\WINDOWS\System32\Pao.exe
O4 - HKLM\..\Run: [Vpg] C:\WINDOWS\System32\Hii.exe
O4 - HKLM\..\Run: [Epj] C:\WINDOWS\System32\Ird.exe
O4 - HKLM\..\Run: [Bnd] C:\WINDOWS\System32\Khu.exe
O4 - HKLM\..\Run: [Hou] C:\WINDOWS\Sqg.exe
O4 - HKLM\..\Run: [Puv] C:\WINDOWS\System32\Euq.exe
O4 - HKLM\..\Run: [Boh] C:\WINDOWS\System32\Rnk.exe
O4 - HKLM\..\Run: [Jff] C:\WINDOWS\Gfv.exe
O4 - HKLM\..\Run: [Hik] C:\WINDOWS\System32\Vss.exe
O4 - HKLM\..\Run: [Ado] C:\WINDOWS\Hur.exe
O4 - HKLM\..\Run: [Oiv] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Vjc] C:\WINDOWS\System32\Jdb.exe
O4 - HKLM\..\Run: [Uju] C:\WINDOWS\System32\Ikv.exe
O4 - HKLM\..\Run: [Sgu] C:\WINDOWS\Sgg.exe
O4 - HKLM\..\Run: [Vpm] C:\WINDOWS\System32\Ljn.exe
O4 - HKLM\..\Run: [Fcc] C:\WINDOWS\System32\Msd.exe
O4 - HKLM\..\Run: [Rrd] C:\WINDOWS\System32\Rvu.exe
O4 - HKLM\..\Run: [Rad] C:\WINDOWS\System32\Ejp.exe
O4 - HKLM\..\Run: [Usl] C:\WINDOWS\Sgc.exe
O4 - HKLM\..\Run: [Eko] C:\WINDOWS\Hee.exe
O4 - HKLM\..\Run: [Rnu] C:\WINDOWS\System32\Rpm.exe
O4 - HKLM\..\Run: [Vht] C:\WINDOWS\Atr.exe
O4 - HKLM\..\Run: [Ikv] C:\WINDOWS\System32\Uvk.exe
O4 - HKLM\..\Run: [Pkm] C:\WINDOWS\Pjl.exe
O4 - HKLM\..\Run: [Jft] C:\WINDOWS\System32\Oki.exe
O4 - HKLM\..\Run: [Onm] C:\WINDOWS\Vpm.exe
O4 - HKLM\..\Run: [Kia] C:\WINDOWS\Rfv.exe
O4 - HKLM\..\Run: [Tmt] C:\WINDOWS\System32\Nsl.exe
O4 - HKLM\..\Run: [Qhh] C:\WINDOWS\System32\Grh.exe
O4 - HKLM\..\Run: [Ric] C:\WINDOWS\Got.exe
O4 - HKLM\..\Run: [Cic] C:\WINDOWS\System32\Trb.exe
O4 - HKLM\..\Run: [Nvc] C:\WINDOWS\Ogc.exe
O4 - HKLM\..\Run: [Dac] C:\WINDOWS\Ljr.exe
O4 - HKLM\..\Run: [Vsl] C:\WINDOWS\System32\Qun.exe
O4 - HKLM\..\Run: [Ekl] C:\WINDOWS\System32\Oum.exe
O4 - HKLM\..\Run: [Lgf] C:\WINDOWS\Kge.exe
O4 - HKLM\..\Run: [Emm] C:\WINDOWS\Hai.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\System32\Ecb.exe
O4 - HKLM\..\Run: [Hjp] C:\WINDOWS\Qfl.exe
O4 - HKLM\..\Run: [Dgv] C:\WINDOWS\System32\Mbi.exe
O4 - HKLM\..\Run: [Ddr] C:\WINDOWS\Qmp.exe
O4 - HKLM\..\Run: [Fcl] C:\WINDOWS\Slt.exe
O4 - HKLM\..\Run: [Bok] C:\WINDOWS\System32\Cej.exe
O4 - HKLM\..\Run: [Vqi] C:\WINDOWS\System32\Jdr.exe
O4 - HKLM\..\Run: [Iqq] C:\WINDOWS\Tho.exe
O4 - HKLM\..\Run: [Qos] C:\WINDOWS\Ngg.exe
O4 - HKLM\..\Run: [Pnk] C:\WINDOWS\Svi.exe
O4 - HKLM\..\Run: [Ulf] C:\WINDOWS\Eak.exe
O4 - HKLM\..\Run: [Vnf] C:\WINDOWS\Gqj.exe
O4 - HKLM\..\Run: [Ivj] C:\WINDOWS\Fdp.exe
O4 - HKLM\..\Run: [Ggj] C:\WINDOWS\System32\Ejd.exe
O4 - HKLM\..\Run: [Dcd] C:\WINDOWS\Ctd.exe
O4 - HKLM\..\Run: [Ihi] C:\WINDOWS\System32\Kib.exe
O4 - HKLM\..\Run: [Lah] C:\WINDOWS\System32\Jjs.exe
O4 - HKLM\..\Run: [Ijr] C:\WINDOWS\System32\Ghr.exe
O4 - HKLM\..\Run: [Hjv] C:\WINDOWS\Gui.exe
O4 - HKLM\..\Run: [Gpp] C:\WINDOWS\Vmn.exe
O4 - HKLM\..\Run: [Rer] C:\WINDOWS\System32\Cne.exe
O4 - HKLM\..\Run: [Efd] C:\WINDOWS\System32\Pnp.exe
O4 - HKLM\..\Run: [Com] C:\WINDOWS\System32\Kcj.exe
O4 - HKLM\..\Run: [Oce] C:\WINDOWS\Hug.exe
O4 - HKLM\..\Run: [Fnl] C:\WINDOWS\System32\Ceq.exe
O4 - HKLM\..\Run: [Alo] C:\WINDOWS\Ior.exe
O4 - HKLM\..\Run: [Tmv] C:\WINDOWS\System32\Irr.exe
O4 - HKLM\..\Run: [Pct] C:\WINDOWS\System32\Ctg.exe
O4 - HKLM\..\Run: [Sku] C:\WINDOWS\Flk.exe
O4 - HKLM\..\Run: [Dqo] C:\WINDOWS\Uol.exe
O4 - HKLM\..\Run: [Rnc] C:\WINDOWS\Krj.exe
O4 - HKLM\..\Run: [Lta] C:\WINDOWS\Hhl.exe
O4 - HKLM\..\Run: [Vur] C:\WINDOWS\Bgq.exe
O4 - HKLM\..\Run: [Npp] C:\WINDOWS\System32\Bdb.exe
O4 - HKLM\..\Run: [Due] C:\WINDOWS\System32\Lmm.exe
O4 - HKLM\..\Run: [Nms] C:\WINDOWS\Ndo.exe
O4 - HKLM\..\Run: [Hpc] C:\WINDOWS\System32\Upn.exe
O4 - HKLM\..\Run: [Bds] C:\WINDOWS\Iif.exe
O4 - HKLM\..\Run: [Fhr] C:\WINDOWS\Nuo.exe
O4 - HKLM\..\Run: [Rrk] C:\WINDOWS\Srq.exe
O4 - HKLM\..\Run: [Afp] C:\WINDOWS\Epc.exe
O4 - HKLM\..\Run: [Dar] C:\WINDOWS\Hbn.exe
O4 - HKLM\..\Run: [Gnj] C:\WINDOWS\Hjt.exe
O4 - HKLM\..\Run: [Our] C:\WINDOWS\System32\Tai.exe
O4 - HKLM\..\Run: [Uar] C:\WINDOWS\System32\Hkq.exe
O4 - HKLM\..\Run: [Ehq] C:\WINDOWS\System32\Duc.exe
O4 - HKLM\..\Run: [Dhd] C:\WINDOWS\System32\Mkh.exe
O4 - HKLM\..\Run: [Cne] C:\WINDOWS\Fis.exe
O4 - HKLM\..\Run: [Dvf] C:\WINDOWS\System32\Tuj.exe
O4 - HKLM\..\Run: [Gpv] C:\WINDOWS\System32\Mik.exe
O4 - HKLM\..\Run: [Rcp] C:\WINDOWS\System32\Bjh.exe
O4 - HKLM\..\Run: [Gcm] C:\WINDOWS\Chn.exe
O4 - HKLM\..\Run: [Uds] C:\WINDOWS\Jvn.exe
O4 - HKLM\..\Run: [Vvb] C:\WINDOWS\Jof.exe
O4 - HKLM\..\Run: [Nhk] C:\WINDOWS\System32\Ltf.exe
O4 - HKLM\..\Run: [Oae] C:\WINDOWS\System32\Psi.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\System32\Rok.exe
O4 - HKLM\..\Run: [Bjl] C:\WINDOWS\Jee.exe
O4 - HKLM\..\Run: [Avh] C:\WINDOWS\System32\Qrt.exe
O4 - HKLM\..\Run: [Ens] C:\WINDOWS\System32\Nul.exe
O4 - HKLM\..\Run: [Buh] C:\WINDOWS\System32\Lqd.exe
O4 - HKLM\..\Run: [Ffr] C:\WINDOWS\System32\Bgo.exe
O4 - HKLM\..\Run: [Olm] C:\WINDOWS\System32\Fmo.exe
O4 - HKLM\..\Run: [Gsg] C:\WINDOWS\System32\Mcv.exe
O4 - HKLM\..\Run: [Mah] C:\WINDOWS\Obj.exe
O4 - HKLM\..\Run: [Aod] C:\WINDOWS\Isv.exe
O4 - HKLM\..\Run: [Fcs] C:\WINDOWS\System32\Aht.exe
O4 - HKLM\..\Run: [Ceg] C:\WINDOWS\System32\Brm.exe
O4 - HKLM\..\Run: [Odu] C:\WINDOWS\System32\Eor.exe
O4 - HKLM\..\Run: [Tvc] C:\WINDOWS\Ikr.exe
O4 - HKLM\..\Run: [Pbf] C:\WINDOWS\System32\Juv.exe
O4 - HKLM\..\Run: [Dat] C:\WINDOWS\Pcb.exe
O4 - HKLM\..\Run: [Akv] C:\WINDOWS\System32\Qvh.exe
O4 - HKLM\..\Run: [Gjp] C:\WINDOWS\System32\Gdb.exe
O4 - HKLM\..\Run: [Rkf] C:\WINDOWS\Aaj.exe
O4 - HKLM\..\Run: [Pba] C:\WINDOWS\Lhs.exe
O4 - HKLM\..\Run: [Pch] C:\WINDOWS\System32\Som.exe
O4 - HKLM\..\Run: [Hab] C:\WINDOWS\System32\Rdg.exe
O4 - HKLM\..\Run: [Eev] C:\WINDOWS\System32\Jlt.exe
O4 - HKLM\..\Run: [Vme] C:\WINDOWS\System32\Mdd.exe
O4 - HKLM\..\Run: [Kfc] C:\WINDOWS\System32\Kpj.exe
O4 - HKLM\..\Run: [Rij] C:\WINDOWS\Obv.exe
O4 - HKLM\..\Run: [Mcb] C:\WINDOWS\Npb.exe
O4 - HKLM\..\Run: [Hkq] C:\WINDOWS\Jrn.exe
O4 - HKLM\..\Run: [Gfo] C:\WINDOWS\Avk.exe
O4 - HKLM\..\Run: [Lup] C:\WINDOWS\System32\Uig.exe
O4 - HKLM\..\Run: [Snr] C:\WINDOWS\Gcc.exe
O4 - HKLM\..\Run: [Iku] C:\WINDOWS\Hsg.exe
O4 - HKLM\..\Run: [Ove] C:\WINDOWS\Qno.exe
O4 - HKLM\..\Run: [Vne] C:\WINDOWS\System32\Nlq.exe
O4 - HKLM\..\Run: [Haj] C:\WINDOWS\Its.exe
O4 - HKLM\..\Run: [Uee] C:\WINDOWS\Rsh.exe
O4 - HKLM\..\Run: [And] C:\WINDOWS\Aib.exe
O4 - HKLM\..\Run: [Goh] C:\WINDOWS\System32\Vbd.exe
O4 - HKLM\..\Run: [Fdk] C:\WINDOWS\Kvm.exe
O4 - HKLM\..\Run: [Dnv] C:\WINDOWS\System32\Kvo.exe
O4 - HKLM\..\Run: [Ahf] C:\WINDOWS\System32\Dja.exe
O4 - HKLM\..\Run: [Alt] C:\WINDOWS\Ist.exe
O4 - HKLM\..\Run: [Nik] C:\WINDOWS\Kon.exe
O4 - HKLM\..\Run: [Csd] C:\WINDOWS\System32\Vll.exe
O4 - HKLM\..\Run: [Kch] C:\WINDOWS\Onv.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\Unh.exe
O4 - HKLM\..\Run: [Rid] C:\WINDOWS\Pnp.exe
O4 - HKLM\..\Run: [Ajo] C:\WINDOWS\Tae.exe
O4 - HKLM\..\Run: [Ijv] C:\WINDOWS\Sva.exe
O4 - HKLM\..\Run: [Dps] C:\WINDOWS\Son.exe
O4 - HKLM\..\Run: [Foc] C:\WINDOWS\System32\Dkr.exe
O4 - HKLM\..\Run: [Los] C:\WINDOWS\System32\Iiu.exe
O4 - HKLM\..\Run: [Kje] C:\WINDOWS\System32\Goq.exe
O4 - HKLM\..\Run: [Cnf] C:\WINDOWS\Cek.exe
O4 - HKLM\..\Run: [Bjd] C:\WINDOWS\System32\Rln.exe
O4 - HKLM\..\Run: [Qsu] C:\WINDOWS\Bln.exe
O4 - HKLM\..\Run: [Uvl] C:\WINDOWS\Com.exe
O4 - HKLM\..\Run: [Tde] C:\WINDOWS\System32\Pnm.exe
O4 - HKLM\..\Run: [Jnj] C:\WINDOWS\Oto.exe
O4 - HKLM\..\Run: [Bqm] C:\WINDOWS\Cgq.exe
O4 - HKLM\..\Run: [Jcu] C:\WINDOWS\Lfu.exe
O4 - HKLM\..\Run: [Mqm] C:\WINDOWS\Jtp.exe
O4 - HKLM\..\Run: [Cka] C:\WINDOWS\Gol.exe
O4 - HKLM\..\Run: [Arh] C:\WINDOWS\Fqd.exe
O4 - HKLM\..\Run: [Vtt] C:\WINDOWS\Kll.exe
O4 - HKLM\..\Run: [Uqt] C:\WINDOWS\Jqs.exe
O4 - HKLM\..\Run: [Thd] C:\WINDOWS\System32\Mvf.exe
O4 - HKLM\..\Run: [Som] C:\WINDOWS\System32\Mpc.exe
O4 - HKLM\..\Run: [Paq] C:\WINDOWS\System32\Ujf.exe
O4 - HKLM\..\Run: [Naa] C:\WINDOWS\Odm.exe
O4 - HKLM\..\Run: [Idv] C:\WINDOWS\System32\Rlv.exe
O4 - HKLM\..\Run: [Edq] C:\WINDOWS\Rlf.exe
O4 - HKLM\..\Run: [Uvq] C:\WINDOWS\Ugv.exe
O4 - HKLM\..\Run: [Ljn] C:\WINDOWS\Cbh.exe
O4 - HKLM\..\Run: [Pqr] C:\WINDOWS\System32\Ppj.exe
O4 - HKLM\..\Run: [Mcd] C:\WINDOWS\System32\Dqf.exe
O4 - HKLM\..\Run: [Ign] C:\WINDOWS\System32\Hqt.exe
O4 - HKLM\..\Run: [Ojs] C:\WINDOWS\Tko.exe
O4 - HKLM\..\Run: [Juo] C:\WINDOWS\System32\Rvs.exe
O4 - HKLM\..\Run: [Fkp] C:\WINDOWS\Pbh.exe
O4 - HKLM\..\Run: [Llc] C:\WINDOWS\System32\Ild.exe
O4 - HKLM\..\Run: [Fjf] C:\WINDOWS\Gha.exe
O4 - HKLM\..\Run: [Udo] C:\WINDOWS\Nrr.exe
O4 - HKLM\..\Run: [Fhc] C:\WINDOWS\Bta.exe
O4 - HKLM\..\Run: [Rcb] C:\WINDOWS\System32\Ifj.exe
O4 - HKLM\..\Run: [Qgo] C:\WINDOWS\System32\Cfb.exe
O4 - HKLM\..\Run: [Buu] C:\WINDOWS\Lum.exe
O4 - HKLM\..\Run: [Oou] C:\WINDOWS\Olh.exe
O4 - HKLM\..\Run: [Hun] C:\WINDOWS\System32\Lrq.exe
O4 - HKLM\..\Run: [Sum] C:\WINDOWS\System32\Kvo.exe
O4 - HKLM\..\Run: [Qjk] C:\WINDOWS\Mue.exe
O4 - HKLM\..\Run: [Ujk] C:\WINDOWS\Qon.exe
O4 - HKLM\..\Run: [Jpm] C:\WINDOWS\System32\Scv.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Ugt.exe
O4 - HKLM\..\Run: [Vpa] C:\WINDOWS\Kbn.exe
O4 - HKLM\..\Run: [Htu] C:\WINDOWS\Qhb.exe
O4 - HKLM\..\Run: [Upj] C:\WINDOWS\Uaq.exe
O4 - HKLM\..\Run: [Ukd] C:\WINDOWS\System32\Chq.exe
O4 - HKLM\..\Run: [Jtq] C:\WINDOWS\Aed.exe
O4 - HKLM\..\Run: [Iir] C:\WINDOWS\System32\Oij.exe
O4 - HKLM\..\Run: [Upf] C:\WINDOWS\Rsq.exe
O4 - HKLM\..\Run: [Npq] C:\WINDOWS\Lni.exe
O4 - HKLM\..\Run: [Rnj] C:\WINDOWS\System32\Blc.exe
O4 - HKLM\..\Run: [Ppn] C:\WINDOWS\System32\Liv.exe
O4 - HKLM\..\Run: [Bqc] C:\WINDOWS\Mlq.exe
O4 - HKLM\..\Run: [Vju] C:\WINDOWS\Ngu.exe
O4 - HKLM\..\Run: [Mht] C:\WINDOWS\Mss.exe
O4 - HKLM\..\Run: [Ask] C:\WINDOWS\Nhi.exe
O4 - HKLM\..\Run: [Qqj] C:\WINDOWS\Hsg.exe
O4 - HKLM\..\Run: [Unh] C:\WINDOWS\Blg.exe
O4 - HKLM\..\Run: [Ted] C:\WINDOWS\System32\Ebm.exe
O4 - HKLM\..\Run: [Thl] C:\WINDOWS\Pvv.exe
O4 - HKLM\..\Run: [Vfi] C:\WINDOWS\System32\Btu.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Rad.exe
O4 - HKLM\..\Run: [Mtp] C:\WINDOWS\Jum.exe
O4 - HKLM\..\Run: [Jmm] C:\WINDOWS\System32\Lok.exe
O4 - HKLM\..\Run: [Emu] C:\WINDOWS\System32\Fjo.exe
O4 - HKLM\..\Run: [Cok] C:\WINDOWS\System32\Jok.exe
O4 - HKLM\..\Run: [Skk] C:\WINDOWS\Klq.exe
O4 - HKLM\..\Run: [Luo] C:\WINDOWS\System32\Lnd.exe
O4 - HKLM\..\Run: [Pus] C:\WINDOWS\System32\Mbb.exe
O4 - HKLM\..\Run: [Voe] C:\WINDOWS\System32\Uki.exe
O4 - HKLM\..\Run: [Bsq] C:\WINDOWS\System32\Ffi.exe
O4 - HKLM\..\Run: [Cnj] C:\WINDOWS\Lpk.exe
O4 - HKLM\..\Run: [Lof] C:\WINDOWS\System32\Nmj.exe
O4 - HKLM\..\Run: [Pqa] C:\WINDOWS\System32\Vmd.exe
O4 - HKLM\..\Run: [Sqs] C:\WINDOWS\System32\Gsf.exe
O4 - HKLM\..\Run: [Nbd] C:\WINDOWS\System32\Pms.exe
O4 - HKLM\..\Run: [Hrn] C:\WINDOWS\Ldj.exe
O4 - HKLM\..\Run: [Hnk] C:\WINDOWS\Ifm.exe
O4 - HKLM\..\Run: [Dnt] C:\WINDOWS\System32\Pni.exe
O4 - HKLM\..\Run: [Qqb] C:\WINDOWS\Opm.exe
O4 - HKLM\..\Run: [Jfs] C:\WINDOWS\Msc.exe
O4 - HKLM\..\Run: [Sst] C:\WINDOWS\Voq.exe
O4 - HKLM\..\Run: [Usi] C:\WINDOWS\System32\Fnl.exe
O4 - HKLM\..\Run: [Ban] C:\WINDOWS\Gbf.exe
O4 - HKLM\..\Run: [Iai] C:\WINDOWS\Mfs.exe
O4 - HKLM\..\Run: [Daq] C:\WINDOWS\System32\Run.exe
O4 - HKLM\..\Run: [Hbp] C:\WINDOWS\System32\Ket.exe
O4 - HKLM\..\Run: [Iuo] C:\WINDOWS\System32\Efd.exe
O4 - HKLM\..\Run: [Qmj] C:\WINDOWS\Mqo.exe
O4 - HKLM\..\Run: [Lql] C:\WINDOWS\Vlp.exe
O4 - HKLM\..\Run: [Lmo] C:\WINDOWS\System32\Rfj.exe
O4 - HKLM\..\Run: [Isq] C:\WINDOWS\System32\Dhe.exe
O4 - HKLM\..\Run: [Nol] C:\WINDOWS\Scu.exe
O4 - HKLM\..\Run: [Dvs] C:\WINDOWS\System32\Krj.exe
O4 - HKLM\..\Run: [Shb] C:\WINDOWS\System32\Hqn.exe
O4 - HKLM\..\Run: [Tdi] C:\WINDOWS\Qob.exe
O4 - HKLM\..\Run: [Cta] C:\WINDOWS\System32\Ntf.exe
O4 - HKLM\..\Run: [Isj] C:\WINDOWS\System32\Obf.exe
O4 - HKLM\..\Run: [Egr] C:\WINDOWS\System32\Mkc.exe
O4 - HKLM\..\Run: [Qff] C:\WINDOWS\System32\Uic.exe
O4 - HKLM\..\Run: [Lrt] C:\WINDOWS\System32\Cej.exe
O4 - HKLM\..\Run: [Ovr] C:\WINDOWS\Kea.exe
O4 - HKLM\..\Run: [Obj] C:\WINDOWS\Dkg.exe
O4 - HKLM\..\Run: [Vte] C:\WINDOWS\Rqd.exe
O4 - HKLM\..\Run: [Dti] C:\WINDOWS\Lhn.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Jsa.exe
O4 - HKLM\..\Run: [Dss] C:\WINDOWS\Nao.exe
O4 - HKLM\..\Run: [Qrt] C:\WINDOWS\System32\Mav.exe
O4 - HKLM\..\Run: [Cdu] C:\WINDOWS\System32\Qqv.exe
O4 - HKLM\..\Run: [Ajq] C:\WINDOWS\System32\Gkh.exe
O4 - HKLM\..\Run: [Qic] C:\WINDOWS\Ekc.exe
O4 - HKLM\..\Run: [Tmj] C:\WINDOWS\System32\Brm.exe
O4 - HKLM\..\Run: [Eru] C:\WINDOWS\Jpg.exe
O4 - HKLM\..\Run: [Mfo] C:\WINDOWS\System32\Eci.exe
O4 - HKLM\..\Run: [Nlt] C:\WINDOWS\System32\Puj.exe
O4 - HKLM\..\Run: [Sbo] C:\WINDOWS\Qvr.exe
O4 - HKLM\..\Run: [Uot] C:\WINDOWS\System32\Jdq.exe
O4 - HKLM\..\Run: [Cvq] C:\WINDOWS\Nan.exe
O4 - HKLM\..\Run: [Lob] C:\WINDOWS\Qaq.exe
O4 - HKLM\..\Run: [Bcp] C:\WINDOWS\Sfq.exe
O4 - HKLM\..\Run: [Gpl] C:\WINDOWS\Ujd.exe
O4 - HKLM\..\Run: [Mln] C:\WINDOWS\System32\Uql.exe
O4 - HKLM\..\Run: [Mbk] C:\WINDOWS\Smf.exe
O4 - HKLM\..\Run: [Bkn] C:\WINDOWS\System32\Sqn.exe
O4 - HKLM\..\Run: [Nrt] C:\WINDOWS\Tuk.exe
O4 - HKLM\..\Run: [Fne] C:\WINDOWS\System32\Tlr.exe
O4 - HKLM\..\Run: [Uil] C:\WINDOWS\Eas.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Err.exe
O4 - HKLM\..\Run: [Ejf] C:\WINDOWS\Pgn.exe
O4 - HKLM\..\Run: [Dql] C:\WINDOWS\System32\Pir.exe
O4 - HKLM\..\Run: [Qko] C:\WINDOWS\System32\Ldc.exe
O4 - HKLM\..\Run: [Iok] C:\WINDOWS\System32\Pks.exe
O4 - HKLM\..\Run: [Flq] C:\WINDOWS\System32\Ihi.exe
O4 - HKLM\..\Run: [Abj] C:\WINDOWS\Shl.exe
O4 - HKLM\..\Run: [Vti] C:\WINDOWS\System32\Cli.exe
O4 - HKLM\..\Run: [Gjs] C:\WINDOWS\Vqi.exe
O4 - HKLM\..\Run: [Mec] C:\WINDOWS\System32\Lmt.exe
O4 - HKLM\..\Run: [Nqf] C:\WINDOWS\Gdr.exe
O4 - HKLM\..\Run: [Fnk] C:\WINDOWS\Eqg.exe
O4 - HKLM\..\Run: [Cqb] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Mnv] C:\WINDOWS\Jtn.exe
O4 - HKLM\..\Run: [Ilr] C:\WINDOWS\Opt.exe
O4 - HKLM\..\Run: [Mll] C:\WINDOWS\System32\Cop.exe
O4 - HKLM\..\Run: [Cos] C:\WINDOWS\Udg.exe
O4 - HKLM\..\Run: [Kit] C:\WINDOWS\Rdt.exe
O4 - HKLM\..\Run: [Ppu] C:\WINDOWS\System32\Bhc.exe
O4 - HKLM\..\Run: [Oca] C:\WINDOWS\System32\Uoe.exe
O4 - HKLM\..\Run: [Lfs] C:\WINDOWS\Abh.exe
O4 - HKLM\..\Run: [Iib] C:\WINDOWS\System32\Poc.exe
O4 - HKLM\..\Run: [Vgh] C:\WINDOWS\Oth.exe
O4 - HKLM\..\Run: [Ipe] C:\WINDOWS\System32\Rbp.exe
O4 - HKLM\..\Run: [Nsf] C:\WINDOWS\System32\Pec.exe
O4 - HKLM\..\Run: [Ksn] C:\WINDOWS\System32\Mjp.exe
O4 - HKLM\..\Run: [Ilh] C:\WINDOWS\System32\Tgt.exe
O4 - HKLM\..\Run: [Vds] C:\WINDOWS\System32\Hrd.exe
O4 - HKLM\..\Run: [Jom] C:\WINDOWS\System32\Sib.exe
O4 - HKLM\..\Run: [Tss] C:\WINDOWS\Hat.exe
O4 - HKLM\..\Run: [Slv] C:\WINDOWS\System32\Dpp.exe
O4 - HKLM\..\Run: [Sak] C:\WINDOWS\Mmn.exe
O4 - HKLM\..\Run: [Umh] C:\WINDOWS\System32\Jhj.exe
O4 - HKLM\..\Run: [Etp] C:\WINDOWS\Jdq.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\Flo.exe
O4 - HKLM\..\Run: [Odd] C:\WINDOWS\System32\Dri.exe
O4 - HKLM\..\Run: [Grd] C:\WINDOWS\Tqo.exe
O4 - HKLM\..\Run: [Cld] C:\WINDOWS\System32\Ppm.exe
O4 - HKLM\..\Run: [Cep] C:\WINDOWS\Rfa.exe
O4 - HKLM\..\Run: [Chg] C:\WINDOWS\Nof.exe
O4 - HKLM\..\Run: [Bhi] C:\WINDOWS\Oqn.exe
O4 - HKLM\..\Run: [Eld] C:\WINDOWS\System32\Pjg.exe
O4 - HKLM\..\Run: [Mjc] C:\WINDOWS\System32\Elj.exe
O4 - HKLM\..\Run: [Irj] C:\WINDOWS\Lnd.exe
O4 - HKLM\..\Run: [Hqh] C:\WINDOWS\System32\Mnh.exe
O4 - HKLM\..\Run: [Sri] C:\WINDOWS\System32\Ind.exe
O4 - HKLM\..\Run: [Eoj] C:\WINDOWS\System32\Qbj.exe
O4 - HKLM\..\Run: [Crp] C:\WINDOWS\System32\Qqp.exe
O4 - HKLM\..\Run: [Mfv] C:\WINDOWS\System32\Ulf.exe
O4 - HKLM\..\Run: [Akm] C:\WINDOWS\System32\Qej.exe
O4 - HKLM\..\Run: [Cef] C:\WINDOWS\System32\Ala.exe
O4 - HKLM\..\Run: [Seq] C:\WINDOWS\Ska.exe
O4 - HKLM\..\Run: [Hno] C:\WINDOWS\Hla.exe
O4 - HKLM\..\Run: [Jhe] C:\WINDOWS\Igl.exe
O4 - HKLM\..\Run: [Qpn] C:\WINDOWS\Nvb.exe
O4 - HKLM\..\Run: [Sfl] C:\WINDOWS\Hui.exe
O4 - HKLM\..\Run: [Usu] C:\WINDOWS\Aoa.exe
O4 - HKLM\..\Run: [Mmc] C:\WINDOWS\Ioe.exe
O4 - HKLM\..\Run: [Iub] C:\WINDOWS\Akt.exe
O4 - HKLM\..\Run: [Lgt] C:\WINDOWS\Por.exe
O4 - HKLM\..\Run: [Enh] C:\WINDOWS\Dom.exe
O4 - HKLM\..\Run: [Rgs] C:\WINDOWS\Vim.exe
O4 - HKLM\..\Run: [Tqc] C:\WINDOWS\Fjd.exe
O4 - HKLM\..\Run: [Ufm] C:\WINDOWS\Jsh.exe
O4 - HKLM\..\Run: [Frm] C:\WINDOWS\Nlt.exe
O4 - HKLM\..\Run: [Orq] C:\WINDOWS\System32\Gbi.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Rga] C:\WINDOWS\System32\Gdd.exe
O4 - HKLM\..\Run: [Mai] C:\WINDOWS\Auc.exe
O4 - HKLM\..\Run: [Ldl] C:\WINDOWS\Joc.exe
O4 - HKLM\..\Run: [Lbc] C:\WINDOWS\System32\Cek.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Tmn.exe
O4 - HKLM\..\Run: [Rnn] C:\WINDOWS\Rce.exe
O4 - HKLM\..\Run: [Spr] C:\WINDOWS\Vno.exe
O4 - HKLM\..\Run: [Clt] C:\WINDOWS\Vja.exe
O4 - HKLM\..\Run: [Qha] C:\WINDOWS\System32\Kju.exe
O4 - HKLM\..\Run: [Hnc] C:\WINDOWS\Gkh.exe
O4 - HKLM\..\Run: [Bnq] C:\WINDOWS\System32\Gmg.exe
O4 - HKLM\..\Run: [Lav] C:\WINDOWS\Jro.exe
O4 - HKLM\..\Run: [Aci] C:\WINDOWS\System32\Gvf.exe
O4 - HKLM\..\Run: [Bjg] C:\WINDOWS\System32\Ckf.exe
O4 - HKLM\..\Run: [Vhq] C:\WINDOWS\System32\Hqt.exe
O4 - HKLM\..\Run: [Lmk] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Sen] C:\WINDOWS\System32\Ptr.exe
O4 - HKLM\..\Run: [Fko] C:\WINDOWS\Esv.exe
O4 - HKLM\..\Run: [Iom] C:\WINDOWS\System32\Fmi.exe
O4 - HKLM\..\Run: [Nqh] C:\WINDOWS\System32\Fpq.exe
O4 - HKLM\..\Run: [Ifl] C:\WINDOWS\System32\Ndb.exe
O4 - HKLM\..\Run: [Bih] C:\WINDOWS\Mnv.exe
O4 - HKLM\..\Run: [Shv] C:\WINDOWS\Kim.exe
O4 - HKLM\..\Run: [Bhn] C:\WINDOWS\System32\Fng.exe
O4 - HKLM\..\Run: [Oug] C:\WINDOWS\System32\Oth.exe
O4 - HKLM\..\Run: [Aob] C:\WINDOWS\System32\Ppf.exe
O4 - HKLM\..\Run: [Mth] C:\WINDOWS\System32\Koj.exe
O4 - HKLM\..\Run: [Stm] C:\WINDOWS\Hhe.exe
O4 - HKLM\..\Run: [Pue] C:\WINDOWS\Jqr.exe
O4 - HKLM\..\Run: [Ljp] C:\WINDOWS\Cpm.exe
O4 - HKLM\..\Run: [Ovn] C:\WINDOWS\Amr.exe
O4 - HKLM\..\Run: [Vbq] C:\WINDOWS\System32\Ajb.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ret.exe
O4 - HKLM\..\Run: [Eme] C:\WINDOWS\System32\Hvj.exe
O4 - HKLM\..\Run: [Lvu] C:\WINDOWS\Cnk.exe
O4 - HKLM\..\Run: [Tnp] C:\WINDOWS\Osc.exe
O4 - HKLM\..\Run: [Mqo] C:\WINDOWS\System32\Ovu.exe
O4 - HKLM\..\Run: [Itg] C:\WINDOWS\System32\Jqc.exe
O4 - HKLM\..\Run: [Rsu] C:\WINDOWS\Uqk.exe
O4 - HKLM\..\Run: [Jkp] C:\WINDOWS\System32\Eqn.exe
O4 - HKLM\..\Run: [Jtg] C:\WINDOWS\System32\Bsr.exe
O4 - HKLM\..\Run: [Hid] C:\WINDOWS\System32\Uao.exe
O4 - HKLM\..\Run: [Kci] C:\WINDOWS\System32\Bge.exe
O4 - HKLM\..\Run: [Hnh] C:\WINDOWS\Gqt.exe
O4 - HKLM\..\Run: [Vrm] C:\WINDOWS\System32\Sjg.exe
O4 - HKLM\..\Run: [Ufg] C:\WINDOWS\System32\Saf.exe
O4 - HKLM\..\Run: [Gnr] C:\WINDOWS\Mkg.exe
O4 - HKLM\..\Run: [Jvt] C:\WINDOWS\Jqq.exe
O4 - HKLM\..\Run: [Raj] C:\WINDOWS\System32\Djc.exe
O4 - HKLM\..\Run: [Qjv] C:\WINDOWS\Vdj.exe
O4 - HKLM\..\Run: [Cmm] C:\WINDOWS\Hvo.exe
O4 - HKLM\..\Run: [Equ] C:\WINDOWS\System32\Dqd.exe
O4 - HKLM\..\Run: [Fhl] C:\WINDOWS\System32\Dtu.exe
O4 - HKLM\..\Run: [Slk] C:\WINDOWS\Hog.exe
O4 - HKLM\..\Run: [Jnh] C:\WINDOWS\System32\Gqp.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\Emb.exe
O4 - HKLM\..\Run: [Ctd] C:\WINDOWS\System32\Vlq.exe
O4 - HKLM\..\Run: [Hap] C:\WINDOWS\Cpm.exe
O4 - HKLM\..\Run: [Svj] C:\WINDOWS\Tdh.exe
O4 - HKLM\..\Run: [Fqh] C:\WINDOWS\System32\Fko.exe
O4 - HKLM\..\Run: [Phr] C:\WINDOWS\Hqt.exe
O4 - HKLM\..\Run: [Omm] C:\WINDOWS\System32\Ncs.exe
O4 - HKLM\..\Run: [Rfc] C:\WINDOWS\System32\Lvq.exe
O4 - HKLM\..\Run: [Usq] C:\WINDOWS\System32\Pbt.exe
O4 - HKLM\..\Run: [Glb] C:\WINDOWS\System32\Arr.exe
O4 - HKLM\..\Run: [Sbp] C:\WINDOWS\Clm.exe
O4 - HKLM\..\Run: [Gqs] C:\WINDOWS\System32\Sfd.exe
O4 - HKLM\..\Run: [Mrq] C:\WINDOWS\System32\Vnv.exe
O4 - HKLM\..\Run: [Upo] C:\WINDOWS\Kae.exe
O4 - HKLM\..\Run: [Hft] C:\WINDOWS\System32\Qkv.exe
O4 - HKLM\..\Run: [Fpp] C:\WINDOWS\System32\Hjf.exe
O4 - HKLM\..\Run: [Ehv] C:\WINDOWS\System32\Jpm.exe
O4 - HKLM\..\Run: [Dqh] C:\WINDOWS\Uml.exe
O4 - HKLM\..\Run: [Ihd] C:\WINDOWS\System32\Nir.exe
O4 - HKLM\..\Run: [Qtv] C:\WINDOWS\Kks.exe
O4 - HKLM\..\Run: [Ngl] C:\WINDOWS\System32\Tgl.exe
O4 - HKLM\..\Run: [Hmc] C:\WINDOWS\System32\Dcp.exe
O4 - HKLM\..\Run: [Fei] C:\WINDOWS\Aaj.exe
O4 - HKLM\..\Run: [Mtd] C:\WINDOWS\Pkh.exe
O4 - HKLM\..\Run: [Qfg] C:\WINDOWS\System32\Lmh.exe
O4 - HKLM\..\Run: [Jlt] C:\WINDOWS\Cqm.exe
O4 - HKLM\..\Run: [Mls] C:\WINDOWS\System32\Acg.exe
O4 - HKLM\..\Run: [Kfb] C:\WINDOWS\Cog.exe
O4 - HKLM\..\Run: [Snm] C:\WINDOWS\Oqu.exe
O4 - HKLM\..\Run: [Jfc] C:\WINDOWS\System32\Vnr.exe
O4 - HKLM\..\Run: [Rhn] C:\WINDOWS\System32\Pcr.exe
O4 - HKLM\..\Run: [Inm] C:\WINDOWS\Puv.exe
O4 - HKLM\..\Run: [Tpb] C:\WINDOWS\Dlr.exe
O4 - HKLM\..\Run: [Poj] C:\WINDOWS\Pfo.exe
O4 - HKLM\..\Run: [Arn] C:\WINDOWS\Vtc.exe
O4 - HKLM\..\Run: [Bsn] C:\WINDOWS\System32\Tgb.exe
O4 - HKLM\..\Run: [Nnb] C:\WINDOWS\System32\Rgj.exe
O4 - HKLM\..\Run: [Utg] C:\WINDOWS\System32\Loo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ctp] C:\WINDOWS\Ver.exe
O4 - HKCU\..\Run: [Vgn] C:\WINDOWS\System32\Fhr.exe
O4 - HKCU\..\Run: [Egt] C:\WINDOWS\Cvr.exe
O4 - HKCU\..\Run: [Kui] C:\WINDOWS\System32\Qfs.exe
O4 - HKCU\..\Run: [Abp] C:\WINDOWS\System32\Rae.exe
O4 - HKCU\..\Run: [Asn] C:\WINDOWS\System32\Mui.exe
O4 - HKCU\..\Run: [Cje] C:\WINDOWS\System32\Tcb.exe
O4 - HKCU\..\Run: [Sjr] C:\WINDOWS\System32\Fhn.exe
O4 - HKCU\..\Run: [Ucv] C:\WINDOWS\System32\Vco.exe
O4 - HKCU\..\Run: [Jme] C:\WINDOWS\Spi.exe
O4 - HKCU\..\Run: [Med] C:\WINDOWS\Uvb.exe
O4 - HKCU\..\Run: [Cdo] C:\WINDOWS\Vge.exe
O4 - HKCU\..\Run: [Cum] C:\WINDOWS\System32\Lfd.exe
O4 - HKCU\..\Run: [Lii] C:\WINDOWS\System32\Unn.exe
O4 - HKCU\..\Run: [Gid] C:\WINDOWS\Hmu.exe
O4 - HKCU\..\Run: [Ovh] C:\WINDOWS\System32\Jpa.exe
O4 - HKCU\..\Run: [Kru] C:\WINDOWS\System32\Aqt.exe
O4 - HKCU\..\Run: [Jpr] C:\WINDOWS\Aol.exe
O4 - HKCU\..\Run: [Ikc] C:\WINDOWS\System32\Fsu.exe
O4 - HKCU\..\Run: [Obu] C:\WINDOWS\System32\Ktq.exe
O4 - HKCU\..\Run: [Cbd] C:\WINDOWS\Nbp.exe
O4 - HKCU\..\Run: [Tnb] C:\WINDOWS\Obs.exe
O4 - HKCU\..\Run: [Bpo] C:\WINDOWS\System32\Fqf.exe
O4 - HKCU\..\Run: [Qeb] C:\WINDOWS\System32\Hkv.exe
O4 - HKCU\..\Run: [Hdt] C:\WINDOWS\System32\Bub.exe
O4 - HKCU\..\Run: [Ndv] C:\WINDOWS\Jrs.exe
O4 - HKCU\..\Run: [Tli] C:\WINDOWS\Rhi.exe
O4 - HKCU\..\Run: [Hgk] C:\WINDOWS\Gmq.exe
O4 - HKCU\..\Run: [Dna] C:\WINDOWS\System32\Mmq.exe
O4 - HKCU\..\Run: [Dbi] C:\WINDOWS\Uvb.exe
O4 - HKCU\..\Run: [Hjr] C:\WINDOWS\System32\Ntp.exe
O4 - HKCU\..\Run: [Ekr] C:\WINDOWS\Gmk.exe
O4 - HKCU\..\Run: [Fpj] C:\WINDOWS\Sio.exe
O4 - HKCU\..\Run: [Sme] C:\WINDOWS\Gao.exe
O4 - HKCU\..\Run: [Ark] C:\WINDOWS\System32\Knm.exe
O4 - HKCU\..\Run: [Hif] C:\WINDOWS\Alt.exe
O4 - HKCU\..\Run: [Ugf] C:\WINDOWS\System32\Aho.exe
O4 - HKCU\..\Run: [Sjk] C:\WINDOWS\Gcb.exe
O4 - HKCU\..\Run: [Ert] C:\WINDOWS\Cnr.exe
O4 - HKCU\..\Run: [Mjl] C:\WINDOWS\System32\Tib.exe
O4 - HKCU\..\Run: [Akl] C:\WINDOWS\Hql.exe
O4 - HKCU\..\Run: [Elr] C:\WINDOWS\Erc.exe
O4 - HKCU\..\Run: [Prc] C:\WINDOWS\Bnt.exe
O4 - HKCU\..\Run: [Fde] C:\WINDOWS\Tic.exe
O4 - HKCU\..\Run: [Ghg] C:\WINDOWS\Hbf.exe
O4 - HKCU\..\Run: [Vfp] C:\WINDOWS\Bpi.exe
O4 - HKCU\..\Run: [Uke] C:\WINDOWS\System32\Lje.exe
O4 - HKCU\..\Run: [Mlp] C:\WINDOWS\Okh.exe
O4 - HKCU\..\Run: [Ppf] C:\WINDOWS\System32\Qud.exe
O4 - HKCU\..\Run: [Jms] C:\WINDOWS\Ieu.exe
O4 - HKCU\..\Run: [Qop] C:\WINDOWS\System32\Frj.exe
O4 - HKCU\..\Run: [Gac] C:\WINDOWS\System32\Uhs.exe
O4 - HKCU\..\Run: [Bus] C:\WINDOWS\Sim.exe
O4 - HKCU\..\Run: [Fet] C:\WINDOWS\System32\Mmn.exe
O4 - HKCU\..\Run: [Inj] C:\WINDOWS\Ktd.exe
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\Gkf.exe
O4 - HKCU\..\Run: [Eeb] C:\WINDOWS\System32\Pqq.exe
O4 - HKCU\..\Run: [Uln] C:\WINDOWS\Qna.exe
O4 - HKCU\..\Run: [Oqg] C:\WINDOWS\System32\Jke.exe
O4 - HKCU\..\Run: [Nge] C:\WINDOWS\Jgh.exe
O4 - HKCU\..\Run: [Ivu] C:\WINDOWS\System32\Nhv.exe
O4 - HKCU\..\Run: [Daf] C:\WINDOWS\Nal.exe
O4 - HKCU\..\Run: [Htp] C:\WINDOWS\Vli.exe
O4 - HKCU\..\Run: [Eov] C:\WINDOWS\System32\Asi.exe
O4 - HKCU\..\Run: [Ttb] C:\WINDOWS\System32\Uhc.exe
O4 - HKCU\..\Run: [Ejv] C:\WINDOWS\Aut.exe
O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Ide.exe
O4 - HKCU\..\Run: [Gti] C:\WINDOWS\System32\Cjd.exe
O4 - HKCU\..\Run: [Oiq] C:\WINDOWS\Sku.exe
O4 - HKCU\..\Run: [Hmm] C:\WINDOWS\System32\Ksp.exe
O4 - HKCU\..\Run: [Nhj] C:\WINDOWS\System32\Hvb.exe
O4 - HKCU\..\Run: [Hii] C:\WINDOWS\System32\Lvv.exe
O4 - HKCU\..\Run: [Ojf] C:\WINDOWS\Tvh.exe
O4 - HKCU\..\Run: [Ctt] C:\WINDOWS\Feo.exe
O4 - HKCU\..\Run: [Osd] C:\WINDOWS\System32\Sta.exe
O4 - HKCU\..\Run: [Tpn] C:\WINDOWS\System32\Lkd.exe
O4 - HKCU\..\Run: [Csv] C:\WINDOWS\System32\Fqp.exe
O4 - HKCU\..\Run: [Lkf] C:\WINDOWS\Nqn.exe
O4 - HKCU\..\Run: [Uav] C:\WINDOWS\Ikb.exe
O4 - HKCU\..\Run: [Jtb] C:\WINDOWS\System32\Clv.exe
O4 - HKCU\..\Run: [Dgp] C:\WINDOWS\System32\Jkk.exe
O4 - HKCU\..\Run: [Ore] C:\WINDOWS\Ctl.exe
O4 - HKCU\..\Run: [Rmc] C:\WINDOWS\Tgh.exe
O4 - HKCU\..\Run: [Neu] C:\WINDOWS\System32\Qks.exe
O4 - HKCU\..\Run: [Sgg] C:\WINDOWS\Tcd.exe
O4 - HKCU\..\Run: [Ats] C:\WINDOWS\Olr.exe
O4 - HKCU\..\Run: [Bov] C:\WINDOWS\System32\Mff.exe
O4 - HKCU\..\Run: [Ddf] C:\WINDOWS\Ikf.exe
O4 - HKCU\..\Run: [Rut] C:\WINDOWS\Jiu.exe
O4 - HKCU\..\Run: [Nus] C:\WINDOWS\Jdb.exe
O4 - HKCU\..\Run: [Aif] C:\WINDOWS\Lon.exe
O4 - HKCU\..\Run: [Emq] C:\WINDOWS\Soq.exe
O4 - HKCU\..\Run: [Hai] C:\WINDOWS\System32\Kkk.exe
O4 - HKCU\..\Run: [Fsj] C:\WINDOWS\Ant.exe
O4 - HKCU\..\Run: [Oao] C:\WINDOWS\Enr.exe
O4 - HKCU\..\Run: [Thr] C:\WINDOWS\Bdi.exe
O4 - HKCU\..\Run: [Dil] C:\WINDOWS\Lir.exe
O4 - HKCU\..\Run: [Mod] C:\WINDOWS\Umg.exe
O4 - HKCU\..\Run: [Brv] C:\WINDOWS\System32\Uhk.exe
O4 - HKCU\..\Run: [Fcu] C:\WINDOWS\Cla.exe
O4 - HKCU\..\Run: [Qlr] C:\WINDOWS\Mbf.exe
O4 - HKCU\..\Run: [Gcq] C:\WINDOWS\Qmg.exe
O4 - HKCU\..\Run: [Kbq] C:\WINDOWS\System32\Irf.exe
O4 - HKCU\..\Run: [Fdv] C:\WINDOWS\Ctb.exe
O4 - HKCU\..\Run: [Dhu] C:\WINDOWS\System32\Mqe.exe
O4 - HKCU\..\Run: [Lvd] C:\WINDOWS\Nhe.exe
O4 - HKCU\..\Run: [Raq] C:\WINDOWS\System32\Ses.exe
O4 - HKCU\..\Run: [Ukr] C:\WINDOWS\System32\Fia.exe
O4 - HKCU\..\Run: [Kkq] C:\WINDOWS\Qtd.exe
O4 - HKCU\..\Run: [Bog] C:\WINDOWS\System32\Urj.exe
O4 - HKCU\..\Run: [Qsi] C:\WINDOWS\System32\Ptq.exe
O4 - HKCU\..\Run: [Nqj] C:\WINDOWS\System32\Ufc.exe
O4 - HKCU\..\Run: [Kvh] C:\WINDOWS\Odi.exe
O4 - HKCU\..\Run: [Nla] C:\WINDOWS\Lau.exe
O4 - HKCU\..\Run: [Jls] C:\WINDOWS\System32\Gnk.exe
O4 - HKCU\..\Run: [Jge] C:\WINDOWS\System32\Jhs.exe
O4 - HKCU\..\Run: [Dms] C:\WINDOWS\System32\Moe.exe
O4 - HKCU\..\Run: [Kpq] C:\WINDOWS\Jbs.exe
O4 - HKCU\..\Run: [Tpm] C:\WINDOWS\Ivr.exe
O4 - HKCU\..\Run: [Pvt] C:\WINDOWS\System32\Fpm.exe
O4 - HKCU\..\Run: [Pds] C:\WINDOWS\Aes.exe
O4 - HKCU\..\Run: [Jcl] C:\WINDOWS\System32\Omd.exe
O4 - HKCU\..\Run: [Egp] C:\WINDOWS\Pmi.exe
O4 - HKCU\..\Run: [Pbs] C:\WINDOWS\System32\Ugd.exe
O4 - HKCU\..\Run: [Lgb] C:\WINDOWS\Fsc.exe
O4 - HKCU\..\Run: [Uij] C:\WINDOWS\System32\Pou.exe
O4 - HKCU\..\Run: [Sjd] C:\WINDOWS\Hpv.exe
O4 - HKCU\..\Run: [Tqv] C:\WINDOWS\Qgq.exe
O4 - HKCU\..\Run: [Nkj] C:\WINDOWS\Lin.exe
O4 - HKCU\..\Run: [Ogp] C:\WINDOWS\Qpo.exe
O4 - HKCU\..\Run: [Tke] C:\WINDOWS\Pfg.exe
O4 - HKCU\..\Run: [Omq] C:\WINDOWS\Him.exe
O4 - HKCU\..\Run: [Ahm] C:\WINDOWS\Pda.exe
O4 - HKCU\..\Run: [Csi] C:\WINDOWS\System32\Rvr.exe
O4 - HKCU\..\Run: [Ibp] C:\WINDOWS\System32\Aon.exe
O4 - HKCU\..\Run: [Epi] C:\WINDOWS\Ogd.exe
O4 - HKCU\..\Run: [Toj] C:\WINDOWS\System32\Gou.exe
O4 - HKCU\..\Run: [Elv] C:\WINDOWS\Pkv.exe
O4 - HKCU\..\Run: [Cio] C:\WINDOWS\System32\Duh.exe
O4 - HKCU\..\Run: [Cgs] C:\WINDOWS\System32\Tlh.exe
O4 - HKCU\..\Run: [Rmb] C:\WINDOWS\System32\Lip.exe
O4 - HKCU\..\Run: [Red] C:\WINDOWS\System32\Uvn.exe
O4 - HKCU\..\Run: [Sai] C:\WINDOWS\System32\Pao.exe
O4 - HKCU\..\Run: [Vpg] C:\WINDOWS\System32\Hii.exe
O4 - HKCU\..\Run: [Epj] C:\WINDOWS\System32\Ird.exe
O4 - HKCU\..\Run: [Bnd] C:\WINDOWS\System32\Khu.exe
O4 - HKCU\..\Run: [Hou] C:\WINDOWS\Sqg.exe
O4 - HKCU\..\Run: [Puv] C:\WINDOWS\System32\Euq.exe
O4 - HKCU\..\Run: [Boh] C:\WINDOWS\System32\Rnk.exe
O4 - HKCU\..\Run: [Jff] C:\WINDOWS\Gfv.exe
O4 - HKCU\..\Run: [Hik] C:\WINDOWS\System32\Vss.exe
O4 - HKCU\..\Run: [Ado] C:\WINDOWS\Hur.exe
O4 - HKCU\..\Run: [Oiv] C:\WINDOWS\System32\Unf.exe
O4 - HKCU\..\Run: [Vjc] C:\WINDOWS\System32\Jdb.exe
O4 - HKCU\..\Run: [Uju] C:\WINDOWS\System32\Ikv.exe
O4 - HKCU\..\Run: [Sgu] C:\WINDOWS\Sgg.exe
O4 - HKCU\..\Run: [Vpm] C:\WINDOWS\System32\Ljn.exe
O4 - HKCU\..\Run: [Fcc] C:\WINDOWS\System32\Msd.exe
O4 - HKCU\..\Run: [Rrd] C:\WINDOWS\System32\Rvu.exe
O4 - HKCU\..\Run: [Rad] C:\WINDOWS\System32\Ejp.exe
O4 - HKCU\..\Run: [Usl] C:\WINDOWS\Sgc.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\Hee.exe
O4 - HKCU\..\Run: [Rnu] C:\WINDOWS\System32\Rpm.exe
O4 - HKCU\..\Run: [Vht] C:\WINDOWS\Atr.exe
O4 - HKCU\..\Run: [Ikv] C:\WINDOWS\System32\Uvk.exe
O4 - HKCU\..\Run: [Pkm] C:\WINDOWS\Pjl.exe
O4 - HKCU\..\Run: [Jft] C:\WINDOWS\System32\Oki.exe
O4 - HKCU\..\Run: [Onm] C:\WINDOWS\Vpm.exe
O4 - HKCU\..\Run: [Kia] C:\WINDOWS\Rfv.exe
O4 - HKCU\..\Run: [Tmt] C:\WINDOWS\System32\Nsl.exe
O4 - HKCU\..\Run: [Qhh] C:\WINDOWS\System32\Grh.exe
O4 - HKCU\..\Run: [Ric] C:\WINDOWS\Got.exe
O4 - HKCU\..\Run: [Cic] C:\WINDOWS\System32\Trb.exe
O4 - HKCU\..\Run: [Nvc] C:\WINDOWS\Ogc.exe
O4 - HKCU\..\Run: [Dac] C:\WINDOWS\Ljr.exe
O4 - HKCU\..\Run: [Vsl] C:\WINDOWS\System32\Qun.exe
O4 - HKCU\..\Run: [Ekl] C:\WINDOWS\System32\Oum.exe
O4 - HKCU\..\Run: [Lgf] C:\WINDOWS\Kge.exe
O4 - HKCU\..\Run: [Emm] C:\WINDOWS\Hai.exe
O4 - HKCU\..\Run: [Ung] C:\WINDOWS\System32\Ecb.exe
O4 - HKCU\..\Run: [Hjp] C:\WINDOWS\Qfl.exe
O4 - HKCU\..\Run: [Dgv] C:\WINDOWS\System32\Mbi.exe
O4 - HKCU\..\Run: [Ddr] C:\WINDOWS\Qmp.exe
O4 - HKCU\..\Run: [Fcl] C:\WINDOWS\Slt.exe
O4 - HKCU\..\Run: [Bok] C:\WINDOWS\System32\Cej.exe
O4 - HKCU\..\Run: [Vqi] C:\WINDOWS\System32\Jdr.exe
O4 - HKCU\..\Run: [Iqq] C:\WINDOWS\Tho.exe
O4 - HKCU\..\Run: [Qos] C:\WINDOWS\Ngg.exe
O4 - HKCU\..\Run: [Pnk] C:\WINDOWS\Svi.exe
O4 - HKCU\..\Run: [Ulf] C:\WINDOWS\Eak.exe
O4 - HKCU\..\Run: [Vnf] C:\WINDOWS\Gqj.exe
O4 - HKCU\..\Run: [Ivj] C:\WINDOWS\Fdp.exe
O4 - HKCU\..\Run: [Ggj] C:\WINDOWS\System32\Ejd.exe
O4 - HKCU\..\Run: [Dcd] C:\WINDOWS\Ctd.exe
O4 - HKCU\..\Run: [Ihi] C:\WINDOWS\System32\Kib.exe
O4 - HKCU\..\Run: [Lah] C:\WINDOWS\System32\Jjs.exe
O4 - HKCU\..\Run: [Ijr] C:\WINDOWS\System32\Ghr.exe
O4 - HKCU\..\Run: [Hjv] C:\WINDOWS\Gui.exe
O4 - HKCU\..\Run: [Gpp] C:\WINDOWS\Vmn.exe
O4 - HKCU\..\Run: [Rer] C:\WINDOWS\System32\Cne.exe
O4 - HKCU\..\Run: [Efd] C:\WINDOWS\System32\Pnp.exe
O4 - HKCU\..\Run: [Com] C:\WINDOWS\System32\Kcj.exe
O4 - HKCU\..\Run: [Oce] C:\WINDOWS\Hug.exe
O4 - HKCU\..\Run: [Fnl] C:\WINDOWS\System32\Ceq.exe
O4 - HKCU\..\Run: [Alo] C:\WINDOWS\Ior.exe
O4 - HKCU\..\Run: [Tmv] C:\WINDOWS\System32\Irr.exe
O4 - HKCU\..\Run: [Pct] C:\WINDOWS\System32\Ctg.exe
O4 - HKCU\..\Run: [Sku] C:\WINDOWS\Flk.exe
O4 - HKCU\..\Run: [Dqo] C:\WINDOWS\U


#2 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 18 March 2005 - 07:38 PM

Before you start, please unzip HijackThis to a permanent location.
The program will make backups in the folder it's run from.
These easily get lost in a Temp folder and are an annoyance on the desktop.

The log you posted is incomplete

Download PocketKillbox from http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Use Ctrl-Alt-Del and try to end these tasks
C:\WINDOWS\Ver.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\tmp31.tmp


Unzip and run the killbox you downloaded
choose Tools > Delete Temp Files and click OK


Run HijackThis again and check then fix all the 3 letter O4 specials - here's a partial list of them
(you are getting the long list because it's being partly blocked)
O4 - HKLM\..\Run: [Ctp] C:\WINDOWS\Ver.exe
O4 - HKLM\..\Run: [Vgn] C:\WINDOWS\System32\Fhr.exe
O4 - HKLM\..\Run: [Egt] C:\WINDOWS\Cvr.exe
O4 - HKLM\..\Run: [Kui] C:\WINDOWS\System32\Qfs.exe
O4 - HKLM\..\Run: [Abp] C:\WINDOWS\System32\Rae.exe
O4 - HKLM\..\Run: [Asn] C:\WINDOWS\System32\Mui.exe
O4 - HKLM\..\Run: [Cje] C:\WINDOWS\System32\Tcb.exe
O4 - HKLM\..\Run: [Sjr] C:\WINDOWS\System32\Fhn.exe
O4 - HKLM\..\Run: [Ucv] C:\WINDOWS\System32\Vco.exe
O4 - HKLM\..\Run: [Jme] C:\WINDOWS\Spi.exe
O4 - HKLM\..\Run: [Med] C:\WINDOWS\Uvb.exe
O4 - HKLM\..\Run: [Cdo] C:\WINDOWS\Vge.exe
O4 - HKLM\..\Run: [Cum] C:\WINDOWS\System32\Lfd.exe
O4 - HKLM\..\Run: [Lii] C:\WINDOWS\System32\Unn.exe
O4 - HKLM\..\Run: [Gid] C:\WINDOWS\Hmu.exe
O4 - HKLM\..\Run: [Ovh] C:\WINDOWS\System32\Jpa.exe
O4 - HKLM\..\Run: [Kru] C:\WINDOWS\System32\Aqt.exe
O4 - HKLM\..\Run: [Jpr] C:\WINDOWS\Aol.exe
O4 - HKLM\..\Run: [Ikc] C:\WINDOWS\System32\Fsu.exe
etc.....


Run killbox again and put a mark next to "Delete on Reboot". Copy and paste the following filename into the box, then click the red button with the X after each.
C:\WINDOWS\Ver.exe

It will reboot

You have this one:
http://www.sophos.com/virusinfo/analyses/trojvidlof.html

Does the virus scanner on the machine have up to date definition files?

At any rate, when the list is cut down to a reasonable length using HJT - reboot and post another log

#3 uukelly

uukelly
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 20 March 2005 - 08:12 AM

I hope I'm replying correctly to repost a revised HJT log.

I followed your instructions. Thank you so much for the step-by-step guidance--it was great.

Following summary is provided:

1. I could not end the Ver.exe and tmp31.tmp via Ctrl-Alt-Del. They did not show up.
2. Followed all your instructions. There were 1,522 3 letter O4 specials that I deleted through HJT.
3. I have a corporate edition of Symantec AntiVirus running on my pc so I assume it has up to date definition files. The last live update was 3/17/05.
4. When I completed your instructions and rebooted, I received two pop ups again ("Security iGuard" and some Teen Porn pop-up). The teen porn pop-up is a result of a program re-installing called "WebSiteViewer\126099.exe" in my program file, I suspect.

Below is a revised log from HJT after completing all your instructions. Thanks so much again for all your help. I could not do this without you!

Logfile of HijackThis v1.99.1
Scan saved at 8:00:24 AM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\windows\system32\bibpblts.exe
C:\WINDOWS\Vhr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\windows\system32\packager.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jean\Start Menu\Programs\Startup\winupdate16907254[1].exe
C:\WINDOWS\System32\wdfmgr.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\tmp3.tmp
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jean\Application Data\Mozilla\Profiles\default\b1rfknvs.slt\prefs.js)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [swcroot] C:\WINDOWS\System32\swcroot.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKLM\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - HKLM\..\Run: [Tag] C:\WINDOWS\Ohi.exe
O4 - HKLM\..\Run: [Usq] C:\WINDOWS\Qia.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKCU\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - HKCU\..\Run: [Tag] C:\WINDOWS\Ohi.exe
O4 - HKCU\..\Run: [Usq] C:\WINDOWS\Qia.exe
O4 - Startup: winupdate16907254[1].exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {8EFBC78F-237B-478D-97A4-DEE77466B85F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EFBC78F-237B-478D-97A4-DEE77466B85F} - (no file) (HKCU)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

#4 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 21 March 2005 - 11:23 AM

Sorry I lost track of this one for a while

Download PocketKillbox from http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Unzip it somewhere you will find it easily -- we'll use it in a while.

These haxdoor infections can be quite difficult to remove
You will want to print these to follow them - read through them first to find what you need to know from the internet.

Download the file attached to this post (fixhx.txt) and save it to your desktop (or wherever you will find it convenient).
Right click on the file and choose rename. Rename the file from fixhx.txt to fixhx.reg

In the lists below add any newly produced 3 letter specials which don't show here to the lists

Take the machine offline (disconnect from the internet by pulling phone line or whatever)

Use Add/Remove Programs to uninstall Security iGuard.

Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [swcroot] C:\WINDOWS\System32\swcroot.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKLM\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - HKLM\..\Run: [Tag] C:\WINDOWS\Ohi.exe
O4 - HKLM\..\Run: [Usq] C:\WINDOWS\Qia.exe
O4 - HKCU\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKCU\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - HKCU\..\Run: [Tag] C:\WINDOWS\Ohi.exe
O4 - HKCU\..\Run: [Usq] C:\WINDOWS\Qia.exe
O4 - Startup: winupdate16907254[1].exe
O9 - Extra button: Microsoft AntiSpyware helper - {8EFBC78F-237B-478D-97A4-DEE77466B85F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8EFBC78F-237B-478D-97A4-DEE77466B85F} - (no file) (HKCU)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll



Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box
You will have to do this again in safe mode - but you should figure out how now while you have access to the net.

If you aren't sure how to use f8 or similar to get to SAFE mode -- read the following:
How to start the computer in Safe mode


Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Run the Killbox you downloaded earlier
- choose Tools > Delete Temp Files and click OK
In Killbox - put a check next to "Delete on Reboot".
Copy and paste each of the following lines (the ones in bold type) one at a time into the topmost box.
C:\WINDOWS\System32\Hfh.exe
C:\WINDOWS\Ohi.exe
C:\WINDOWS\Qia.exe
C:\Documents and Settings\Jean\Start Menu\Programs\Startup\winupdate16907254[1].exe
C:\WINDOWS\System32\swcroot.exe
c:\windows\system32\bibpblts.exe
C:\WINDOWS\System32\NavLogon.dll
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\Vhr.exe


On the reboot choose SAFE mode

Double click on the fixhx.reg we made earlier and merge it to the registry

Run Killbox again and clear the temp files
- choose Tools > Delete Temp Files and click OK

Manually have a look for the files we tried to delete with killbox using explorer (you will have to change the settings to view hidden files again in safe mode)
- if you find them - try to delete them

Reboot normally and plug into the internet again

*********************************
Download the free version of AdawareSE here:
http://www.lavasoftusa.com/support/download/
or here (alternate download location)
http://www.majorgeeks.com/download506.html

You need to be logged on as Administrator through the installation.
Install it by double clicking the downloaded file. (called aawsepersonal.exe at the moment)
It is recommended to use the default setting of "Protect anyone who uses this computer".

On the main screen of Adaware please look for the *check for updates now* link, just above the start button in the bottom right corner or you can click on the Webupdate button that looks like a globe icon at the top. Press * connect* to let it check for any recent updates. If any are found, please let it download and install them.

Configure your settings. Click the gear icon at the top. These are the recommended settings:

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

On your first scan, use the Full Scan (Perform full system scan) mode.

Let Adaware remove any *bad* objects found. Reboot your PC and scan again. Repeat this process until no more bad items are found. It may take several scans to clean everything, depending on the type of infections found.
******************

Get a good online virus scan at HouseCall

Post a fresh log here (along with any info you think pertinent) so we can see how we did.


-------------- Some info (partial)
Pynix.dll => http://www.doxdesk.com/parasite/Transponder.html
questmod.dll => http://sarc.com/avcenter/venc/data/adware.sa.html
DSMANA~1.DLL => CoolWebSearch variant
drct16.dll => indicates a haxdoor infection such as indicated in
http://securityresponse.symantec.com/avcen....haxdoor.d.html

Attached Files


Edited by IMM, 21 March 2005 - 11:25 AM.
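IMM's posts #2 and #4 both turn on the same manual chore: picking the "3 letter specials" out of the O4 Run section (a three-letter value name launching a three-letter .exe dropped straight into C:\WINDOWS or C:\WINDOWS\System32), deduplicating the HKLM/HKCU pairs into a file list for Killbox, and then spotting the freshly generated names in the next log, which is how you tell the dropper is still alive. The script below is an added example written for this thread, not a tool from the forum or from HijackThis; the regexes are my own heuristic for this one family, and the two sample logs are constructed from lines quoted in this topic (the earlier log and the one IMM reposted in #6). A three-letter legitimate program would also need a three-letter value name to trip it, so false positives are rare, but treat the output as a shortlist to confirm against the full log, not a verdict.

```python
import re

# O4 Run line as HijackThis 1.99.1 prints it. The ".." between the hive and
# "Run" is HijackThis's abbreviation of Software\Microsoft\Windows\CurrentVersion.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# The "3 letter special" shape from this thread (my heuristic, not an official
# signature): three-letter value name, three-letter .exe in WINDOWS or System32.
SPECIAL_NAME = re.compile(r"^[A-Za-z]{3}$")
SPECIAL_PATH = re.compile(r"^C:\\WINDOWS\\(?:System32\\)?[A-Za-z]{3}\.exe$", re.IGNORECASE)

# Constructed sample logs built from lines posted in this topic. LOG_BEFORE is the
# shape of the 3/20 log, LOG_AFTER the 3/21 log after the first clean-up attempt.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKLM\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Nnl] C:\WINDOWS\Vhr.exe
O4 - HKCU\..\Run: [Ppo] C:\WINDOWS\System32\Hfh.exe
O4 - Startup: winupdate16907254[1].exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKLM\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
"""


def parse_o4_run(line):
    """Return (hive, value_name, command) for an O4 Run line, or None for anything else."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    return m.group("hive"), m.group("name"), m.group("cmd")


def is_three_letter_special(value_name, command):
    """True when both the value name and the launched file match the random 3-letter shape."""
    return bool(SPECIAL_NAME.match(value_name) and SPECIAL_PATH.match(command))


def find_specials(log_text):
    """All (hive, name, path) entries in a log that look like 3 letter specials, in log order."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_o4_run(line)
        if parsed and is_three_letter_special(parsed[1], parsed[2]):
            found.append(parsed)
    return found


def files_to_remove(log_text):
    """Unique file paths behind the specials, suitable for a Killbox delete-on-reboot list.
    HKLM and HKCU normally point at the same file, so dedupe case-insensitively."""
    seen = {}
    for _hive, _name, path in find_specials(log_text):
        seen.setdefault(path.lower(), path)
    return sorted(seen.values(), key=str.lower)


def regenerated_specials(old_log, new_log):
    """Specials present in the new log but absent from the old one. Fresh names after a
    clean-up mean a dropper survived and is re-creating its Run entries."""
    old = {(n.lower(), p.lower()) for _h, n, p in find_specials(old_log)}
    return [e for e in find_specials(new_log) if (e[1].lower(), e[2].lower()) not in old]


if __name__ == "__main__":
    print("Specials in first log:")
    for hive, name, path in find_specials(LOG_BEFORE):
        print(f"  {hive} [{name}] {path}")
    print("Files for Killbox:")
    for path in files_to_remove(LOG_BEFORE):
        print("  " + path)
    print("Regenerated in second log:")
    for hive, name, path in regenerated_specials(LOG_BEFORE, LOG_AFTER):
        print(f"  {hive} [{name}] {path}")
```

Paste a real log into LOG_BEFORE and the next one into LOG_AFTER; an empty "regenerated" list after a reboot is the signal IMM is waiting for before asking for the next log.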


#5 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 21 March 2005 - 11:59 AM

It looks like there will be more to do after that - it appears that the 3 letter special (Spywad) will have really messed up some desktop and other settings :thumbsup:

#6 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 23 March 2005 - 04:30 PM

I just got your email - please do NOT send logs by email - I don't usu. respond at all that way (and I don't check that mailbox often unless I'm expecting something)
Here is the log you sent

Logfile of HijackThis v1.99.1
Scan saved at 10:23:14 PM, on 3/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\Jnp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jean\Application Data\Mozilla\Profiles\default\b1rfknvs.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKLM\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKLM\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKLM\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKLM\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKLM\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKLM\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKLM\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Gif] C:\WINDOWS\Mbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKCU\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKCU\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKCU\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKCU\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKCU\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKCU\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKCU\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKCU\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Gif] C:\WINDOWS\Mbs.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

#7 IMM

Posted 23 March 2005 - 04:32 PM

There is possibly an item in ShellServiceObjectDelayLoad.
Make a StartupList log - save it where you can find it and post it here later.
To get the StartupList log in HJT use Misc. Tools > place a check beside "List also minor sections (full)" > then press the "Generate StartupList log" button.

Let's try this:

Use Ctrl-Alt-Del and end this process (or whichever 3-letter one you have at the moment):
C:\WINDOWS\System32\Jnp.exe

Download the Freeclean utility from
http://www.smart-security.info/removal.html
and save it somewhere handy (don't run it yet)

Disconnect from the internet (pull the phone line or equivalent)

Fix these entries with HijackThis (add any new 3 letter ones to this list)
O4 - HKLM\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKLM\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKLM\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKLM\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKLM\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKLM\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKLM\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKLM\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Gif] C:\WINDOWS\Mbs.exe
O4 - HKCU\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKCU\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKCU\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKCU\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKCU\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKCU\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKCU\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKCU\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKCU\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Gif] C:\WINDOWS\Mbs.exe


Run the cleaning (freeclean) utility you downloaded
Reboot immediately!

Reconnect and post a fresh log

Edited by IMM, 23 March 2005 - 07:05 PM.
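What IMM's fix list is keyed on can be checked mechanically. The Python below is an added example for this thread, not part of IMM's post and not a HijackThis feature: it parses the O4 Run-key lines of a HijackThis log and flags the pattern seen here (a three-letter value name paired with a three-letter .exe, an unrecognised binary sitting directly in C:\WINDOWS or C:\WINDOWS\System32, and the same value registered under both HKLM and HKCU Run). The three rules are heuristics chosen for this log, not a HijackThis rule set; the sample log is constructed from the O4 lines quoted in the first post, and both the one-entry allowlist (ctfmon.exe) and the C:\WINDOWS install path are assumptions.

```python
r"""Triage the O4 (Run-key) lines of a HijackThis log for the pattern IMM is
chasing in this thread: randomly named three-letter .exe files dropped directly
into C:\WINDOWS or C:\WINDOWS\System32 and registered under both HKLM and HKCU Run.

Added example for this thread, not a HijackThis or BleepingComputer tool.
SAMPLE_LOG is constructed from the O4 lines quoted in the first post."""
import re
from collections import Counter

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKLM\..\Run: [bibpblts] c:\windows\system32\bibpblts.exe
O4 - HKLM\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKLM\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKLM\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKLM\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKLM\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKLM\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKLM\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKLM\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKLM\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Gif] C:\WINDOWS\Mbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Buo] C:\WINDOWS\System32\Jnp.exe
O4 - HKCU\..\Run: [Bhc] C:\WINDOWS\Krr.exe
O4 - HKCU\..\Run: [Blb] C:\WINDOWS\System32\Fdq.exe
O4 - HKCU\..\Run: [Lgv] C:\WINDOWS\System32\Uhl.exe
O4 - HKCU\..\Run: [Fea] C:\WINDOWS\System32\Nvk.exe
O4 - HKCU\..\Run: [Pfi] C:\WINDOWS\Qiq.exe
O4 - HKCU\..\Run: [Fkk] C:\WINDOWS\Cio.exe
O4 - HKCU\..\Run: [Bkt] C:\WINDOWS\Qkm.exe
O4 - HKCU\..\Run: [Rrt] C:\WINDOWS\Mvs.exe
O4 - HKCU\..\Run: [Aqc] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Gif] C:\WINDOWS\Mbs.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
"""

O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)  # executable path before any arguments
THREE_LETTERS = re.compile(r'^[A-Za-z]{3}$')
SYSTEM_DIRS = {r'c:\windows', r'c:\windows\system32'}  # assumes Windows is installed on C:
ALLOWLIST = {'ctfmon.exe'}  # Microsoft binary that XP legitimately auto-runs from System32


def parse_o4_run(log_text):
    """Yield (hive, value name, executable path, raw line) for each O4 Run entry."""
    for raw in (line.strip() for line in log_text.splitlines()):
        m = O4_RUN_RE.match(raw)
        if m:
            exe = EXE_RE.match(m.group('cmd'))
            path = exe.group('path') if exe else m.group('cmd')
            yield m.group('hive'), m.group('name'), path, raw


def flagged(log_text):
    """Return [(raw line, exe path, reasons)] for the entries worth fixing, in log order."""
    entries = list(parse_o4_run(log_text))
    # The dropper registered every binary under both hives; count each (name, path) pair.
    seen_in = Counter((name.lower(), path.lower()) for _, name, path, _ in entries)
    results = []
    for _hive, name, path, raw in entries:
        directory, _, filename = path.lower().rpartition('\\')
        stem = filename[:-4] if filename.endswith('.exe') else filename
        reasons = []
        if THREE_LETTERS.match(name) and THREE_LETTERS.match(stem):
            reasons.append('random three-letter value name and file name')
        if directory in SYSTEM_DIRS and filename not in ALLOWLIST:
            reasons.append('unrecognised binary directly in a Windows system directory')
        if seen_in[(name.lower(), path.lower())] > 1:
            reasons.append('same value registered in both HKLM and HKCU')
        if reasons:
            results.append((raw, path, reasons))
    return results


def fix_list(log_text):
    """The O4 lines to tick in HijackThis, in log order (IMM's 23-line list for this log)."""
    return [raw for raw, _, _ in flagged(log_text)]


def kill_list(log_text):
    """Distinct executables to end in Task Manager before fixing the entries."""
    return sorted({path for _, path, _ in flagged(log_text)}, key=str.lower)


if __name__ == '__main__':
    print('End these processes first:')
    for path in kill_list(SAMPLE_LOG):
        print('  ' + path)
    print('\nTick these in HijackThis:')
    for raw, _, reasons in flagged(SAMPLE_LOG):
        print(f'  {raw}    <- {"; ".join(reasons)}')
```

Run it against the whole log rather than an excerpt, and read the reasons rather than the count: an entry flagged only because it sits in System32 (bibpblts.exe here) deserves a second look before it is fixed, while one that trips all three rules is the dropper's own. The kill list is what to end in Task Manager first, in the order IMM gives, since a running copy can re-create the Run value after HijackThis deletes it.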


#8 uukelly

Posted 23 March 2005 - 07:19 PM

IMM:

OK, I followed the latest instructions. I used Ctrl-Alt-Del and ended any processes that were 3-letter .exe files. I downloaded "Freeclean", disconnected from the internet, ran HJT (there were no 3-letter specials), and tried to run "Freeclean", but it said I needed to reboot to "uninstall", which I thought was strange.

I tried to reboot my pc and I can't even boot up now. It can't get beyond the Symantec Anti-Virus install when I get an Error 2718, {DEFC6259-3AD8-4CD2-BC57-D4937AF5CCOE} error.

I can get to my main screen but no screensaver and I cannot see many things like HJT, Freeclean, Killbox.

Help!

#9 uukelly

Posted 23 March 2005 - 07:37 PM

IMM:

I forgot to provide my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:55 PM, on 3/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Jean\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jean\Application Data\Mozilla\Profiles\default\b1rfknvs.slt\prefs.js)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

#10 uukelly

Posted 23 March 2005 - 07:46 PM

IMM: I do not understand your miscellaneous tools instructions and pulling it into HJT--could you elaborate for me please? Thanks.

#11 Grinler

Lawrence Abrams, Admin

Posted 23 March 2005 - 09:32 PM

uukelly, I have merged all your topics back to the original. When making a reply to IMM about this topic and your problem, DO NOT make a new topic; instead, reply to this existing one so there is a continuous train of thought for IMM as he works on your log.

IMM will get back to you when he is available. Please be patient.

#12 IMM

Posted 23 March 2005 - 10:00 PM

That the screensaver is gone and that your "active desktop (web content)" is gone from the desktop is good news for now.
It was part of the problem - you may want to reapply some settings later when you are sure you are clean.
The shortcuts for the missing ones were probably part of the "web content" on the desktop - don't worry about it - they aren't really gone.

I see that no new 3 letter specials have shown up :thumbsup:

Regarding the HijackThis scan log
Don't run this thing from within Winzip!

Unzip it to a location where you will keep it. ( C:\HijackThis\ ) would be a good location.
You have been running it from the Temp folder and that is bad news! (probably as a result of running it from within WinZip)
The program will make backups in the folder it's run from.
These easily get lost in a Temp folder and are an annoyance on the desktop.
When you have it unzipped - you can right click on hijackthis.exe and "send To" the desktop - this will make a shortcut to it on the desktop

Run HijackThis (the exe, not the zip) and rather than click Scan - click the "Open Misc Tools section" instead.
Put a check in the "show minor sections" box and then click "Generate StartupList".

The same thing about unzipping it to a folder applies to Killbox - when you've got it - clean out the temp files with it.

#13 uukelly

Posted 24 March 2005 - 02:19 PM

Sorry about adding new topics. I'm learning how to navigate your site.
OK--followed all the newest directions and below is the startup log. I will reboot now and see if the Symantec Anti Virus s/w executes:

StartupList report, 3/24/2005, 2:12:59 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\All Users\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
KODAK Picture Transfer Software.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
iRiver Updater = C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

CCHelper - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll - {0CF0B8EE-6596-11D5-A98E-0003470BB48E}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BlackICE: "C:\Program Files\ISS\BlackICE\blackd.exe" (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCFS2K: system32\drivers\dcfs2k.sys (autostart)
Dcfssvc: %SystemRoot%\system32\drivers\dcfssvc.exe (autostart)
DefWatch: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Diskeeper: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
Symantec AntiVirus Client: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,794 bytes
Report generated in 0.210 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
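The sections of this report IMM was after (he suspected a ShellServiceObjectDelayLoad item in post #7) can be checked against known-good values rather than by eye. The Python below is an added example for this thread, not part of any post and not a HijackThis feature: it parses the SSODL, Winlogon UserInit and registry Shell sections of a StartupList report and compares them with the Windows XP SP1 defaults. The four SSODL entries in the report above (PostBootReminder, CDBurn, WebCheck, SysTray, backed by shell32.dll, webcheck.dll and stobject.dll) are exactly that default set. CLEAN_REPORT is cut down from the report posted above; TAMPERED_REPORT is a constructed variant with a made-up entry, there only to show what a finding looks like; the C:\WINDOWS install path is an assumption taken from this log.

```python
r"""Audit the persistence sections of a HijackThis StartupList report against the
Windows XP SP1 defaults: the ShellServiceObjectDelayLoad (SSODL) entries IMM asked
about, the Winlogon UserInit value and the registry Shell value.

Added example for this thread, not a HijackThis or BleepingComputer tool.
CLEAN_REPORT is cut down from the report posted in this thread; TAMPERED_REPORT
adds a constructed, hypothetical rogue entry to show what a finding looks like."""

CLEAN_REPORT = r"""
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,794 bytes
"""

# Constructed tampering (hypothetical names): an extra SSODL entry and a second
# program chained onto UserInit, two places this kind of malware likes to hide.
TAMPERED_REPORT = CLEAN_REPORT.replace(
    r'SysTray: C:\WINDOWS\System32\stobject.dll',
    'SysTray: C:\\WINDOWS\\System32\\stobject.dll\n'
    'ExampleHelper: C:\\WINDOWS\\System32\\example_hypothetical.dll',
).replace(
    r'UserInit = C:\WINDOWS\system32\userinit.exe,',
    r'UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\example_hypothetical.exe',
)

# Windows XP SP1 defaults: SSODL value name -> DLL that should back it
XP_SSODL_DEFAULTS = {
    'PostBootReminder': 'shell32.dll',
    'CDBurn': 'shell32.dll',
    'WebCheck': 'webcheck.dll',
    'SysTray': 'stobject.dll',
}
DEFAULT_USERINIT = r'c:\windows\system32\userinit.exe,'
DEFAULT_SHELL = 'explorer.exe'


def parse_sections(report):
    """Map each 'Heading:' line to the non-blank lines under it, up to the next dashed rule."""
    sections, current = {}, None
    for line in (raw.strip() for raw in report.splitlines()):
        if not line:
            continue
        if line.startswith('---') or line.startswith('==='):
            current = None
        elif line.endswith(':'):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _norm(value):
    # Assumes Windows is installed in C:\WINDOWS, as in this log
    return value.strip().lower().replace('%systemroot%', r'c:\windows')


def audit(report):
    """Return a list of findings; an empty list means every checked value is the XP default."""
    secs = parse_sections(report)
    findings = []
    for line in secs.get('Enumerating ShellServiceObjectDelayLoad items:', []):
        name, _, path = line.partition(': ')
        if XP_SSODL_DEFAULTS.get(name) != _norm(path).rpartition('\\')[2]:
            findings.append(f'SSODL entry not in XP defaults: {line}')
    for line in secs.get('Checking Windows NT UserInit:', []):
        if line.startswith('UserInit = ') and _norm(line[len('UserInit = '):]) != DEFAULT_USERINIT:
            findings.append(f'UserInit altered: {line}')
    for line in secs.get('Shell & screensaver key from Registry:', []):
        if line.startswith('Shell=') and _norm(line[len('Shell='):]) != DEFAULT_SHELL:
            findings.append(f'Shell altered: {line}')
    return findings


if __name__ == '__main__':
    print('clean report   :', audit(CLEAN_REPORT) or 'no findings')
    for finding in audit(TAMPERED_REPORT):
        print('tampered report:', finding)
```

Because the report is free text, the parser keys on the heading lines exactly as StartupList 1.52.2 prints them; another version may word them differently. A clean SSODL list does not clear the machine on its own, but it does rule out one persistence point that survives a Run-key clean-up, which is why IMM asked for this report after the O4 entries were fixed.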

#14 uukelly

Posted 24 March 2005 - 02:36 PM

I rebooted my pc and I am unable to execute Symantec AntiVirus. I continue to receive "Internal Error 2718 {OEFC6259-3AD8-4CD2-BC57-D4937AF5CCOE}. However, my pc looks 200% better thanks to you! Any suggestions on what I can do to restore the AntiVirus application?

#15 IMM

Posted 24 March 2005 - 04:41 PM

I'm sorry to say that some viruses and trojans will destroy files associated with antivirus applications.
The best bet is probably going to be to reinstall it.

At this point, turn off System Restore: http://www.trendmicro.com/en/security/advi...in_me_clean.htm
Reboot with it off and then turn it on - it will make a fresh restore point

Before you do anything about fixing Norton - get a good online virus scan at HouseCall.
If that one gives trouble try one of the other free scans you can find in
http://www.bleepingcomputer.com/forums/Vir...urces-t405.html

Edited by IMM, 24 March 2005 - 04:42 PM.




