
Can someone help please?


  • This topic is locked
26 replies to this topic

#1 zrmjsr

  • Members
  • 34 posts
  • Gender:Male

Posted 01 May 2005 - 01:33 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:22:47 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ienx32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\windows\system32\saie.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\HomelandNetwork\HomelandNetwork.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\nznkmz.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\gg95h2u5\gg95h2u5.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\lmhrhe.exe
c:\windows\system32\jfuppd.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\r?ndll32.exe
C:\WINDOWS\System32\lmhrhe.exe
C:\Documents and Settings\Susan\Application Data\eetu.exe
C:\WINDOWS\System32\robpsnap.exe
C:\wp.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\gg95h2u5\25985876.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\gg95h2u5\gg95h2u5.exe
C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\YP010VO9\HijackThis[1]\HijackThis.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\System32\winsta.exe
C:\WINDOWS\System32\kbdlt1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50266
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50266
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50266
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0F1C7655-3424-3D59-0FBE-AC5AAE8D7B58} - C:\WINDOWS\system32\apioi32.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [appqr32.exe] C:\WINDOWS\system32\appqr32.exe
O4 - HKLM\..\Run: [Homeland Network] "C:\Program Files\HomelandNetwork\HomelandNetwork.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderoso51dbkaIXM] "C:\WINDOWS\System32\sbetetab.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [oF7f3pe] sbetetab.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [gg95h2u5] C:\Program Files\gg95h2u5\gg95h2u5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [glqnwhst] C:\WINDOWS\glqnwhst.exe
O4 - HKLM\..\Run: [rcedfk] c:\windows\system32\jfuppd.exe
O4 - HKCU\..\Run: [ccfgnt] C:\WINDOWS\System32\ccfgnt.exe
O4 - HKCU\..\Run: [winsta] C:\WINDOWS\System32\winsta.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iwsunmdj] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Susan\Application Data\eetu.exe
O4 - HKCU\..\Run: [lmhrhe] C:\WINDOWS\System32\lmhrhe.exe
O4 - HKCU\..\Run: [ZoopRfKml] robpsnap.exe
O4 - HKCU\..\Run: [kbdlt1] C:\WINDOWS\System32\kbdlt1.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [lmhrhe] C:\WINDOWS\System32\lmhrhe.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.realizeit.biz/v278/dropper.chm::/dropper.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99967467-DC91-4C82-B29C-A234BAD605FC}: NameServer = 205.188.146.145
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11F▀ń#Ě║─Í`I) - Unknown owner - C:\WINDOWS\ienx32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 May 2005 - 03:32 PM

Wow... That is a nice collection you have in there.
So we have to take care of it in different steps.
It is really important you follow ALL my next steps.
When you have finished those steps, you'll still have some problems, but we need to clean up most of it first.

Uninstall the following programs via Add/Remove Programs:

WinTools
WebSeach Toolbar
Ebates_MoeMoneyMaker
Web_Rebates
TV Media
Web Offer
Security iGuard
AutoUpdate
VBouncer
CashBack
BullsEye Network
MyWebSearch
YourSiteBar


REBOOT afterwards.

Download CWShredder
Start CWShredder and click FIX

Download About:Buster
Unzip the files to a convenient location such as C:\AboutBuster.
Start AboutBuster and Click: "Check for updates"
Download the updates if present.
When done, click Start to begin the scan.
If prompted to end the Explorer.exe process, click Yes.
Your desktop may disappear.. but don't worry, this is normal.
Allow AboutBuster to scan a second time.
When completed, click: "Save log".

Download the latest version of Ad-Aware:
http://www.lavasoft.de/support/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'Install'.

* Perform an online scan with HouseCall and eTrust and let them delete everything they find.

Reboot your computer.

Post a new HijackThis log in your next reply together with the log from AboutBuster (AB Logfile.txt, present in the AboutBuster folder).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
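As an added example (not code from the thread, from BleepingComputer or from HijackThis itself): a small Python triage script that parses entry lines in the log format posted above and flags the entry types the reply acts on, namely res:// search-page hijacks, the extra program on the system.ini Shell= line, Trusted Zone and Trusted IP entries (what DelDomains.inf clears), BHOs whose DLL is missing, autostart entries with an unqualified filename, and services with no vendor name. The sample lines are constructed from entries in the first log; the heuristics, the `Finding` type and the function names are mine and are not exhaustive.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of entry lines in the shape of the
# HijackThis v1.99.1 log posted above (raw string, so backslashes stay).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nbbyy.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0F1C7655-3424-3D59-0FBE-AC5AAE8D7B58} - C:\WINDOWS\system32\apioi32.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ZoopRfKml] robpsnap.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

# Every HijackThis entry starts with a section tag (R0, F2, O4, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# The O4 body carries the run-key value name in [...] followed by the command.
O4_COMMAND = re.compile(r"\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each entry line; header and process list are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def triage(log_text):
    """Return the entries worth a second look, in log order, with the reason each was flagged."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        reason = None
        if section in ("R0", "R1") and "res://" in body:
            # IE search/start page pointed into a local DLL resource: classic hijack pattern.
            reason = "IE search/start page redirected into a local DLL resource (res://)"
        elif section == "F2" and body.startswith("REG:system.ini: Shell="):
            # Anything after Explorer.exe on the Shell= line is started at every logon.
            tokens = body.split("Shell=", 1)[1].split()
            extra = [t for t in tokens if t.lower() != "explorer.exe"]
            if extra:
                reason = "system.ini Shell= starts extra program(s) at logon: " + " ".join(extra)
        elif section == "O2" and "(file missing)" in body:
            reason = "BHO registration whose DLL is gone (stale entry left behind by a removal)"
        elif section == "O4":
            m = O4_COMMAND.search(body)
            if m:
                exe = m.group("cmd").strip('"').split()[0]
                if "\\" not in exe:
                    # A bare filename is resolved through PATH; legitimate vendors write full paths.
                    reason = "autostart entry uses an unqualified filename resolved via PATH: " + exe
        elif section == "O15":
            # Trusted Zone / Trusted IP entries relax IE security for those hosts.
            reason = "IE Trusted Zone entry: content from this host runs with relaxed settings"
        elif section == "O23" and "- Unknown owner -" in body:
            reason = "service with no vendor name; verify the binary before trusting it"
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```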

#3 zrmjsr

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male

Posted 02 May 2005 - 09:08 PM

Thank you, thank you, thank you. I am down to the portion of the instructions for HouseCall. I have run the scan but I do not see a "delete" button, and when I choose the option to "clean and rescan" or "clean" the files, it asks for a ticket number. I have requested a ticket number but did not receive one by email. Is there something that I am overlooking? I really do appreciate your help. I have mentioned that website at work today to numerous people. Thanks again.

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 May 2005 - 12:00 AM

I didn't know it asks for a ticket number now.
Perform an online scan with eTrust instead.
BitDefender is also a great online scanner: http://www.bitdefender.com/scan/licence.php

#5 zrmjsr

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male

Posted 03 May 2005 - 10:12 PM

I finally got the BitDefender to scan. I have rebooted the computer. I hope this makes sense to you and I hope there is "hope" for all of this. I am so frustrated and I really appreciate everything you are trying to do. This is a great website and I am amazed at you guys.

Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:07:36 PM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HomelandNetwork\HomelandNetwork.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nznkmz.exe
C:\Program Files\gg95h2u5\gg95h2u5.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\tiuppzc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\gg95h2u5\25985876.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\gg95h2u5\gg95h2u5.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Documents and Settings\Susan\Desktop\AboutBuster\AboutBuster\AboutBuster.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\winsta.exe
C:\WINDOWS\System32\kbdlt1.exe
C:\Documents and Settings\Susan\Local Settings\Temp\Temporary Directory 2 for HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Homeland Network] "C:\Program Files\HomelandNetwork\HomelandNetwork.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [AutoLoaderoso51dbkaIXM] "C:\WINDOWS\System32\sbetetab.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [oF7f3pe] sbetetab.exe
O4 - HKLM\..\Run: [gg95h2u5] C:\Program Files\gg95h2u5\gg95h2u5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [caeqld] c:\windows\system32\tiuppzc.exe
O4 - HKCU\..\Run: [kbdlt1] C:\WINDOWS\System32\kbdlt1.exe
O4 - HKCU\..\Run: [winsta] C:\WINDOWS\System32\winsta.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99967467-DC91-4C82-B29C-A234BAD605FC}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file miss


AboutBuster:

Scanned at: 8:23:00 PM on: 5/1/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\BcdSetup.log:rleaz
C:\WINDOWS\BOOTSTAT.DAT:kmpft
C:\WINDOWS\cdPlayer.ini:cmhlv
C:\WINDOWS\conscorr.ini:yhdbz
C:\WINDOWS\Digital Signature 20021227.htm:shfkq
C:\WINDOWS\Digital Signature 20040813.htm:wwdzz
C:\WINDOWS\DirectTVIcon.ico:nsxhx
C:\WINDOWS\DirectX.log:pxvet
C:\WINDOWS\dirsaver.ini:vvwlo
C:\WINDOWS\DtcInstall.log:ytqmr
C:\WINDOWS\ISSM0064.DAT:xrmeb
C:\WINDOWS\jydja.log:prejd
C:\WINDOWS\kozsd.dll:hkxjj
C:\WINDOWS\ljvrc.dll:keacf
C:\WINDOWS\lxrmk.dat:dethz
C:\WINDOWS\msnavpklog.txt:nrkzu
C:\WINDOWS\NCUNINST.EXE:oqahm
C:\WINDOWS\NDNuninstall4_80.exe:zpxsj
C:\WINDOWS\NDNuninstall4_80.exe:zpxsj
C:\WINDOWS\NDNuninstall4_88.exe:gjsmp
C:\WINDOWS\NDNuninstall5_64.exe:zzahy
C:\WINDOWS\netflix.ico:ztpfy
C:\WINDOWS\nsreg.dat:hxhbt
C:\WINDOWS\ntdtcsetup.log:ueisx
C:\WINDOWS\n_alpvbs.log:nojeo
C:\WINDOWS\n_ievfgm.dat:qwtjx
C:\WINDOWS\OEWABLog.txt:blvon
C:\WINDOWS\Prairie Wind.bmp:kssrz
C:\WINDOWS\Q811630.log:qapec
C:\WINDOWS\SchedLgU.Txt:hivgz
C:\WINDOWS\setdebug.exe:ajgub
C:\WINDOWS\SETUPERR.LOG:elqbw
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\smdat32m.sys:xljgy
C:\WINDOWS\smscfg.ini:kkrex
C:\WINDOWS\Sti_Trace.log:ddbss
C:\WINDOWS\sxici.dat:lmzhm
C:\WINDOWS\sxici.dat:lmzhm
C:\WINDOWS\trickortreaters.exe:cudwr
C:\WINDOWS\trickortreaters.scr:dwrql
C:\WINDOWS\TWAIN.DLL:plljn
C:\WINDOWS\TWAIN_32.DLL:wxjwo
C:\WINDOWS\TWUNK_32.EXE:tzzfh
C:\WINDOWS\unvise32.exe:bxjod
C:\WINDOWS\VB.INI:tycux
C:\WINDOWS\VB.INI:tycux
C:\WINDOWS\VBADDIN.INI:lyclr
C:\WINDOWS\VMMREG32.DLL:drnrt
C:\WINDOWS\wininit.ini:hyata


Removed! : C:\WINDOWS\aphhd.dat
Removed! : C:\WINDOWS\biylo.dat
Removed! : C:\WINDOWS\d3so.exe
Removed! : C:\WINDOWS\elbfe.dat
Removed! : C:\WINDOWS\fcgnk.dat
Removed! : C:\WINDOWS\kbwlb.dll
Removed! : C:\WINDOWS\kuzpa.dat
Removed! : C:\WINDOWS\ljvrc.dll
Removed! : C:\WINDOWS\noepm.dat
Removed! : C:\WINDOWS\ntrrz.dat
Removed! : C:\WINDOWS\oepmi.dll
Removed! : C:\WINDOWS\svncp.dat
Removed! : C:\WINDOWS\taofz.dat
Removed! : C:\WINDOWS\tdylr.dat
Removed! : C:\WINDOWS\ueisx.dat
Removed! : C:\WINDOWS\wfqmb.dll
Removed! : C:\WINDOWS\xquxs.dat
Removed! : C:\WINDOWS\yahwq.dll
Removed! : C:\WINDOWS\zbolh.dat
Removed! : C:\WINDOWS\System32\ackgt.dat
Removed! : C:\WINDOWS\System32\atlyj32.exe
Removed! : C:\WINDOWS\System32\brxhh.dat
Removed! : C:\WINDOWS\System32\bxhjw.dat
Removed! : C:\WINDOWS\System32\dmrvo.dat
Removed! : C:\WINDOWS\System32\ewonx.dat
Removed! : C:\WINDOWS\System32\gknol.dat
Removed! : C:\WINDOWS\System32\iknxg.dat
Removed! : C:\WINDOWS\System32\ipybz.dat
Removed! : C:\WINDOWS\System32\irqpy.dll
Removed! : C:\WINDOWS\System32\nzwqp.dat
Removed! : C:\WINDOWS\System32\okvxf.dll
Removed! : C:\WINDOWS\System32\qoxbh.dll
Removed! : C:\WINDOWS\System32\rbgvo.dll
Removed! : C:\WINDOWS\System32\rfkhw.dat
Removed! : C:\WINDOWS\System32\rqcoh.dat
Removed! : C:\WINDOWS\System32\rtutk.dat
Removed! : C:\WINDOWS\System32\vhofb.dat
Removed! : C:\WINDOWS\System32\yqrzi.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\BcdSetup.log:rleaz
C:\WINDOWS\BOOTSTAT.DAT:kmpft
C:\WINDOWS\cdPlayer.ini:cmhlv
C:\WINDOWS\conscorr.ini:yhdbz
C:\WINDOWS\Digital Signature 20021227.htm:shfkq
C:\WINDOWS\Digital Signature 20040813.htm:wwdzz
C:\WINDOWS\DirectTVIcon.ico:nsxhx
C:\WINDOWS\DirectX.log:pxvet
C:\WINDOWS\dirsaver.ini:vvwlo
C:\WINDOWS\DtcInstall.log:ytqmr
C:\WINDOWS\ISSM0064.DAT:xrmeb
C:\WINDOWS\jydja.log:prejd
C:\WINDOWS\kozsd.dll:hkxjj
C:\WINDOWS\ljvrc.dll:keacf
C:\WINDOWS\lxrmk.dat:dethz
C:\WINDOWS\msnavpklog.txt:nrkzu
C:\WINDOWS\NCUNINST.EXE:oqahm
C:\WINDOWS\NDNuninstall4_80.exe:zpxsj
C:\WINDOWS\NDNuninstall4_80.exe:zpxsj
C:\WINDOWS\NDNuninstall4_88.exe:gjsmp
C:\WINDOWS\NDNuninstall5_64.exe:zzahy
C:\WINDOWS\netflix.ico:ztpfy
C:\WINDOWS\nsreg.dat:hxhbt
C:\WINDOWS\ntdtcsetup.log:ueisx
C:\WINDOWS\n_alpvbs.log:nojeo
C:\WINDOWS\n_ievfgm.dat:qwtjx
C:\WINDOWS\OEWABLog.txt:blvon
C:\WINDOWS\Prairie Wind.bmp:kssrz
C:\WINDOWS\Q811630.log:qapec
C:\WINDOWS\SchedLgU.Txt:hivgz
C:\WINDOWS\setdebug.exe:ajgub
C:\WINDOWS\SETUPERR.LOG:elqbw
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\smdat32m.sys:xljgy
C:\WINDOWS\smscfg.ini:kkrex
C:\WINDOWS\Sti_Trace.log:ddbss
C:\WINDOWS\sxici.dat:lmzhm
C:\WINDOWS\sxici.dat:lmzhm
C:\WINDOWS\trickortreaters.exe:cudwr
C:\WINDOWS\trickortreaters.scr:dwrql
C:\WINDOWS\TWAIN.DLL:plljn
C:\WINDOWS\TWAIN_32.DLL:wxjwo
C:\WINDOWS\TWUNK_32.EXE:tzzfh
C:\WINDOWS\unvise32.exe:bxjod
C:\WINDOWS\VB.INI:tycux
C:\WINDOWS\VB.INI:tycux
C:\WINDOWS\VBADDIN.INI:lyclr
C:\WINDOWS\VMMREG32.DLL:drnrt
C:\WINDOWS\wininit.ini:hyata


Attempted Clean Of Temp folder.
Pages Reset... Done!


Help! Please!
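The AboutBuster output above reports each alternate data stream as host file, colon, stream name, and its Scan 2 list repeats the Scan 1 list line for line, which is the case worth catching. Added example, not part of the original thread: a Python script that parses "Removed Data Streams" sections, splits each entry on its last colon so the drive-letter colon is not taken for the stream separator, and reports which streams appear in both scans and which are new. The two log excerpts in the block are constructed from lines in the log above, shortened and varied so that the comparison has something to show.

```python
import re

# Constructed input: a few "Removed Data Streams" lines per scan, taken from the
# AboutBuster log in this thread, shortened and varied.  Real logs list dozens.
SCAN1 = r"""-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\BOOTSTAT.DAT:kmpft
C:\WINDOWS\cdPlayer.ini:cmhlv
C:\WINDOWS\ljvrc.dll:keacf
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\SETUPLOG.TXT:czbjo


Removed! : C:\WINDOWS\ljvrc.dll
Attempted Clean Of Temp folder.
"""

SCAN2 = r"""-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\BOOTSTAT.DAT:kmpft
C:\WINDOWS\cdPlayer.ini:cmhlv
C:\WINDOWS\SETUPLOG.TXT:czbjo
C:\WINDOWS\wininit.ini:hyata


Attempted Clean Of Temp folder.
"""

# Host path, then ':' and a stream name containing neither ':' nor '\'.
# The greedy host group makes the split happen at the LAST colon, so the
# drive-letter colon in "C:\..." is never mistaken for the stream separator.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\.+):(?P<stream>[^:\\]+)$")


def split_ads(line):
    """Return (host_file, stream_name) for a file:stream line, else None."""
    m = ADS_RE.match(line.strip())
    return (m["host"], m["stream"]) if m else None


def parse_streams(log_text):
    """Collect the unique (host, stream) pairs listed under
    'Removed Data Streams:'; the section ends at the first blank line."""
    found, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Removed Data Streams:":
            in_section = True
            continue
        if in_section:
            if not line:
                in_section = False
                continue
            pair = split_ads(line)
            if pair and pair not in found:   # the log repeats some entries
                found.append(pair)
    return found


def streams_in_both(first, second):
    """Streams reported in both scans: removal failed or the stream was
    recreated in between, either of which warrants a follow-up."""
    return sorted(set(first) & set(second))


def streams_only_in(first, second):
    """Streams reported in the first scan but not in the second."""
    return sorted(set(first) - set(second))


def by_host(streams):
    """Group stream names by host file, to see which files served as carriers."""
    out = {}
    for host, stream in streams:
        out.setdefault(host, []).append(stream)
    return out


if __name__ == "__main__":
    s1, s2 = parse_streams(SCAN1), parse_streams(SCAN2)
    for host, stream in streams_in_both(s1, s2):
        print(f"still reported after scan 1: {host}:{stream}")
    for host, stream in streams_only_in(s2, s1):
        print(f"new in scan 2:               {host}:{stream}")
```

A stream that is reported again on the second pass was either not removed or was recreated by something still running, which is one reason the helper asks for two scans in Safe Mode; on the real log above every Scan 1 entry comes back in Scan 2.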

#6 miekiemoes (Malware Response Team)

Posted 04 May 2005 - 03:06 AM

Hi there,

This is looking much better, but not finished yet.
We still need to perform a lot of steps, because some of the ones you are dealing with are nasty and need special treatment.

HijackThis is still in your temp folder, so I strongly advise you to create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder they can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

I strongly suggest you print out the next instructions, or save them in Notepad, because you'll have a lot of steps to take (in the right order) and you also have to work in Safe Mode, where this page won't be available.

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [AutoLoaderoso51dbkaIXM] "C:\WINDOWS\System32\sbetetab.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [oF7f3pe] sbetetab.exe
O4 - HKLM\..\Run: [gg95h2u5] C:\Program Files\gg95h2u5\gg95h2u5.exe
O4 - HKLM\..\Run: [caeqld] c:\windows\system32\tiuppzc.exe
O4 - HKCU\..\Run: [kbdlt1] C:\WINDOWS\System32\kbdlt1.exe
O9 - Extra button: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166E6AC8-9DB7-49EC-AE3F-87F6FDD3C28E} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file miss


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\DrPmon.dll
C:\WINDOWS\System32\nznkmz.exe
C:\Program Files\gg95h2u5 <== this folder
c:\windows\system32\tiuppzc.exe
C:\WINDOWS\System32\kbdlt1.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\System32\idctup20.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\cfgmgr51.dll
C:\Program Files\Ebates_MoeMoneyMaker <== this folder
E6F1873B.DLL
D9EBC318C
D0CE0C16B1
D0CE0C16B1

(most probably, those 4 files above are present in your system32-folder or Windows-folder)

* Go to start > run and type: sc delete SvcProc <OK>
Again in start > run and type: sc delete ZESOFT <OK>

* Still in safe mode, run CCleaner and click Run Cleaner (bottom right).

* Still in safe mode; Perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

* Also let AboutBuster scan twice in safe mode, so we are sure everything is gone.

* Reboot your system back to normal mode.

Download FindQoologic.zip save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic, preferably on your desktop.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens.
Save this text file.

If you get an error while running that scan similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.",
download and use the following fix: http://www.visualtour.com/downloads/xp_fix.exe

Download Findit
Unzip it to your desktop. Make sure the FindIt's.bat and XFind.com are together in the same UNZIPPED folder!
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!

Doubleclick FindIt's.bat. When the scan is done, it will produce a log.
Post that log in your next reply together with a fresh HijackThis log , the findqoologiclog and the log from ewido and I'll take another look.
So I'll need 4 logs from you.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
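The list the helper asks to check above is built from experience with these specific names. As an added example that is not part of the original thread, the Python below applies a few structural checks that a triage pass over HijackThis lines can automate: entries whose file is missing, Run values named with a hex string or a GUID, rundll32 loading a DLL by bare name (resolved through the search path), image names with no vowels, O16 ActiveX sources that are not http(s), O17 NameServer overrides (always worth confirming against the ISP) and O23 services with no owner. The sample lines are copied from the logs in this thread and are used here as constructed test input; the vowel heuristic is crude and will also trip on legitimate names such as hkcmd.exe from the same log, so the output is a list of leads for review, not verdicts.

```python
import re

# Constructed test input: HijackThis lines copied from the logs in this thread.
# Some were fixed by the helper, some are legitimate.
SAMPLE = r"""O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99967467-DC91-4C82-B29C-A234BAD605FC}: NameServer = 205.188.146.145
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.IGNORECASE)
VOWELS = set("aeiouy")


def image_path(cmd):
    """First token of a Run command: a quoted path, or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename_stem(path):
    """'C:\\dir\\nznkmz.exe' -> 'nznkmz'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    """Five or more letters and not a single vowel: crude, but catches nznkmz."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 5 and not (set(letters) & VOWELS)


def triage_line(line):
    """Return the list of reasons this HijackThis line deserves a look (empty if none)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    m = O4_RE.match(line)
    if m:
        name, cmd = m["name"], m["cmd"]
        if HEX_RE.match(name) or GUID_RE.match(name):
            reasons.append("Run value named with a hex string or GUID")
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = r["dll"]
            if "\\" not in dll:
                reasons.append("rundll32 loads a DLL by bare name (found via search path)")
            stem = basename_stem(dll)
            if looks_random(stem) or HEX_RE.match(stem):
                reasons.append("rundll32 DLL name looks machine-generated")
        elif looks_random(basename_stem(image_path(cmd))):
            reasons.append("image file name has no vowels (looks machine-generated)")
    elif line.startswith("O16 - DPF: "):
        _ident, sep, url = line[len("O16 - DPF: "):].partition(" - ")
        scheme = url.split(":", 1)[0].lower() if sep else ""
        if scheme not in ("http", "https"):
            reasons.append(f"ActiveX download source uses '{scheme or 'unknown'}' scheme, not http(s)")
    elif line.startswith("O17 - "):
        reasons.append("NameServer override: confirm this DNS server belongs to your ISP")
    elif line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].split(" - ")
        if len(parts) >= 3 and parts[1].strip().lower() == "unknown owner":
            reasons.append("service binary carries no vendor information")
    return reasons


def triage(log_text):
    """All flagged lines of a log as (line, reasons) pairs."""
    out = []
    for line in log_text.splitlines():
        reasons = triage_line(line.rstrip())
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE):
        print(line)
        for why in reasons:
            print("    ->", why)
```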

#7 zrmjsr (Topic Starter)

Posted 07 May 2005 - 09:15 PM

Hey there. Sorry it has been a few days, but between prom, a birthday, and a sickness in the family, it is hard to find the time. I am so sorry.

Where do I go to find "download FindQoologic?" It is probably right in front of my face.

Thanks. The more I look at this website, the better it gets.

#8 miekiemoes (Malware Response Team)

Posted 08 May 2005 - 02:25 AM

Download FindQoologic.zip save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Click that link and your download for findqoologic starts.


#9 zrmjsr (Topic Starter)

Posted 09 May 2005 - 05:43 PM

Hi there!

I hope that I have done all of this and done it correctly. I am afraid that the novice side of me is showing a little too much. I realize how much I don't know when I get into all of this. I am sorry that there are so many of us out there. When I look at the forums and see the number of pages..........

Anyway,

Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:12 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\nznkmz.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKCU\..\Run: [winsta] C:\WINDOWS\System32\winsta.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99967467-DC91-4C82-B29C-A234BAD605FC}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online 7.0 Tray Icon.lnk
DESKTOP.INI
Digital Line Detect.lnk

User Startup:
C:\Documents and Settings\Susan\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
<NO NAME> REG_SZ {85BBD920-42A0-1069-A2E4-08002B30309D}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
<NO NAME> REG_SZ {73B24247-042E-4EF5-ADC2-42F62E6FD654}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qyqxtymf
<NO NAME> REG_SZ {e4ef7ff2-f840-4ef6-b854-5827f507a69d}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:45
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]







Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/09/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 181F-FFEA

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 181F-FFEA

Directory of C:\WINDOWS\system32

04/27/2005 10:21 PM 766 Air Tickets.ico
04/27/2005 10:21 PM 4,286 Big Tits.ico
04/27/2005 10:21 PM 766 BlackJack.ico
04/27/2005 10:21 PM 2,238 Britney Spears.ico
04/27/2005 10:21 PM 2,238 Car Insurance.ico
04/27/2005 07:56 AM 2,238 Casino-on-Net.ico
04/27/2005 10:21 PM 2,238 Cigarettes.ico
04/27/2005 10:21 PM 4,606 Credit Card.ico
10/07/2004 07:53 PM 3,262 creditcard21.ico
04/27/2005 10:21 PM 2,238 Cruises.ico
10/07/2004 07:53 PM 4,286 dating1.ico
10/07/2004 07:53 PM 4,286 driving4dollars.ico
04/27/2005 10:21 PM 2,238 Forex Trading.ico
04/27/2005 07:57 AM 3,774 Free Cell Phone.ico
04/27/2005 07:57 AM 7,358 Free LapTop Computer.ico
04/27/2005 07:57 AM 3,774 Free Ringtones!.ico
04/27/2005 07:57 AM 7,358 Free Sony Playstation.ico
04/27/2005 07:57 AM 7,358 Free U2 iPod.ico
10/03/2004 10:13 PM 4,286 greenmovie1.ico
10/07/2004 07:53 PM 4,286 kevid1.ico
10/06/2004 10:13 PM 4,286 kill all spyware11.ico
10/07/2004 06:51 PM 2,526 kill all spyware31.ico
10/01/2004 02:50 PM 4,286 kill evidence1.ico
04/27/2005 10:21 PM 4,286 Lesbian Sex.ico
12/07/2001 03:40 PM 22,486 LRNXP.ICO
04/27/2005 10:21 PM 2,238 MP3.ico
04/27/2005 07:57 AM 3,774 NBA Giveaway.ico
04/27/2005 10:21 PM 2,238 Online Betting.ico
04/27/2005 10:21 PM 766 Online Casino.ico
04/27/2005 10:21 PM 766 Party Poker.ico
04/27/2005 10:21 PM 766 Pharmacy.ico
04/27/2005 10:21 PM 766 Phentermine.ico
10/01/2004 02:50 PM 3,262 poker1.ico
10/07/2004 07:53 PM 3,262 poker112.ico
10/06/2004 10:14 PM 3,262 pokercard1.ico
04/27/2005 10:21 PM 4,286 Pornstars.ico
04/27/2005 10:21 PM 4,534 Remove Spyware.ico
10/07/2004 07:53 PM 4,286 stop popups231.ico
10/01/2004 02:51 PM 4,286 usagold31.ico
10/07/2004 07:53 PM 4,286 usaplatinum51.ico
04/27/2005 10:21 PM 2,238 Viagra.ico
10/07/2004 07:53 PM 19,942 virushunter21.ico
42 File(s) 176,708 bytes
0 Dir(s) 49,744,523,264 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll



ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 9:43:56 PM, 5/7/2005
+ Report-Checksum: 5916253D

Reg\HKLM\Run HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
Reg\HKLM\Run IgfxTray C:\WINDOWS\System32\igfxtray.exe
Reg\HKLM\Run DVDSentry C:\WINDOWS\System32\DSentry.exe
Reg\HKLM\Run NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
Reg\HKLM\Run RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
Reg\HKLM\Run AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Reg\HKLM\Run DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run Homeland Network "C:\Program Files\HomelandNetwork\HomelandNetwork.exe"
Reg\HKLM\Run ICQ Lite C:\Program Files\ICQLite\ICQLite.exe -minimize
Reg\HKLM\Run msnappau "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
Reg\HKLM\Run AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
Reg\HKLM\Run AVG7_EMC C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Shell\CommonStartup America Online 7.0 Tray Icon.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
Shell\CommonStartup Digital Line Detect.lnk C:\Documents and Se




For some reason, I just don't know if this is right. I ask for your patience. I know that it is working because the desktop icons aren't popping up when I delete them.

Thanks.

#10 miekiemoes (Malware Response Team)

Posted 09 May 2005 - 05:52 PM

Well, I have to say you already did a great job, but I think you received an error while running findit's.bat and findqoologic similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application."
If I'm correct, please use the following fix and run findit's and findqoologic again (one by one, not at the same time): http://www.visualtour.com/downloads/xp_fix.exe

Post both logs in your next reply.

#11 zrmjsr (Topic Starter)

Posted 12 May 2005 - 07:45 PM

Okay, I am officially a total novice.

When I am opening the FindIt... I am getting a Norton AntiVirus alert: "Malicious script detected." It wants to know if it should "stop the script (recommended)". I told it to allow the script to continue once. Anyway, it ran through and gave me a text file. PLEASE let me know if this is what you needed or where I am missing the boat. I know you must get so frustrated with all of us.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online 7.0 Tray Icon.lnk
DESKTOP.INI
Digital Line Detect.lnk

User Startup:
C:\Documents and Settings\Susan\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
<NO NAME> REG_SZ {85BBD920-42A0-1069-A2E4-08002B30309D}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
<NO NAME> REG_SZ {73B24247-042E-4EF5-ADC2-42F62E6FD654}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qyqxtymf
<NO NAME> REG_SZ {e4ef7ff2-f840-4ef6-b854-5827f507a69d}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:45
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP"

I realize that this is just one text file but I don't feel like I am doing the right thing for some reason. (Could be that I am an idiot or this stuff makes me feel like one... sorry)

Is that the right action to take?

#12 miekiemoes (Malware Response Team)

Posted 12 May 2005 - 08:29 PM

Yes, those are the logs I want, but it's odd that findqoologic doesn't show any files, while I can see in your HijackThis log that it must show at least one.

Anyway, let's find out later.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nznkmz.exe
O4 - HKCU\..\Run: [winsta] C:\WINDOWS\System32\winsta.exe


* Click on Fix Checked when finished and exit HijackThis.

* Delete the following files in your system32 folder:

Air Tickets.ico
Big Tits.ico
BlackJack.ico
Britney Spears.ico
Car Insurance.ico
Casino-on-Net.ico
Cigarettes.ico
Credit Card.ico
creditcard21.ico
Cruises.ico
dating1.ico
driving4dollars.ico
Forex Trading.ico
Free Cell Phone.ico
Free LapTop Computer.ico
Free Ringtones!.ico
Free Sony Playstation.ico
U2 iPod.ico
greenmovie1.ico
kevid1.ico
kill all spyware11.ico
kill all spyware31.ico
kill evidence1.ico
Lesbian Sex.ico
LRNXP.ICO
MP3.ico
NBA Giveaway.ico
Online Betting.ico
Online Casino.ico
Party Poker.ico
Pharmacy.ico
Phentermine.ico
poker1.ico
poker112.ico
pokercard1.ico
Pornstars.ico
Remove Spyware.ico
stop popups231.ico
usagold31.ico
usaplatinum51.ico
Viagra.ico
virushunter21.ico
nznkmz.exe <== if you can't find or delete this one, don't worry, we'll deal with it later; just tell me if you found it and could delete it.

When finished, open notepad and copy and paste next contents in bold in it:
(don't forget to copy and paste REGEDIT4 in it)

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qyqxtymf]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]

[-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj]

[-HKEY_CURRENT_USER\Software\Bolger]

[-HKEY_CURRENT_USER\Software\aurora]


Save this as fix.reg, choose to save as *all files, and doubleclick on it. When it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot and post a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
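
A point that trips people up in the steps above: REGEDIT4 is the first line of the text you save, not a program to open. Here is an added example (my own code, not from this thread, not a HijackThis or BleepingComputer tool) that reads the text of such a .reg file and lists what merging it would do, so a fix can be reviewed before double-clicking it. It only parses text and never touches the registry, so it runs on any system. The function names parse_reg, deleted_keys and describe are my own; the sample input is the fix.reg content from the post above.

```python
"""Dry-run reader for a REGEDIT4 .reg file (added example, not from the thread).

Parses the text of a .reg file and lists what merging it would do: which keys
get deleted ("[-Key]"), which get created ("[Key]"), and which values get set
or removed. It never touches the registry, so it works on any OS and lets you
review a fix before double-clicking it.
"""
import re
from dataclasses import dataclass

KNOWN_HIVES = {
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}
# A value line: '@' (the default value) or a quoted name, then '=', then data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass
class RegAction:
    op: str            # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""     # value name, "(Default)" for '@'
    data: str = ""     # raw data text exactly as written in the file


def parse_reg(text: str) -> list:
    """Turn .reg text into a list of RegAction in file order."""
    lines = text.lstrip("\ufeff").splitlines()
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: first line must be REGEDIT4 "
                         "(it is file content to save, not a program to open)")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            delete = key.startswith("-")          # "[-Key]" removes the key
            if delete:
                key = key[1:]
            hive = key.split("\\", 1)[0].upper()
            if hive not in KNOWN_HIVES:
                raise ValueError(f"unknown hive in key: {key}")
            if delete:
                actions.append(RegAction("delete_key", key))
                current = None                    # values cannot follow a deletion
            else:
                actions.append(RegAction("create_key", key))
                current = key
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data == "-":                           # "name"=- removes one value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, data))
    return actions


def deleted_keys(text: str) -> list:
    """Just the keys a merge would remove; the usual question for a fix.reg."""
    return [a.key for a in parse_reg(text) if a.op == "delete_key"]


def describe(text: str) -> str:
    """Human-readable summary, one line per action."""
    out = []
    for a in parse_reg(text):
        if a.op in ("delete_key", "create_key"):
            out.append(f"{a.op:12} {a.key}")
        else:
            out.append(f"{a.op:12} {a.key} :: {a.name} = {a.data}")
    return "\n".join(out)


# The fix.reg text from the post above, embedded here as the sample input.
SAMPLE_FIX_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qyqxtymf]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]

[-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj]

[-HKEY_CURRENT_USER\Software\Bolger]

[-HKEY_CURRENT_USER\Software\aurora]
"""

if __name__ == "__main__":
    print(describe(SAMPLE_FIX_REG))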

#13 zrmjsr

zrmjsr
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 15 May 2005 - 10:37 PM

Hey there.

I deleted all of the files that you listed. I did find NZNKMZ.EXE but could not delete it. I did not see anything called REGEDIT4, only REGEDT32. I opened this and found the files listed in bold. When I tried to copy the contents I could not highlight to copy or figure what else to do. I copied the "key something" which made my notebook look just like the files in bold you had listed. When I tried to merge that I received a message telling me that I couldn't do that unless it contained binary information. I am assuming that I am doing something wrong. I am so sorry. When you mentioned copy the contents, did you want me to open the files or try and show you what files were in that directory?

I feel really stupid and so bad for bugging you guys. When I see how many posts you get in a day, I am so amazed at your patience.

I am truly sorry to be such a pain. If I ever get this fixed please tell me what software I need to purchase or download or what to stop this junk from happening again.

Thanks.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:54 AM

Posted 16 May 2005 - 04:19 AM

Hello,

Don't feel sorry -- you already did a great job and we're almost there!! Now we just have to look a bit 'deeper' in your system to search for those bad files that are responsible for the popups.
It seems like findqoologic doesn't show them -- so I have another tool to search for them.
We're going to deal with that file you couldn't delete afterwards in an easy way -- so don't worry about that. :thumbsup:

I made the regfix ( the one you had to copy and paste ) myself for you and uploaded it here. ( see attachment -- fix.reg )
Just Unzip/extract it and doubleclick on fix.reg
It will ask you if you want to merge the contents to the registry -- click yes/ok

When done --

Download rkfiles.zip
UNZIP the contents to a permanent folder

Reboot in SAFE MODE !! Important !!
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the doswindow closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

Edited by miekiemoes, 16 May 2005 - 04:20 AM.


#15 zrmjsr

zrmjsr
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 18 May 2005 - 04:41 PM

First, Thanks for your help.

When I click on rkfiles.zip I am receiving an error message telling me that this website no longer exists or has moved. I have tried it at least 5 times. It wants to take me to skads.org?

I am sorry. It seems like something all the time with me.

HELP!



