
HJT log need serious help


  • This topic is locked
8 replies to this topic

#1 wagner12

wagner12

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 30 May 2005 - 03:31 PM

Hey, here's my HJT log. My homepage is stuck on about:blank, and when I use my Microsoft AntiSpyware it keeps asking me if I want to allow stuff or block stuff constantly. Also, when I ran AVG it caught some stuff but I don't know what. Anyway, please help me!!!

Thank you


Logfile of HijackThis v1.99.1
Scan saved at 3:26:09 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\d3yo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\ap9h4qmo.exe
C:\DOCUME~1\JUDDWA~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mbqjb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {61962599-064B-C5A8-AF52-14758C8A1676} - C:\WINDOWS\system32\d3uc32.dll
O2 - BHO: (no name) - {DE07D81F-E8E1-F3D3-F74F-4FD627E2D770} - C:\WINDOWS\atlwc.dll
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [addkk.exe] C:\WINDOWS\system32\addkk.exe
O4 - HKLM\..\Run: [crjs32.exe] C:\WINDOWS\crjs32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3yo.exe] C:\WINDOWS\d3yo.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [fmtqh] C:\WINDOWS\fmtqh.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [qp5ncu7s] C:\WINDOWS\system32\qp5ncu7s.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\addnb32.exe
O4 - HKLM\..\RunOnce: [atlkb32.exe] C:\WINDOWS\system32\atlkb32.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [ipjw.exe] C:\WINDOWS\system32\ipjw.exe
O4 - HKLM\..\RunOnce: [crny.exe] C:\WINDOWS\system32\crny.exe
O4 - HKLM\..\RunOnce: [sysmf.exe] C:\WINDOWS\sysmf.exe
O4 - HKLM\..\RunOnce: [sdkrz32.exe] C:\WINDOWS\sdkrz32.exe
O4 - HKLM\..\RunOnce: [appcn32.exe] C:\WINDOWS\appcn32.exe
O4 - HKLM\..\RunOnce: [d3we.exe] C:\WINDOWS\system32\d3we.exe
O4 - HKLM\..\RunOnce: [sdklt.exe] C:\WINDOWS\system32\sdklt.exe
O4 - HKLM\..\RunOnce: [mfcqn32.exe] C:\WINDOWS\mfcqn32.exe
O4 - HKLM\..\RunOnce: [ipbi.exe] C:\WINDOWS\ipbi.exe
O4 - HKLM\..\RunOnce: [winai32.exe] C:\WINDOWS\winai32.exe
O4 - HKLM\..\RunOnce: [crfk.exe] C:\WINDOWS\crfk.exe
O4 - HKLM\..\RunOnce: [msde.exe] C:\WINDOWS\msde.exe
O4 - HKLM\..\RunOnce: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\RunOnce: [d3xr.exe] C:\WINDOWS\d3xr.exe
O4 - HKLM\..\RunOnce: [addhg.exe] C:\WINDOWS\system32\addhg.exe
O4 - HKLM\..\RunOnce: [apiyd.exe] C:\WINDOWS\apiyd.exe
O4 - HKLM\..\RunOnce: [crbh.exe] C:\WINDOWS\crbh.exe
O4 - HKLM\..\RunOnce: [netgb32.exe] C:\WINDOWS\system32\netgb32.exe
O4 - HKLM\..\RunOnce: [winju.exe] C:\WINDOWS\winju.exe
O4 - HKLM\..\RunOnce: [ipta32.exe] C:\WINDOWS\ipta32.exe
O4 - HKLM\..\RunOnce: [added.exe] C:\WINDOWS\added.exe
O4 - HKLM\..\RunOnce: [winru.exe] C:\WINDOWS\system32\winru.exe
O4 - HKLM\..\RunOnce: [apiqf.exe] C:\WINDOWS\system32\apiqf.exe
O4 - HKLM\..\RunOnce: [winzf.exe] C:\WINDOWS\system32\winzf.exe
O4 - HKLM\..\RunOnce: [javasq32.exe] C:\WINDOWS\javasq32.exe
O4 - HKLM\..\RunOnce: [winmg32.exe] C:\WINDOWS\winmg32.exe
O4 - HKLM\..\RunOnce: [ntke.exe] C:\WINDOWS\ntke.exe
O4 - HKLM\..\RunOnce: [sysps32.exe] C:\WINDOWS\sysps32.exe
O4 - HKLM\..\RunOnce: [d3cn32.exe] C:\WINDOWS\system32\d3cn32.exe
O4 - HKLM\..\RunOnce: [ntmi32.exe] C:\WINDOWS\ntmi32.exe
O4 - HKLM\..\RunOnce: [d3ig.exe] C:\WINDOWS\d3ig.exe
O4 - HKLM\..\RunOnce: [winmk.exe] C:\WINDOWS\system32\winmk.exe
O4 - HKLM\..\RunOnce: [mfceb.exe] C:\WINDOWS\system32\mfceb.exe
O4 - HKLM\..\RunOnce: [mssw.exe] C:\WINDOWS\system32\mssw.exe
O4 - HKLM\..\RunOnce: [mfcbc32.exe] C:\WINDOWS\mfcbc32.exe
O4 - HKLM\..\RunOnce: [sdkur32.exe] C:\WINDOWS\sdkur32.exe
O4 - HKLM\..\RunOnce: [syswr.exe] C:\WINDOWS\system32\syswr.exe
O4 - HKLM\..\RunOnce: [crzv.exe] C:\WINDOWS\system32\crzv.exe
O4 - HKLM\..\RunOnce: [sdkdh.exe] C:\WINDOWS\sdkdh.exe
O4 - HKLM\..\RunOnce: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\RunOnce: [sdkcl32.exe] C:\WINDOWS\sdkcl32.exe
O4 - HKLM\..\RunOnce: [atlfe.exe] C:\WINDOWS\atlfe.exe
O4 - HKLM\..\RunOnce: [apibw32.exe] C:\WINDOWS\system32\apibw32.exe
O4 - HKLM\..\RunOnce: [sysyj32.exe] C:\WINDOWS\sysyj32.exe
O4 - HKLM\..\RunOnce: [cros.exe] C:\WINDOWS\system32\cros.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


#2 wagner12

wagner12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 31 May 2005 - 11:32 AM

Here is my HJT log. I get the about:blank screen as my homepage; also, AVG detects viruses that won't heal or be deleted, and MS AntiSpyware keeps asking if I want to allow or block all kinds of stuff. Please help, I don't know what to do!!!!
Thank you


Logfile of HijackThis v1.99.1
Scan saved at 11:27:25 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\appnd32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\qp5ncu7s.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\iefl32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\DOCUME~1\JUDDWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1B77DF8A-7146-738E-D008-4323A6C9AF79} - C:\WINDOWS\system32\crqq32.dll
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [addkk.exe] C:\WINDOWS\system32\addkk.exe
O4 - HKLM\..\Run: [crjs32.exe] C:\WINDOWS\crjs32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3yo.exe] C:\WINDOWS\d3yo.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qp5ncu7s] C:\WINDOWS\system32\qp5ncu7s.exe
O4 - HKLM\..\Run: [appnd32.exe] C:\WINDOWS\system32\appnd32.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [crat.exe] C:\WINDOWS\system32\crat.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\addnb32.exe
O4 - HKLM\..\RunOnce: [atlew.exe] C:\WINDOWS\atlew.exe
O4 - HKLM\..\RunOnce: [nton.exe] C:\WINDOWS\system32\nton.exe
O4 - HKLM\..\RunOnce: [atlrf32.exe] C:\WINDOWS\system32\atlrf32.exe
O4 - HKLM\..\RunOnce: [ntbg32.exe] C:\WINDOWS\system32\ntbg32.exe
O4 - HKLM\..\RunOnce: [iefl32.exe] C:\WINDOWS\system32\iefl32.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:55 PM

Posted 31 May 2005 - 02:33 PM

You've got a lot going on there, so this will probably take a few steps. Let's see what we can get rid of all at once before getting too meticulous.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
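The following script is an added example and is not part of this thread, of HijackThis, or of any BleepingComputer tool. It parses the R0/R1/O2/O4/O23 line formats that appear in the logs above and flags the indicators Buckeye_Sam's instructions are aimed at: start/search-page values redirected into a local DLL resource (`res://...dll/sp.html`), RunOnce values launching bare executables from C:\WINDOWS, and a service with "Unknown owner" backed by a binary in C:\WINDOWS. It also diffs two scans so a helper can see what a fix removed and what regenerated under a new name, which is exactly what happens between the second and third logs (qnbmy.dll becomes abniz.dll). The sample lines are excerpts copied from the logs in this thread; the regular expressions and the heuristics are my own assumptions, not HJT behaviour.

```python
"""HijackThis log triage (added example; not a BleepingComputer or HijackThis tool).

Parses the R0/R1/O2/O4/O23 line formats seen in the thread above and flags the
indicators a malware helper works from in a CoolWebSearch "about:blank" case:
  * start/search-page values redirected into a local DLL resource (res://...dll/sp.html)
  * RunOnce values launching bare executables from C:\\WINDOWS or System32
  * services with "Unknown owner" whose binary lives in C:\\WINDOWS
and diffs two scans to show what a fix removed and what came back under a new name.
Sample lines are copied from the logs in this thread; the regular expressions and
the heuristics are the example author's assumptions, not HJT behaviour.
"""
import re

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# "... = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049"
RES_HIJACK = re.compile(r"= res://(?P<dll>[^/]+\.dll)/sp\.html", re.IGNORECASE)
# "HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe"
AUTORUN = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# A bare executable sitting directly in %WINDIR% or System32 (no vendor directory).
WINDIR_BIN = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[A-Za-z0-9]+\.exe$", re.IGNORECASE)
# "Service: <display name> - <owner> - <path>"
SERVICE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log as (kind, body) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def find_res_hijacks(entries):
    """Map each res:// DLL to the IE settings (R0/R1) it has been written into."""
    hits = {}
    for kind, body in entries:
        if kind in ("R0", "R1"):
            m = RES_HIJACK.search(body)
            if m:
                hits.setdefault(m.group("dll"), []).append(body.split(" = ", 1)[0])
    return hits


def find_windir_runonce(entries):
    """RunOnce values that launch a bare executable from %WINDIR%.

    Windows deletes a RunOnce value before running its command, so RunOnce
    entries that are still present at scan time, let alone dozens pointing at
    short random names in C:\\WINDOWS, mean something keeps re-creating them.
    """
    flagged = []
    for kind, body in entries:
        m = AUTORUN.match(body) if kind == "O4" else None
        if m and m.group("key") == "RunOnce" and WINDIR_BIN.match(m.group("cmd")):
            flagged.append(m.group("cmd"))
    return flagged


def find_unknown_windir_services(entries):
    """O23 services with no recorded owner whose binary lives in %WINDIR%."""
    flagged = []
    for kind, body in entries:
        m = SERVICE.match(body) if kind == "O23" else None
        if m and m.group("owner") == "Unknown owner" and WINDIR_BIN.match(m.group("path")):
            flagged.append((m.group("display"), m.group("path")))
    return flagged


def diff_logs(before_text, after_text):
    """Entries the fix removed, and entries that are new in the later scan."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


# Excerpts copied from the second and third logs in the thread (constructed sample input).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qnbmy.dll/sp.html#37049
O2 - BHO: Class - {1B77DF8A-7146-738E-D008-4323A6C9AF79} - C:\WINDOWS\system32\crqq32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [nton.exe] C:\WINDOWS\system32\nton.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
"""

if __name__ == "__main__":
    before = parse_hjt(LOG_BEFORE)
    print("res:// hijacks:", find_res_hijacks(before))
    print("RunOnce in %WINDIR%:", find_windir_runonce(before))
    print("unknown-owner services:", find_unknown_windir_services(before))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries gone, {len(added)} new; hijack DLL now:",
          list(find_res_hijacks(parse_hjt(LOG_AFTER))))
```

Run it on the full logs by pasting them into `LOG_BEFORE` and `LOG_AFTER`. The diff is the useful part: the point of asking for a fresh log after every round is to see whether the res:// entries are gone or merely renamed, and a hijack that reappears under a fresh random DLL name means the component that rewrites the settings is still running, so the next round has to target that rather than the settings themselves.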

#4 wagner12

wagner12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 31 May 2005 - 05:27 PM

Here is my new HJT log. I didn't have any problems with CWShredder, but the link to AboutBuster didn't work. Also, when I went to TrendMicro HouseCall I installed ActiveX because a security prompt didn't come up, and then after that I refreshed and it says it is unable to run because another HouseCall is running.
And my AIM doesn't work,
but here's my HJT log.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:23:01 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\crjs32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system32\qp5ncu7s.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\DOCUME~1\JUDDWA~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [addkk.exe] C:\WINDOWS\system32\addkk.exe
O4 - HKLM\..\Run: [crjs32.exe] C:\WINDOWS\crjs32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3yo.exe] C:\WINDOWS\d3yo.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qp5ncu7s] C:\WINDOWS\system32\qp5ncu7s.exe
O4 - HKLM\..\Run: [appnd32.exe] C:\WINDOWS\system32\appnd32.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [javanw.exe] C:\WINDOWS\javanw.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [winym32.exe] C:\WINDOWS\system32\winym32.exe
O4 - HKLM\..\RunOnce: [atlmm32.exe] C:\WINDOWS\atlmm32.exe
O4 - HKLM\..\RunOnce: [netcw32.exe] C:\WINDOWS\netcw32.exe
O4 - HKLM\..\RunOnce: [mfchh32.exe] C:\WINDOWS\system32\mfchh32.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\addnb32.exe
O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\system32\d3fh32.exe
O4 - HKLM\..\RunOnce: [ipkk.exe] C:\WINDOWS\ipkk.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#5 Buckeye_Sam (Malware Expert)
Posted 31 May 2005 - 08:07 PM

Sorry about that bad link. Here's a new set of instructions, and the link to About Buster is a good one.


Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Media Access
Viewpoint Manager
Viewpoint Media Player
180 Solutions
Wild Tangent



You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. The sooner you perform this fix, the higher its chances for success.

Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.


Step 1
Download CWShredder but don't run it yet.


Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.


Step 3
Download Ad-aware SE 1.05
Install the program and launch it. First, in the main window, look in the bottom right corner, click on "Check for updates now" and download the latest reference files. Exit Ad-aware for now.


Step 5
Make sure that you can VIEW ALL HIDDEN FILES.


Step 6
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abniz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [addkk.exe] C:\WINDOWS\system32\addkk.exe
O4 - HKLM\..\Run: [crjs32.exe] C:\WINDOWS\crjs32.exe
O4 - HKLM\..\Run: [d3yo.exe] C:\WINDOWS\d3yo.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qp5ncu7s] C:\WINDOWS\system32\qp5ncu7s.exe
O4 - HKLM\..\Run: [appnd32.exe] C:\WINDOWS\system32\appnd32.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [javanw.exe] C:\WINDOWS\javanw.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\msrg.exe
O4 - HKLM\..\RunOnce: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [winym32.exe] C:\WINDOWS\system32\winym32.exe
O4 - HKLM\..\RunOnce: [atlmm32.exe] C:\WINDOWS\atlmm32.exe
O4 - HKLM\..\RunOnce: [netcw32.exe] C:\WINDOWS\netcw32.exe
O4 - HKLM\..\RunOnce: [mfchh32.exe] C:\WINDOWS\system32\mfchh32.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\addnb32.exe
O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\system32\d3fh32.exe
O4 - HKLM\..\RunOnce: [ipkk.exe] C:\WINDOWS\ipkk.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe


Step 7
Reboot your computer into SAFE MODE


Step 8
Now run CWShredder, making sure to click "Fix".


Step 9
Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\addnb32.exe
C:\WINDOWS\atlwc.dll
C:\WINDOWS\abniz.dll
C:\WINDOWS\msrg.exe
C:\WINDOWS\crjs32.exe
C:\WINDOWS\d3yo.exe
C:\WINDOWS\javanw.exe
C:\WINDOWS\atlmm32.exe
C:\WINDOWS\netcw32.exe
C:\WINDOWS\addnb32.exe
C:\WINDOWS\ipkk.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\system32\addkk.exe
C:\WINDOWS\system32\qp5ncu7s.exe
C:\WINDOWS\system32\appnd32.exe
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\addab.exe
C:\WINDOWS\system32\winym32.exe
C:\WINDOWS\system32\mfchh32.exe
C:\WINDOWS\system32\d3fh32.exe
C:\WINDOWS\System32\winsys.exe
C:\Program Files\SideFind
C:\Program Files\Save
C:\Program Files\winupdate
C:\Program Files\Media Access
C:\Program Files\ISTsvc
c:\program files\180solutions



Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste it into Notepad or WordPad and save it as a .txt file) and post a copy back here when you are done with all the steps.


Step 11
Run a full scan with Ad-aware.


Reboot your computer to go back to normal mode and post a new HijackThis log and the log from About Buster.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
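Added here as an example (not code from this thread and not part of HijackThis): a small Python triage script that runs over HJT log lines and flags the indicators Buckeye_Sam picked out above, that is, R0/R1 start and search pages redirected to a res:// page inside a dropped DLL, an unnamed O2 BHO loading a DLL from C:\WINDOWS, O4 Run/RunOnce entries launching randomly named executables from the Windows directory, and an O23 service with a garbage short name. The file-name pattern is a heuristic derived only from the names in this thread's logs, and the sample lines are copied from the log posted above.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: entries copied from the second log in this thread, mixed
# with legitimate ones so the checks have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\abniz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\abniz.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {FED80FE1-0881-76EA-AF03-58D3E618C89A} - C:\WINDOWS\atlwc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [d3yo.exe] C:\WINDOWS\d3yo.exe
O4 - HKLM\..\RunOnce: [mfchh32.exe] C:\WINDOWS\system32\mfchh32.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addnb32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
# R0/R1 value rewritten to an HTML page stored inside a DLL (res://...dll/...).
RES_IN_DLL = re.compile(r"=\s*res://.+?\.dll/", re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper path).
WINDIR_FILE = re.compile(
    r"^[a-z]:\\windows\\(?P<sub>system32\\)?(?P<file>[^\\]+)$", re.IGNORECASE)
# Naming pattern of the dropped files in this thread's logs (addkk.exe, crjs32.exe,
# d3yo.exe, mfchh32.exe, netli32.exe ...): system-sounding prefix, two random letters,
# optional "32", ".exe". Heuristic only: a hit is a lead to verify, not a verdict.
DROPPED_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(?:32)?\.exe$",
    re.IGNORECASE)
O4_TAIL = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PATH_IN_CMD = re.compile(r'^"?([^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
SHORT_NAME = re.compile(r"\(([^()]*)\)\s*$")   # last "(...)" of a service display name
CLEAN_SHORT = re.compile(r"^[A-Za-z0-9_ .-]+$")
ENTRY = re.compile(r"^(R0|R1|O2|O4|O23) - (.*)$")

def check_r(tail: str) -> Optional[str]:
    if RES_IN_DLL.search(tail):
        return "start/search page redirected to a res:// page inside a DLL"
    return None

def check_o2(tail: str) -> Optional[str]:
    # Tail layout: "BHO: <name> - {CLSID} - <dll path>"
    parts = [p.strip() for p in tail.split(" - ")]
    if len(parts) < 3:
        return None
    name = parts[0][len("BHO:"):].strip()
    if name in ("", "Class") and WINDIR_FILE.match(parts[-1]):
        return "unnamed BHO loading a DLL dropped straight into the Windows directory"
    return None

def check_o4(tail: str) -> Optional[str]:
    # Tail layout: "<hive>\..\Run[Once]: [<value name>] <command line>"
    m = O4_TAIL.match(tail)
    if not m:
        return None
    pm = PATH_IN_CMD.match(m.group("cmd"))
    wm = WINDIR_FILE.match(pm.group(1)) if pm else None
    if not wm:
        return None   # rundll32 stubs, Program Files, bare names: not covered here
    base, name = wm.group("file"), m.group("name")
    if DROPPED_NAME.match(base):
        return "autorun of an executable matching the hijacker's naming pattern"
    if "RunOnce" in m.group("key"):
        return "RunOnce entry launching a file from the Windows directory"
    if name.lower().endswith(".exe") and name.lower() != base.lower():
        return "value name %s does not match the file it launches (%s)" % (name, base)
    return None

def check_o23(tail: str) -> Optional[str]:
    # Tail layout: "Service: <display name> (<short name>) - <owner> - <binary>"
    parts = [p.strip() for p in tail.split(" - ")]
    if len(parts) < 3:
        return None
    display, owner, binary = parts[0], parts[1], parts[-1]
    sm = SHORT_NAME.search(display)
    if sm and not CLEAN_SHORT.match(sm.group(1)):
        return "service short name %r is garbage characters" % sm.group(1)
    wm = WINDIR_FILE.match(binary)
    if wm and wm.group("sub") is None and owner == "Unknown owner":
        return "unknown-owner service running straight out of the Windows directory"
    return None

CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O23": check_o23}

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (HJT line, reason) for every entry that trips one of the checks."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            reason = CHECKS[m.group(1)](m.group(2))
            if reason:
                hits.append((line.strip(), reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason + "\n    " + line)
```

Entries the script does not cover (bare names such as p2pnetworking.exe, eight-character random names such as qp5ncu7s.exe, O16 downloads) still need a manual look, as in the fix list above.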


========================================================

#6 wagner12 (Topic Starter)
Posted 31 May 2005 - 10:35 PM

Hey,
I didn't have any problems with this, except when I finally rebooted normally Internet Explorer had an error message and wouldn't open.

Also, I still get virus popups from AVG, but MS AntiSpyware stopped having many popups.

Thanks again


Here's the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:47 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netli32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\DOCUME~1\JUDDWA~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {EAD01F30-8167-D510-8ED0-53B9B66F4880} - C:\WINDOWS\d3ve.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [netli32.exe] C:\WINDOWS\system32\netli32.exe
O4 - HKLM\..\RunOnce: [wineb.exe] C:\WINDOWS\wineb.exe
O4 - HKLM\..\RunOnce: [atljx.exe] C:\WINDOWS\atljx.exe
O4 - HKLM\..\RunOnce: [iejl32.exe] C:\WINDOWS\iejl32.exe
O4 - HKLM\..\RunOnce: [ntcm.exe] C:\WINDOWS\system32\ntcm.exe
O4 - HKLM\..\RunOnce: [addlt32.exe] C:\WINDOWS\system32\addlt32.exe
O4 - HKLM\..\RunOnce: [ieak32.exe] C:\WINDOWS\system32\ieak32.exe
O4 - HKLM\..\RunOnce: [sysfh32.exe] C:\WINDOWS\system32\sysfh32.exe
O4 - HKLM\..\RunOnce: [netjo.exe] C:\WINDOWS\system32\netjo.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\wineb.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe



Here's the About Buster log file:

AboutBuster 5.0 reference file 28
Scan started on [5/31/2005] at [9:07:24 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\0.LOG:ribni
Removed Stream! C:\WINDOWS\001150_.tmp:nmmnv
Removed Stream! C:\WINDOWS\001150_.tmp:omwvg
Removed Stream! C:\WINDOWS\001150_.tmp:omwvgy
Removed Stream! C:\WINDOWS\001303_.tmp:lbtyb
Removed Stream! C:\WINDOWS\004119_.tmp:fisei
Removed Stream! C:\WINDOWS\Abstract 8.jpg:fmesp
Removed Stream! C:\WINDOWS\Abstract 8.jpg:mngfs
Removed Stream! C:\WINDOWS\AllState.ini:uugtww
Removed Stream! C:\WINDOWS\AllState.ini:zphbz
Removed Stream! C:\WINDOWS\bihpj.log:qfcflf
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:orkszv
Removed Stream! C:\WINDOWS\BOOTSTAT.DAT:mnprf
Removed Stream! C:\WINDOWS\box boat blue.ico:fvrdtj
Removed Stream! C:\WINDOWS\box boat blue.ico:gscybx
Removed Stream! C:\WINDOWS\box boat blue.ico:hqces
Removed Stream! C:\WINDOWS\box boat blue.ico:uifjsi
Removed Stream! C:\WINDOWS\cdPlayer.ini:yzfol
Removed Stream! C:\WINDOWS\CFML.INI:xwbjvt
Removed Stream! C:\WINDOWS\CFML.INI:ylvlwi
Removed Stream! C:\WINDOWS\cmsetacl.log:fkqcpv
Removed Stream! C:\WINDOWS\cmsetacl.log:viwga
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:qpuwpe
Removed Stream! C:\WINDOWS\COM+.log:eiqidf
Removed Stream! C:\WINDOWS\COM+.log:xkahrg
Removed Stream! C:\WINDOWS\Corrupted Vortex.jpg:wjbvyp
Removed Stream! C:\WINDOWS\crins.txt:gbhyw
Removed Stream! C:\WINDOWS\dcsrr.dat:oktbaa
Removed Stream! C:\WINDOWS\dkhaj.dat:scsbi
Removed Stream! C:\WINDOWS\dxfuk.txt:vfeyn
Removed Stream! C:\WINDOWS\entpack.ini:cnwkp
Removed Stream! C:\WINDOWS\entpack.ini:hpatj
Removed Stream! C:\WINDOWS\EReg072.dat:eqzkbt
Removed Stream! C:\WINDOWS\EReg072.dat:qhktpx
Removed Stream! C:\WINDOWS\FaxSetup.log:xrjqvv
Removed Stream! C:\WINDOWS\FaxSetup.log:yhhrj
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:utvluw
Removed Stream! C:\WINDOWS\gisrf.txt:pscvqg
Removed Stream! C:\WINDOWS\Grand_Eclipse.jpg:uzovwi
Removed Stream! C:\WINDOWS\Grand_Eclipse.jpg:wmmft
Removed Stream! C:\WINDOWS\Greenstone.bmp:ituasq
Removed Stream! C:\WINDOWS\high XP.bmp:eahayl
Removed Stream! C:\WINDOWS\high XP.bmp:qyudjt
Removed Stream! C:\WINDOWS\iilkl.dat:jqusln
Removed Stream! C:\WINDOWS\iilkl.dat:jzfimv
Removed Stream! C:\WINDOWS\IIS6.LOG:vgqnl
Removed Stream! C:\WINDOWS\ImageX.bmp:hokonw
Removed Stream! C:\WINDOWS\imsins.BAK:baxwgg
Removed Stream! C:\WINDOWS\imsins.BAK:crnxny
Removed Stream! C:\WINDOWS\imsins.BAK:milunt
Removed Stream! C:\WINDOWS\imsins.BAK:nmucr
Removed Stream! C:\WINDOWS\imsins.BAK:yutyy
Removed Stream! C:\WINDOWS\imsins.log:hdfwj
Removed Stream! C:\WINDOWS\install_AdvSecMig.log:ejdzid
Removed Stream! C:\WINDOWS\install_AdvSecMig.log:urxkia
Removed Stream! C:\WINDOWS\install_AdvSecMig.log:wdjbbp
Removed Stream! C:\WINDOWS\install_CFGraph.log:hucypi
Removed Stream! C:\WINDOWS\isncfg.dat:nsqqcl
Removed Stream! C:\WINDOWS\isncfg.dat:tjlgd
Removed Stream! C:\WINDOWS\jisfk.dat:akbobm
Removed Stream! C:\WINDOWS\KB821557.log:pfkmk
Removed Stream! C:\WINDOWS\KB825119.log:scclk
Removed Stream! C:\WINDOWS\KB828741.log:bblqw
Removed Stream! C:\WINDOWS\KB839643-DirectX9.log:bzltzg
Removed Stream! C:\WINDOWS\KB841873.log:oapkr
Removed Stream! C:\WINDOWS\KB842773.log:xdzhf
Removed Stream! C:\WINDOWS\KB867282.log:sxaqy
Removed Stream! C:\WINDOWS\KB885884.log:ddlzr
Removed Stream! C:\WINDOWS\KB890175.log:fgevyk
Removed Stream! C:\WINDOWS\KB890859.log:tcanu
Removed Stream! C:\WINDOWS\KB890923.log:ytpvd
Removed Stream! C:\WINDOWS\KB891781.log:wnvsq
Removed Stream! C:\WINDOWS\KB893066.log:kcxkz
Removed Stream! C:\WINDOWS\KB893803v2.log:phpfuf
Removed Stream! C:\WINDOWS\MedCtrOC.log:skezh
Removed Stream! C:\WINDOWS\MEMORY.DMP:aiakph
Removed Stream! C:\WINDOWS\middleofnowhere.jpg:epsqn
Removed Stream! C:\WINDOWS\ModemLog_Conexant HSF V92 56K RTAD Speakerphone PCI Modem.txt:sfapa
Removed Stream! C:\WINDOWS\ModemLog_Standard Modem over IR link.txt:sjsyrs
Removed Stream! C:\WINDOWS\OCMSN.LOG:vjosv
Removed Stream! C:\WINDOWS\ODBC.INI:zbgpt
Removed Stream! C:\WINDOWS\orun32.ini:unvfxd
Removed Stream! C:\WINDOWS\PowerReg.dat:mnokzn
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:dxypo
Removed Stream! C:\WINDOWS\Q306676.log:sarxt
Removed Stream! C:\WINDOWS\Q308677.log:fogptq
Removed Stream! C:\WINDOWS\Q308677.log:vnprp
Removed Stream! C:\WINDOWS\Q310601.log:egbyzx
Removed Stream! C:\WINDOWS\Q311889.log:xprcva
Removed Stream! C:\WINDOWS\Q313450.log:whudch
Removed Stream! C:\WINDOWS\Q315000.log:mlgnk
Removed Stream! C:\WINDOWS\Q323172.log:llzbs
Removed Stream! C:\WINDOWS\Q324380.log:kwupu
Removed Stream! C:\WINDOWS\Q326830.log:lwbzmp
Removed Stream! C:\WINDOWS\Q328940.log:fowql
Removed Stream! C:\WINDOWS\Q329115.log:muclxv
Removed Stream! C:\WINDOWS\Q329115.log:vwmmoz
Removed Stream! C:\WINDOWS\Q329170.log:uzgvi
Removed Stream! C:\WINDOWS\Q329441.log:oxerij
Removed Stream! C:\WINDOWS\Q331953.log:mdjqq
Removed Stream! C:\WINDOWS\Q810565.log:gyxxkm
Removed Stream! C:\WINDOWS\Q810833.log:dlzob
Removed Stream! C:\WINDOWS\Q811630.log:qpxbwt
Removed Stream! C:\WINDOWS\Q817287.log:ipqpqd
Removed Stream! C:\WINDOWS\Q817287.log:vdnkj
Removed Stream! C:\WINDOWS\Q819696.log:uhlac
Removed Stream! C:\WINDOWS\Q828026.log:pzeva
Removed Stream! C:\WINDOWS\Q828026.log:zfsus
Removed Stream! C:\WINDOWS\qvcut.log:mhefw
Removed Stream! C:\WINDOWS\REGLOCS.OLD:yczzv
Removed Stream! C:\WINDOWS\REGOPT.LOG:iwtnc
Removed Stream! C:\WINDOWS\SchedLgU.Txt:tpwgz
Removed Stream! C:\WINDOWS\setupapi.log:txool
Removed Stream! C:\WINDOWS\setupapi.log.0.old:uapqo
Removed Stream! C:\WINDOWS\setupapi.old:wdykfg
Removed Stream! C:\WINDOWS\Smooth Graphite.jpg:pwqpzi
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:hwjvct
Removed Stream! C:\WINDOWS\spupdsvc.log:dqdgr
Removed Stream! C:\WINDOWS\swukn.log:utojvt
Removed Stream! C:\WINDOWS\tlhzw.log:mmzope
Removed Stream! C:\WINDOWS\tlhzw.log:pvvwfc
Removed Stream! C:\WINDOWS\tzeqi.dat:xpsnq
Removed Stream! C:\WINDOWS\ueymi.log:emsbsg
Removed Stream! C:\WINDOWS\updspapi.log:asxbeh
Removed Stream! C:\WINDOWS\uupxi.log:gsfeqc
Removed Stream! C:\WINDOWS\VB.INI:yrwjz
Removed Stream! C:\WINDOWS\VBADDIN.INI:stqgzr
Removed Stream! C:\WINDOWS\vwpwg.dat:luiutc
Removed Stream! C:\WINDOWS\wajqn.log:kbamjc
Removed Stream! C:\WINDOWS\wavywinxp.jpg:gcnhrd
Removed Stream! C:\WINDOWS\WIADEBUG.LOG:dyjzyk
Removed Stream! C:\WINDOWS\WIADEBUG.LOG:gxahcv
Removed Stream! C:\WINDOWS\WIASERVC.LOG:zdfutn
Removed Stream! C:\WINDOWS\Windows Update.log:kmrdq
Removed Stream! C:\WINDOWS\WindowsUpdate.log:reyanp
Removed Stream! C:\WINDOWS\WindowsUpdate.log:rktkl
Removed Stream! C:\WINDOWS\WINNT32.LOG:kfjfpa
Removed Stream! C:\WINDOWS\wsdu.log:kqwks
Removed Stream! C:\WINDOWS\xmtvv.log:icbuy
Removed Stream! C:\WINDOWS\xncxn.txt:lxlzq
Removed Stream! C:\WINDOWS\yghmo.dat:incrir
Removed Stream! C:\WINDOWS\zaiew.log:qdhny
Removed Stream! C:\WINDOWS\zilwh.txt:aouwdc
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:agide
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:ajhbj
------------------------------------------------
Removed File! : C:\Windows\abjqr.dll
Removed File! : C:\Windows\addpg.exe
Removed File! : C:\Windows\addxk32.exe
Removed File! : C:\Windows\apiew.exe
Removed File! : C:\Windows\apijf.exe
Removed File! : C:\Windows\apiwa.exe
Removed File! : C:\Windows\apiys.exe
Removed File! : C:\Windows\apizh32.exe
Removed File! : C:\Windows\appbr32.exe
Removed File! : C:\Windows\appft32.exe
Removed File! : C:\Windows\appiw.exe
Removed File! : C:\Windows\applq.exe
Removed File! : C:\Windows\appok.exe
Removed File! : C:\Windows\appyu.exe
Removed File! : C:\Windows\appzz.exe
Removed File! : C:\Windows\atlbr.exe
Removed File! : C:\Windows\atldk32.exe
Removed File! : C:\Windows\atlew.exe
Removed File! : C:\Windows\atlfe.exe
Removed File! : C:\Windows\atlmk.exe
Removed File! : C:\Windows\bucfi.dat
Removed File! : C:\Windows\byulo.dat
Removed File! : C:\Windows\cgsdm.dll
Removed File! : C:\Windows\crfk.exe
Removed File! : C:\Windows\crjr32.exe
Removed File! : C:\Windows\crlc32.exe
Removed File! : C:\Windows\crlk.exe
Removed File! : C:\Windows\crty32.exe
Removed File! : C:\Windows\crut.exe
Removed File! : C:\Windows\crwc32.exe
Removed File! : C:\Windows\cttor.dll
Removed File! : C:\Windows\cxqvx.dll
Removed File! : C:\Windows\d3lu32.exe
Removed File! : C:\Windows\d3yd32.exe
Removed File! : C:\Windows\dcsrr.dat
Removed File! : C:\Windows\dkhaj.dat
Removed File! : C:\Windows\eztfw.dat
Removed File! : C:\Windows\fqrkx.dll
Removed File! : C:\Windows\hipni.dll
Removed File! : C:\Windows\ievv.exe
Removed File! : C:\Windows\iilkl.dat
Removed File! : C:\Windows\javaks.exe
Removed File! : C:\Windows\jcubt.dat
Removed File! : C:\Windows\jisfk.dat
Removed File! : C:\Windows\juvmk.dat
Removed File! : C:\Windows\kodji.dll
Removed File! : C:\Windows\kporx.dll
Removed File! : C:\Windows\ltpzg.dll
Removed File! : C:\Windows\mfcho32.exe
Removed File! : C:\Windows\mfcma32.exe
Removed File! : C:\Windows\mfcmd32.exe
Removed File! : C:\Windows\mfcnb32.exe
Removed File! : C:\Windows\mfcqn32.exe
Removed File! : C:\Windows\msao.exe
Removed File! : C:\Windows\msfi32.exe
Removed File! : C:\Windows\mslp.exe
Removed File! : C:\Windows\msns.exe
Removed File! : C:\Windows\mssr32.exe
Removed File! : C:\Windows\mvjwz.dat
Removed File! : C:\Windows\netgc.exe
Removed File! : C:\Windows\netwk.exe
Removed File! : C:\Windows\ntgz.exe
Removed File! : C:\Windows\ntia.exe
Removed File! : C:\Windows\ntjx32.exe
Removed File! : C:\Windows\nttt32.exe
Removed File! : C:\Windows\ntya.exe
Removed File! : C:\Windows\ntzz32.exe
Removed File! : C:\Windows\ommvb.dat
Removed File! : C:\Windows\oofez.dat
Removed File! : C:\Windows\scigu.dat
Removed File! : C:\Windows\sdkdh.exe
Removed File! : C:\Windows\sdked32.exe
Removed File! : C:\Windows\sdkrz32.exe
Removed File! : C:\Windows\sdkxx.exe
Removed File! : C:\Windows\sysou32.exe
Removed File! : C:\Windows\sysrg.exe
Removed File! : C:\Windows\sysvz.exe
Removed File! : C:\Windows\syswt32.exe
Removed File! : C:\Windows\tlyph.dll
Removed File! : C:\Windows\tzeqi.dat
Removed File! : C:\Windows\vfcor.dll
Removed File! : C:\Windows\vkouo.dat
Removed File! : C:\Windows\vnrnf.dll
Removed File! : C:\Windows\vwpwg.dat
Removed File! : C:\Windows\winbm32.exe
Removed File! : C:\Windows\winbt.exe
Removed File! : C:\Windows\wingn32.exe
Removed File! : C:\Windows\winhu32.exe
Removed File! : C:\Windows\winsx32.exe
Removed File! : C:\Windows\winwg.exe
Removed File! : C:\Windows\xfuqx.dll
Removed File! : C:\Windows\ybdgk.dll
Removed File! : C:\Windows\yghmo.dat
Removed File! : C:\Windows\ykxcp.dll
Removed File! : C:\Windows\ysuar.dat
Removed File! : C:\Windows\System32\addbm32.exe
Removed File! : C:\Windows\System32\addfh32.exe
Removed File! : C:\Windows\System32\addhg.exe
Removed File! : C:\Windows\System32\apihc32.exe
Removed File! : C:\Windows\System32\apipt.exe
Removed File! : C:\Windows\System32\appaq.exe
Removed File! : C:\Windows\System32\appba32.exe
Removed File! : C:\Windows\System32\appfn32.exe
Removed File! : C:\Windows\System32\appga.exe
Removed File! : C:\Windows\System32\appkk32.exe
Removed File! : C:\Windows\System32\applc.exe
Removed File! : C:\Windows\System32\atldn.exe
Removed File! : C:\Windows\System32\atldr32.exe
Removed File! : C:\Windows\System32\atlnq32.exe
Removed File! : C:\Windows\System32\atlrf32.exe
Removed File! : C:\Windows\System32\bognz.dat
Removed File! : C:\Windows\System32\d3ea32.exe
Removed File! : C:\Windows\System32\d3jv.exe
Removed File! : C:\Windows\System32\dmulc.dat
Removed File! : C:\Windows\System32\eyjym.dat
Removed File! : C:\Windows\System32\fenjx.dll
Removed File! : C:\Windows\System32\fnbfn.dat
Removed File! : C:\Windows\System32\fpbly.dat
Removed File! : C:\Windows\System32\gompx.dll
Removed File! : C:\Windows\System32\gzylt.dat
Removed File! : C:\Windows\System32\hzqqu.dat
Removed File! : C:\Windows\System32\ieso32.exe
Removed File! : C:\Windows\System32\ievd32.exe
Removed File! : C:\Windows\System32\ipdl32.exe
Removed File! : C:\Windows\System32\javahg.exe
Removed File! : C:\Windows\System32\javaja32.exe
Removed File! : C:\Windows\System32\javarn.exe
Removed File! : C:\Windows\System32\javasn.exe
Removed File! : C:\Windows\System32\kguyx.dll
Removed File! : C:\Windows\System32\mbqjb.dll
Removed File! : C:\Windows\System32\mfcwx.exe
Removed File! : C:\Windows\System32\msdp.exe
Removed File! : C:\Windows\System32\mspc.exe
Removed File! : C:\Windows\System32\msqw32.exe
Removed File! : C:\Windows\System32\mssp.exe
Removed File! : C:\Windows\System32\msxg32.exe
Removed File! : C:\Windows\System32\msxk32.exe
Removed File! : C:\Windows\System32\netgb32.exe
Removed File! : C:\Windows\System32\netjo.exe
Removed File! : C:\Windows\System32\netxx32.exe
Removed File! : C:\Windows\System32\nlhaq.dat
Removed File! : C:\Windows\System32\ntfb32.exe
Removed File! : C:\Windows\System32\ntig32.exe
Removed File! : C:\Windows\System32\oamty.dat
Removed File! : C:\Windows\System32\pnyja.dll
Removed File! : C:\Windows\System32\qnbmy.dll
Removed File! : C:\Windows\System32\qqmev.dat
Removed File! : C:\Windows\System32\rbcyq.dat
Removed File! : C:\Windows\System32\rsmfl.dat
Removed File! : C:\Windows\System32\sysil32.exe
Removed File! : C:\Windows\System32\syswp.exe
Removed File! : C:\Windows\System32\uiefh.dat
Removed File! : C:\Windows\System32\vqxbv.dat
Removed File! : C:\Windows\System32\vvkkb.dll
Removed File! : C:\Windows\System32\vxtgv.dll
Removed File! : C:\Windows\System32\wdcxl.dat
Removed File! : C:\Windows\System32\wgngy.dat
Removed File! : C:\Windows\System32\winco.exe
Removed File! : C:\Windows\System32\windp.exe
Removed File! : C:\Windows\System32\winfw.exe
Removed File! : C:\Windows\System32\winfy.exe
Removed File! : C:\Windows\System32\winmk.exe
Removed File! : C:\Windows\System32\wintx.exe
Removed File! : C:\Windows\System32\wnjoq.dat
Removed File! : C:\Windows\System32\ybrix.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:09:54 PM

#7 Buckeye_Sam (Malware Expert)

Posted 01 June 2005 - 04:48 PM

You have the new strain of HSA, which is very persistent.

Reboot your computer into SAFE MODE


Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EAD01F30-8167-D510-8ED0-53B9B66F4880} - C:\WINDOWS\d3ve.dll
O4 - HKLM\..\Run: [netli32.exe] C:\WINDOWS\system32\netli32.exe
O4 - HKLM\..\RunOnce: [wineb.exe] C:\WINDOWS\wineb.exe
O4 - HKLM\..\RunOnce: [atljx.exe] C:\WINDOWS\atljx.exe
O4 - HKLM\..\RunOnce: [iejl32.exe] C:\WINDOWS\iejl32.exe
O4 - HKLM\..\RunOnce: [ntcm.exe] C:\WINDOWS\system32\ntcm.exe
O4 - HKLM\..\RunOnce: [addlt32.exe] C:\WINDOWS\system32\addlt32.exe
O4 - HKLM\..\RunOnce: [ieak32.exe] C:\WINDOWS\system32\ieak32.exe
O4 - HKLM\..\RunOnce: [sysfh32.exe] C:\WINDOWS\system32\sysfh32.exe
O4 - HKLM\..\RunOnce: [netjo.exe] C:\WINDOWS\system32\netjo.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\wineb.exe" /s (file missing)



Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.



Now run CWShredder, making sure to click "Fix".



Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\d3ve.dll
C:\WINDOWS\wineb.exe
C:\WINDOWS\atljx.exe
C:\WINDOWS\iejl32.exe
C:\WINDOWS\system32\hjdpe.dll
C:\WINDOWS\system32\ntcm.exe
C:\WINDOWS\system32\netli32.exe
C:\WINDOWS\system32\addlt32.exe
C:\WINDOWS\system32\ieak32.exe
C:\WINDOWS\system32\sysfh32.exe
C:\WINDOWS\system32\netjo.exe
C:\WINDOWS\System32\winsys.exe



Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.




Reboot back to normal mode.

Please run at least one of these online scans.
Make sure they are set to clean automatically:

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new HijackThis log, the AboutBuster log, and any info from your virus scans.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
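The entries in the fix list above share a handful of tells: search and start-page values pointing at a res:// page inside a random-named DLL, a default page forced to about:blank, a missing URLSearchHook, RunOnce droppers named <prefix>xx[32].exe sitting directly in %WINDIR% or system32, a BHO DLL with a four-to-five letter name in C:\WINDOWS, and a service with a garbage short name whose binary is missing. The script below is an added example (my own, not part of this thread and not a HijackThis or BleepingComputer tool) that runs those heuristics over HijackThis lines. The prefix list is an assumption drawn from the AboutBuster output in this thread, and the sample log is constructed from the entries quoted above plus a few of the clean entries from the later log.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: str    # the HijackThis entry that triggered a heuristic
    reason: str  # which heuristic matched


# Prefixes observed in the AboutBuster output in this thread (an assumption:
# other samples of the family may use a different set).
HSA_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
                "mfc", "ms", "net", "nt", "sdk", "sys", "win")

# <prefix><two random letters>[32].exe, e.g. netli32.exe, atljx.exe, d3yo.exe
HSA_EXE_RE = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.exe$" % "|".join(HSA_PREFIXES))
# short all-lowercase library names, e.g. hjdpe.dll, d3ve.dll, bucfi.dat
# (heuristic only: legitimate names such as msvcrt.dll also match)
RANDOM_LIB_RE = re.compile(r"^[a-z0-9]{4,6}\.(?:dll|dat)$")
# search/start page redirected into a resource inside a DLL
RES_HIJACK_RE = re.compile(r"res://\S+?\.dll/sp\.html#\d+", re.I)
# a file sitting directly in %WINDIR% or %WINDIR%\system32, nowhere deeper
WINDIR_FILE_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?([^\\]+)$", re.I)
# any drive-letter path, read up to whitespace, a quote or a comma
PATH_RE = re.compile(r"[a-z]:\\[^\s\",]+", re.I)
# O4 value name and the command it launches, e.g. [netli32.exe] C:\...
O4_NAME_RE = re.compile(r"^O4 - .*?\[([^\]]+)\]\s+(.*)$")
# O23 service short name in parentheses, e.g. (Avg7Alrt)
O23_SHORT_RE = re.compile(r"^O23 - Service: .*?\(([^)]*)\) - ")
GARBAGE_RE = re.compile(r"[^A-Za-z0-9 _.\-]")


def suspicious_windir_file(path: str):
    """Reason string if `path` is a random-named file directly under
    %WINDIR% or system32, otherwise None."""
    m = WINDIR_FILE_RE.match(path)
    if not m:
        return None
    name = m.group(1)
    if HSA_EXE_RE.match(name):
        return "random <prefix>xx[32].exe in %WINDIR%: " + name
    if RANDOM_LIB_RE.match(name):
        return "random short .dll/.dat in %WINDIR%: " + name
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over each HijackThis line; one Finding per hit."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.startswith(("R0 ", "R1 ")):
            if RES_HIJACK_RE.search(line):
                reasons.append("search/start page redirected to a res:// DLL page")
            elif line.endswith("= about:blank"):
                reasons.append("start/default page forced to about:blank")
        if line.startswith("R3 ") and "URLSearchHook is missing" in line:
            reasons.append("default URLSearchHook missing")
        if line.startswith(("O2 ", "O4 ", "O23 ")):
            for path in PATH_RE.findall(line):
                why = suspicious_windir_file(path)
                if why:
                    reasons.append(why)
        m = O4_NAME_RE.match(line)
        if m and m.group(1).lower().endswith(".exe"):
            targets = PATH_RE.findall(m.group(2))
            actual = targets[0].rsplit("\\", 1)[-1] if targets else ""
            if actual and actual.lower() != m.group(1).lower():
                reasons.append("O4 value name %s launches a different file %s"
                               % (m.group(1), actual))
        m = O23_SHORT_RE.match(line)
        if m and GARBAGE_RE.search(m.group(1)):
            reasons.append("service short name contains garbage characters")
        if line.startswith("O23 ") and "(file missing)" in line:
            reasons.append("service binary reported missing (review: unquoted paths cause this too)")
        findings.extend(Finding(line, r) for r in reasons)
    return findings


# Constructed sample: the fix-list entries from this thread plus a few clean
# entries from the later log, to show what does not trigger.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hjdpe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EAD01F30-8167-D510-8ED0-53B9B66F4880} - C:\WINDOWS\d3ve.dll
O4 - HKLM\..\Run: [netli32.exe] C:\WINDOWS\system32\netli32.exe
O4 - HKLM\..\RunOnce: [atljx.exe] C:\WINDOWS\atljx.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\winsys.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\wineb.exe" /s (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-55s  %s" % (f.reason, f.line[:70]))
```

Treat hits as review candidates, not verdicts. The NvCpl and AVG entries in the sample pass because their names are mixed-case or live outside %WINDIR%, while the ColdFusion service line is flagged only for "(file missing)", which HijackThis reports because the service path is unquoted, not because anything is wrong with it.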


========================================================

#8 wagner12 (Topic Starter)

Posted 02 June 2005 - 02:17 PM

Hey, here is my new HJT log. Everything went well, except when I rebooted my computer a warning came up saying something about wineb.exe, and also when I used the online virus scan Java Byteever.A was the only problem. It's located in C:\documentsandsettings\juddwagner\applicationdata\sun\java\seployment\cache\javapi\v1.0\file\dummy.classsaaceb0e-4f311esf.class

Also, I'm going to be moving here shortly, possibly today, and I might not have internet till the 13th, I think it is. If this is a problem let me know.

Thanks again

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:12:43 PM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\JUDDWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

AB log file

AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [11:32:39 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\001303_.tmp:emflm
Removed Stream! C:\WINDOWS\001303_.tmp:meugj
Removed Stream! C:\WINDOWS\Abstract 8.jpg:pgtfws
Removed Stream! C:\WINDOWS\AllState.ini:qubyqo
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:rlgqys
Removed Stream! C:\WINDOWS\Corrupted Vortex.jpg:eqcgb
Removed Stream! C:\WINDOWS\crins.txt:ymdaxw
Removed Stream! C:\WINDOWS\Dir.log:kbvvs
Removed Stream! C:\WINDOWS\Dir.log:smnes
Removed Stream! C:\WINDOWS\ecubd.log:ryvny
Removed Stream! C:\WINDOWS\entpack.ini:uroqu
Removed Stream! C:\WINDOWS\explorer.scf:mhjdp
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:xqpfhz
Removed Stream! C:\WINDOWS\Greenstone.bmp:xmhwrj
Removed Stream! C:\WINDOWS\high XP.bmp:xsnqi
Removed Stream! C:\WINDOWS\hinwd.txt:bilpe
Removed Stream! C:\WINDOWS\imsins.BAK:nmucr
Removed Stream! C:\WINDOWS\imsins.log:jszvf
Removed Stream! C:\WINDOWS\imsins.log:mjoib
Removed Stream! C:\WINDOWS\imsins.log:pbktnf
Removed Stream! C:\WINDOWS\install_AdvSecMig.log:lldiay
Removed Stream! C:\WINDOWS\install_CFGraph.log:uaqbaq
Removed Stream! C:\WINDOWS\isncfg.dat:xcomkf
Removed Stream! C:\WINDOWS\KB823559.log:silgx
Removed Stream! C:\WINDOWS\KB828035.log:cwiwyb
Removed Stream! C:\WINDOWS\KB835732.log:rionm
Removed Stream! C:\WINDOWS\KB835732.log:uwacbm
Removed Stream! C:\WINDOWS\KB839645.log:zcehq
Removed Stream! C:\WINDOWS\KB841873.log:vhgxq
Removed Stream! C:\WINDOWS\KB867282.log:wftam
Removed Stream! C:\WINDOWS\KB873333.log:hdgmz
Removed Stream! C:\WINDOWS\KB873339.log:tkhes
Removed Stream! C:\WINDOWS\KB873339.log:vntpnc
Removed Stream! C:\WINDOWS\KB885835.log:vzasp
Removed Stream! C:\WINDOWS\KB885884.log:vuowut
Removed Stream! C:\WINDOWS\KB886185.log:jxqun
Removed Stream! C:\WINDOWS\kesub.txt:ytsqm
Removed Stream! C:\WINDOWS\lqjgz.log:lhumlb
Removed Stream! C:\WINDOWS\MEMORY.DMP:vfosg
Removed Stream! C:\WINDOWS\mmrat.txt:wixxio
Removed Stream! C:\WINDOWS\msdfmap.ini:pepea
Removed Stream! C:\WINDOWS\MSGSOCM.LOG:kqczz
Removed Stream! C:\WINDOWS\msmqinst.log:opjwa
Removed Stream! C:\WINDOWS\myhdq.log:hkapeb
Removed Stream! C:\WINDOWS\ntbtlog.txt:zdtvgl
Removed Stream! C:\WINDOWS\ntdtcsetup.log:bznmqw
Removed Stream! C:\WINDOWS\ntdtcsetup.log:iuebwy
Removed Stream! C:\WINDOWS\n_gfhxhz.dat:uygum
Removed Stream! C:\WINDOWS\OCGEN.LOG:tsgrk
Removed Stream! C:\WINDOWS\ODBCINST.INI:ltzxmj
Removed Stream! C:\WINDOWS\orun32.ini:eujkhu
Removed Stream! C:\WINDOWS\pnplog.txt:oucpjw
Removed Stream! C:\WINDOWS\Q306676.log:hvuvdg
Removed Stream! C:\WINDOWS\Q310601.log:ivipf
Removed Stream! C:\WINDOWS\Q311967.log:gvptx
Removed Stream! C:\WINDOWS\Q315403.log:cbggmd
Removed Stream! C:\WINDOWS\Q331953.log:llzmoi
Removed Stream! C:\WINDOWS\Q810565.log:gtouo
Removed Stream! C:\WINDOWS\Q810565.log:jzeyd
Removed Stream! C:\WINDOWS\Q810565.log:xwnwtq
Removed Stream! C:\WINDOWS\Q810833.log:jfahf
Removed Stream! C:\WINDOWS\Q811493.log:etelp
Removed Stream! C:\WINDOWS\Q811493.log:etelpd
Removed Stream! C:\WINDOWS\Q815021.log:wuwqro
Removed Stream! C:\WINDOWS\Q817287.log:henbu
Removed Stream! C:\WINDOWS\Q819696.log:hvhelq
Removed Stream! C:\WINDOWS\REGLOCS.OLD:ftcsb
Removed Stream! C:\WINDOWS\REGOPT.LOG:zbpfxf
Removed Stream! C:\WINDOWS\safestate.jpg:ynecf
Removed Stream! C:\WINDOWS\SBWIN.INI:arinyg
Removed Stream! C:\WINDOWS\setup.log:vrcyls
Removed Stream! C:\WINDOWS\Smooth Gray.jpg:csqsi
Removed Stream! C:\WINDOWS\spupdsvc.log:jswetj
Removed Stream! C:\WINDOWS\spupdsvc.log:vqwwp
Removed Stream! C:\WINDOWS\spznp.log:saosl
Removed Stream! C:\WINDOWS\ueymi.log:rhzyrx
Removed Stream! C:\WINDOWS\updspapi.log:quzla
Removed Stream! C:\WINDOWS\VBADDIN.INI:dewhf
Removed Stream! C:\WINDOWS\VBADDIN.INI:dewhfs
Removed Stream! C:\WINDOWS\VMINST.LOG:kaduk
Removed Stream! C:\WINDOWS\vntpn.txt:bwcvw
Removed Stream! C:\WINDOWS\vntpn.txt:wniue
Removed Stream! C:\WINDOWS\vrcyl.txt:ceiry
Removed Stream! C:\WINDOWS\wavywinxp.jpg:vfpvhv
Removed Stream! C:\WINDOWS\WIASERVC.LOG:ofiabf
Removed Stream! C:\WINDOWS\WIN.INI:hqaff
Removed Stream! C:\WINDOWS\Windows Update.log:qyluwf
Removed Stream! C:\WINDOWS\Windows Update.log:wqueau
Removed Stream! C:\WINDOWS\winnt.bmp:xrwri
Removed Stream! C:\WINDOWS\wmsetup.log:hbdskk
Removed Stream! C:\WINDOWS\wsdu.log:rqetz
Removed Stream! C:\WINDOWS\xmtvv.log:mosnlm
Removed Stream! C:\WINDOWS\xncxn.txt:wgwyz
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:aiykfm
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:akewx
------------------------------------------------
Removed File! : C:\Windows\addel.exe
Removed File! : C:\Windows\apifg.exe
Removed File! : C:\Windows\appnp.exe
Removed File! : C:\Windows\coudm.dll
Removed File! : C:\Windows\crny.exe
Removed File! : C:\Windows\crrg32.exe
Removed File! : C:\Windows\javaio.exe
Removed File! : C:\Windows\javaup32.exe
Removed File! : C:\Windows\msub.exe
Removed File! : C:\Windows\netzj.exe
Removed File! : C:\Windows\ntkm.exe
Removed File! : C:\Windows\pnepr.dat
Removed File! : C:\Windows\snqif.dll
Removed File! : C:\Windows\winlf32.exe
Removed File! : C:\Windows\zxiok.dll
Removed File! : C:\Windows\System32\addlt32.exe
Removed File! : C:\Windows\System32\apibd.exe
Removed File! : C:\Windows\System32\apiss32.exe
Removed File! : C:\Windows\System32\apixs.exe
Removed File! : C:\Windows\System32\atlxk.exe
Removed File! : C:\Windows\System32\crmz32.exe
Removed File! : C:\Windows\System32\crpo.exe
Removed File! : C:\Windows\System32\fmlvc.dat
Removed File! : C:\Windows\System32\hjdpe.dll
Removed File! : C:\Windows\System32\hwiko.dll
Removed File! : C:\Windows\System32\ibvgi.dat
Removed File! : C:\Windows\System32\ierr32.exe
Removed File! : C:\Windows\System32\ipxe.exe
Removed File! : C:\Windows\System32\javaer.exe
Removed File! : C:\Windows\System32\javagi32.exe
Removed File! : C:\Windows\System32\msws32.exe
Removed File! : C:\Windows\System32\netjo.exe
Removed File! : C:\Windows\System32\netli32.exe
Removed File! : C:\Windows\System32\netqv.exe
Removed File! : C:\Windows\System32\nthv32.exe
Removed File! : C:\Windows\System32\ntre.exe
Removed File! : C:\Windows\System32\ogdup.dat
Removed File! : C:\Windows\System32\qnofz.dat
Removed File! : C:\Windows\System32\sassr.dll
Removed File! : C:\Windows\System32\winju32.exe
Removed File! : C:\Windows\System32\winli32.exe
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:34:38 AM

#9 Buckeye_Sam (Malware Expert)

Posted 03 June 2005 - 06:00 AM

That last round seemed to do the trick, because your log is clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


========================================================
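The six Internet-zone settings in the post above are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), so they can be applied to many profiles, or re-checked after a cleanup, without clicking through the dialog. The script below is an added example, my own and not a tool from this thread or from Microsoft. It assumes the action IDs and the 0 = Enable / 1 = Prompt / 3 = Disable meanings documented in Microsoft KB 182569 ("Internet Explorer security zones registry entries for advanced users"); the choice of settings is exactly the list in the post, and the sample export is constructed, not taken from the poster's machine.

```python
import re
from typing import Dict, List, Tuple

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")            # zone 3 = Internet

ENABLE, PROMPT, DISABLE = 0, 1, 3                      # action values per KB 182569

# action id -> (setting name as shown in the IE dialog, required value)
POLICY: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def render_reg(policy=POLICY, key=ZONE_KEY) -> str:
    """Build a Regedit 5 .reg file that sets every action in `policy`."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % key]
    for action, (name, value) in sorted(policy.items()):
        lines.append("; %s" % name)                    # ';' lines are .reg comments
        lines.append('"%s"=dword:%08x' % (action, value))
    return "\r\n".join(lines) + "\r\n"


_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the dword values of a .reg export into {key: {name: int}}.
    String and binary values are ignored; they are not needed here."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit(exported: str, policy=POLICY, key=ZONE_KEY) -> List[str]:
    """One message per action whose exported value is not the required one.
    An absent value means the zone template default applies; it is reported
    so the operator decides rather than assuming the default is safe."""
    values = parse_reg(exported).get(key, {})
    problems = []
    for action, (name, required) in sorted(policy.items()):
        actual = values.get(action)
        if actual != required:
            problems.append("%s (%s): found %s, want %d" % (
                name, action, "absent" if actual is None else actual, required))
    return problems


# Constructed sample of a `reg export` of Zones\3 from a machine that still
# allows unsigned ActiveX downloads and silent desktop-item installs.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE_EXPORT):
        print(problem)
    print(render_reg())
```

Write the rendered text to a file and import it with `regedit /s ie-zone3.reg` while logged in as the user in question (the settings are per-user, under HKCU); afterwards `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and feeding that file to audit() confirms nothing reset them.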



