hjt log


  • This topic is locked
15 replies to this topic

#1 davidboundy


Posted 18 July 2005 - 04:33 AM

My problems are as follows:

1. Computer has slowed down.
2. I keep getting favorites put into my favorites that I don't ask for, and when I remove them they keep coming back.
3. I get pop up advertisements that keep coming up (even though I have pop up blocker on).
4. I keep getting my default home page changed to "about:blank" and it starts up when I start my computer up.

I would appreciate any help given. I have used Spybot Search and Destroy and Ad-Aware. They keep finding problems, I fix them, and then when I use them again they find the infection again.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:28, on 18/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\sysoo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C2FA80DA-98A5-92AA-61BD-3EDED8569F27} - C:\WINDOWS\sysyw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\david\LOCALS~1\Temp\6.tmp" /m
O4 - HKLM\..\Run: [sysoo.exe] C:\WINDOWS\sysoo.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [mfcfj32.exe] C:\WINDOWS\mfcfj32.exe
O4 - HKLM\..\RunOnce: [sdkpg32.exe] C:\WINDOWS\system32\sdkpg32.exe
O4 - HKLM\..\RunOnce: [wintp32.exe] C:\WINDOWS\wintp32.exe
O4 - HKLM\..\RunOnce: [javayr.exe] C:\WINDOWS\system32\javayr.exe
O4 - HKLM\..\RunOnce: [mfcxr32.exe] C:\WINDOWS\system32\mfcxr32.exe
O4 - HKLM\..\RunOnce: [atlgx32.exe] C:\WINDOWS\atlgx32.exe
O4 - HKLM\..\RunOnce: [iemr.exe] C:\WINDOWS\iemr.exe
O4 - HKLM\..\RunOnce: [apiio32.exe] C:\WINDOWS\system32\apiio32.exe
O4 - HKLM\..\RunOnce: [mfctw32.exe] C:\WINDOWS\system32\mfctw32.exe
O4 - HKLM\..\RunOnce: [ntlh32.exe] C:\WINDOWS\ntlh32.exe
O4 - HKLM\..\RunOnce: [atlqj32.exe] C:\WINDOWS\atlqj32.exe
O4 - HKLM\..\RunOnce: [ntdr.exe] C:\WINDOWS\ntdr.exe
O4 - HKLM\..\RunOnce: [atlqb.exe] C:\WINDOWS\system32\atlqb.exe
O4 - HKLM\..\RunOnce: [sdkby.exe] C:\WINDOWS\system32\sdkby.exe
O4 - HKLM\..\RunOnce: [apiec.exe] C:\WINDOWS\system32\apiec.exe
O4 - HKLM\..\RunOnce: [atlrz32.exe] C:\WINDOWS\atlrz32.exe
O4 - HKLM\..\RunOnce: [mswu.exe] C:\WINDOWS\mswu.exe
O4 - HKLM\..\RunOnce: [sdkpk32.exe] C:\WINDOWS\system32\sdkpk32.exe
O4 - HKLM\..\RunOnce: [atlvm.exe] C:\WINDOWS\atlvm.exe
O4 - HKLM\..\RunOnce: [javaig32.exe] C:\WINDOWS\javaig32.exe
O4 - HKLM\..\RunOnce: [apiwo.exe] C:\WINDOWS\apiwo.exe
O4 - HKLM\..\RunOnce: [ipkr32.exe] C:\WINDOWS\ipkr32.exe
O4 - HKLM\..\RunOnce: [mfcwa.exe] C:\WINDOWS\system32\mfcwa.exe
O4 - HKLM\..\RunOnce: [iecv32.exe] C:\WINDOWS\iecv32.exe
O4 - HKLM\..\RunOnce: [ntqd.exe] C:\WINDOWS\system32\ntqd.exe
O4 - HKLM\..\RunOnce: [appfd.exe] C:\WINDOWS\appfd.exe
O4 - HKLM\..\RunOnce: [sysxc.exe] C:\WINDOWS\sysxc.exe
O4 - HKLM\..\RunOnce: [javaws32.exe] C:\WINDOWS\javaws32.exe
O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\mfcbu.exe
O4 - HKLM\..\RunOnce: [mspq32.exe] C:\WINDOWS\system32\mspq32.exe
O4 - HKLM\..\RunOnce: [atlzn32.exe] C:\WINDOWS\atlzn32.exe
O4 - HKLM\..\RunOnce: [ieyc.exe] C:\WINDOWS\system32\ieyc.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\system32\sdkxs32.exe
O4 - HKLM\..\RunOnce: [mshr.exe] C:\WINDOWS\system32\mshr.exe
O4 - HKLM\..\RunOnce: [ipvl.exe] C:\WINDOWS\system32\ipvl.exe
O4 - HKLM\..\RunOnce: [atlor32.exe] C:\WINDOWS\system32\atlor32.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\system32\mfcib32.exe
O4 - HKLM\..\RunOnce: [ieod.exe] C:\WINDOWS\system32\ieod.exe
O4 - HKLM\..\RunOnce: [javahu32.exe] C:\WINDOWS\javahu32.exe
O4 - HKLM\..\RunOnce: [wincf32.exe] C:\WINDOWS\system32\wincf32.exe
O4 - HKLM\..\RunOnce: [winup.exe] C:\WINDOWS\winup.exe
O4 - HKLM\..\RunOnce: [javatx32.exe] C:\WINDOWS\javatx32.exe
O4 - HKLM\..\RunOnce: [ntcv32.exe] C:\WINDOWS\system32\ntcv32.exe
O4 - HKLM\..\RunOnce: [msgf32.exe] C:\WINDOWS\system32\msgf32.exe
O4 - HKLM\..\RunOnce: [addze32.exe] C:\WINDOWS\system32\addze32.exe
O4 - HKLM\..\RunOnce: [d3fg.exe] C:\WINDOWS\system32\d3fg.exe
O4 - HKLM\..\RunOnce: [javang.exe] C:\WINDOWS\javang.exe
O4 - HKLM\..\RunOnce: [winyd32.exe] C:\WINDOWS\system32\winyd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe



#2 Omerr


Posted 18 July 2005 - 07:10 AM

Hello and welcome to BleepingComputer.

I am currently reviewing your log. Please understand that in order to give you the best answer to your problem, I must dedicate time and thought to your log, so please be patient with me.

I will come back to you with an answer as soon as possible.

Omer.

#3 Omerr


Posted 18 July 2005 - 07:53 AM

Hello and welcome to BleepingComputer.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

NOTE: you have the following website as a proxy server: http://www-cach.freeserve.net/:8080. Are you interested in it? It certainly may be the cause for your slow-down.

Download AboutBuster, and unzip it to a folder on your Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Download CleanUp! and install it. Do NOT run it yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This -> Config -> Misc. Tools -> Open process manager. Select the following and click “Kill process” for each one (if they still exist; you must kill them one at a time).

C:\WINDOWS\sysoo.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C2FA80DA-98A5-92AA-61BD-3EDED8569F27} - C:\WINDOWS\sysyw.dll
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\david\LOCALS~1\Temp\6.tmp" /m
O4 - HKLM\..\Run: [sysoo.exe] C:\WINDOWS\sysoo.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [mfcfj32.exe] C:\WINDOWS\mfcfj32.exe
O4 - HKLM\..\RunOnce: [sdkpg32.exe] C:\WINDOWS\system32\sdkpg32.exe
O4 - HKLM\..\RunOnce: [wintp32.exe] C:\WINDOWS\wintp32.exe
O4 - HKLM\..\RunOnce: [javayr.exe] C:\WINDOWS\system32\javayr.exe
O4 - HKLM\..\RunOnce: [mfcxr32.exe] C:\WINDOWS\system32\mfcxr32.exe
O4 - HKLM\..\RunOnce: [atlgx32.exe] C:\WINDOWS\atlgx32.exe
O4 - HKLM\..\RunOnce: [iemr.exe] C:\WINDOWS\iemr.exe
O4 - HKLM\..\RunOnce: [apiio32.exe] C:\WINDOWS\system32\apiio32.exe
O4 - HKLM\..\RunOnce: [mfctw32.exe] C:\WINDOWS\system32\mfctw32.exe
O4 - HKLM\..\RunOnce: [ntlh32.exe] C:\WINDOWS\ntlh32.exe
O4 - HKLM\..\RunOnce: [atlqj32.exe] C:\WINDOWS\atlqj32.exe
O4 - HKLM\..\RunOnce: [ntdr.exe] C:\WINDOWS\ntdr.exe
O4 - HKLM\..\RunOnce: [atlqb.exe] C:\WINDOWS\system32\atlqb.exe
O4 - HKLM\..\RunOnce: [sdkby.exe] C:\WINDOWS\system32\sdkby.exe
O4 - HKLM\..\RunOnce: [apiec.exe] C:\WINDOWS\system32\apiec.exe
O4 - HKLM\..\RunOnce: [atlrz32.exe] C:\WINDOWS\atlrz32.exe
O4 - HKLM\..\RunOnce: [mswu.exe] C:\WINDOWS\mswu.exe
O4 - HKLM\..\RunOnce: [sdkpk32.exe] C:\WINDOWS\system32\sdkpk32.exe
O4 - HKLM\..\RunOnce: [atlvm.exe] C:\WINDOWS\atlvm.exe
O4 - HKLM\..\RunOnce: [javaig32.exe] C:\WINDOWS\javaig32.exe
O4 - HKLM\..\RunOnce: [apiwo.exe] C:\WINDOWS\apiwo.exe
O4 - HKLM\..\RunOnce: [ipkr32.exe] C:\WINDOWS\ipkr32.exe
O4 - HKLM\..\RunOnce: [mfcwa.exe] C:\WINDOWS\system32\mfcwa.exe
O4 - HKLM\..\RunOnce: [iecv32.exe] C:\WINDOWS\iecv32.exe
O4 - HKLM\..\RunOnce: [ntqd.exe] C:\WINDOWS\system32\ntqd.exe
O4 - HKLM\..\RunOnce: [appfd.exe] C:\WINDOWS\appfd.exe
O4 - HKLM\..\RunOnce: [sysxc.exe] C:\WINDOWS\sysxc.exe
O4 - HKLM\..\RunOnce: [javaws32.exe] C:\WINDOWS\javaws32.exe
O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\mfcbu.exe
O4 - HKLM\..\RunOnce: [mspq32.exe] C:\WINDOWS\system32\mspq32.exe
O4 - HKLM\..\RunOnce: [atlzn32.exe] C:\WINDOWS\atlzn32.exe
O4 - HKLM\..\RunOnce: [ieyc.exe] C:\WINDOWS\system32\ieyc.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\system32\sdkxs32.exe
O4 - HKLM\..\RunOnce: [mshr.exe] C:\WINDOWS\system32\mshr.exe
O4 - HKLM\..\RunOnce: [ipvl.exe] C:\WINDOWS\system32\ipvl.exe
O4 - HKLM\..\RunOnce: [atlor32.exe] C:\WINDOWS\system32\atlor32.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\system32\mfcib32.exe
O4 - HKLM\..\RunOnce: [ieod.exe] C:\WINDOWS\system32\ieod.exe
O4 - HKLM\..\RunOnce: [javahu32.exe] C:\WINDOWS\javahu32.exe
O4 - HKLM\..\RunOnce: [wincf32.exe] C:\WINDOWS\system32\wincf32.exe
O4 - HKLM\..\RunOnce: [winup.exe] C:\WINDOWS\winup.exe
O4 - HKLM\..\RunOnce: [javatx32.exe] C:\WINDOWS\javatx32.exe
O4 - HKLM\..\RunOnce: [ntcv32.exe] C:\WINDOWS\system32\ntcv32.exe
O4 - HKLM\..\RunOnce: [msgf32.exe] C:\WINDOWS\system32\msgf32.exe
O4 - HKLM\..\RunOnce: [addze32.exe] C:\WINDOWS\system32\addze32.exe
O4 - HKLM\..\RunOnce: [d3fg.exe] C:\WINDOWS\system32\d3fg.exe
O4 - HKLM\..\RunOnce: [javang.exe] C:\WINDOWS\javang.exe
O4 - HKLM\..\RunOnce: [winyd32.exe] C:\WINDOWS\system32\winyd32.exe


Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\sysoo.exe
C:\WINDOWS\wmtdr.dll
C:\WINDOWS\sysyw.dll
C:\WINDOWS\iedy32.exe
C:\WINDOWS\mfcfj32.exe
c:\windows\system32\sdkpg32.exe
C:\WINDOWS\wintp32.exe
c:\windows\system32\javayr.exe
c:\windows\system32\mfcxr32.exe
C:\WINDOWS\atlgx32.exe
C:\WINDOWS\iemr.exe
c:\windows\system32\apiio32.exe
c:\windows\system32\mfctw32.exe
C:\WINDOWS\ntlh32.exe
C:\WINDOWS\atlqj32.exe
C:\WINDOWS\ntdr.exe
c:\windows\system32\atlqb.exe
c:\windows\system32\sdkby.exe
c:\windows\system32\apiec.exe
C:\WINDOWS\atlrz32.exe
C:\WINDOWS\mswu.exe
c:\windows\system32\sdkpk32.exe
C:\WINDOWS\atlvm.exe
C:\WINDOWS\javaig32.exe
C:\WINDOWS\apiwo.exe
C:\WINDOWS\ipkr32.exe
c:\windows\system32\mfcwa.exe
C:\WINDOWS\iecv32.exe
c:\windows\system32\ntqd.exe
C:\WINDOWS\appfd.exe
C:\WINDOWS\sysxc.exe
C:\WINDOWS\javaws32.exe
C:\WINDOWS\mfcbu.exe
c:\windows\system32\mspq32.exe
C:\WINDOWS\atlzn32.exe
c:\windows\system32\ieyc.exe
c:\windows\system32\sdkxs32.exe
c:\windows\system32\mshr.exe
c:\windows\system32\ipvl.exe
c:\windows\system32\atlor32.exe
c:\windows\system32\mfcib32.exe
c:\windows\system32\ieod.exe
C:\WINDOWS\javahu32.exe
c:\windows\system32\wincf32.exe
C:\WINDOWS\winup.exe
C:\WINDOWS\javatx32.exe
c:\windows\system32\ntcv32.exe
c:\windows\system32\msgf32.exe
c:\windows\system32\addze32.exe
c:\windows\system32\d3fg.exe
C:\WINDOWS\javang.exe
c:\windows\system32\winyd32.exe


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
1) Click "Options..."
2) Move the arrow down to "Custom CleanUp!"
3) Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
4) Uncheck the following:
  • Scan local drives for temporary files
5) Click OK
6) Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, move them now!!!


Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, along with Panda ActiveScan’s log, so we can make sure your system is clean.
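
The entries picked out in the post above share a few visible patterns: IE settings pointing at a `res://` page inside a DLL in the Windows directory, a BHO DLL sitting directly in `C:\WINDOWS`, autostart values named after their own executable in `C:\WINDOWS` or `system32`, and a Run entry launching from a Temp folder. As an added example (not part of the original post, and not HijackThis or HijackThis Analyzer code), this sketch parses HijackThis log lines and flags only those patterns; the function names, rule names and the small allow-list are assumptions made for illustration, and the sample lines are copied from the log in post #1.

```python
import ntpath
import re

# Lines copied from the HijackThis log in post #1 (a subset, embedded so this runs offline).
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wmtdr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C2FA80DA-98A5-92AA-61BD-3EDED8569F27} - C:\WINDOWS\sysyw.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\david\LOCALS~1\Temp\6.tmp" /m
O4 - HKLM\..\Run: [sysoo.exe] C:\WINDOWS\sysoo.exe
O4 - HKLM\..\RunOnce: [sdkpg32.exe] C:\WINDOWS\system32\sdkpg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
'''

WINDOWS_ROOTS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: ctfmon.exe is a standard Windows component that registers under its
# own file name; the helper in this thread left that entry unchecked.
KNOWN_GOOD = {"ctfmon.exe"}

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
RES_RE = re.compile(r"= res://([^/]+)/", re.I)
BHO_RE = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.+)$")


def in_windows_root(path):
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return ntpath.dirname(path).lower() in WINDOWS_ROOTS


def target_path(cmd):
    """Extract the executable path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut after the first file extension so trailing arguments are dropped.
    m = re.match(r"(.+?\.\w{3})(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def triage(log):
    """Return (rule, line) pairs for entries matching the four patterns above."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        if section in ("R0", "R1"):
            res = RES_RE.search(body)
            if res and res.group(1).lower().endswith(".dll") and in_windows_root(res.group(1)):
                findings.append(("ie-setting-res-dll", line))
        elif section == "O2":
            bho = BHO_RE.match(body)
            if bho and in_windows_root(bho.group(1)):
                findings.append(("bho-in-windows-root", line))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # e.g. "Global Startup" shortcuts, not handled here
            _key, name, cmd = o4.groups()
            path = target_path(cmd)
            base = ntpath.basename(path).lower()
            if "\\temp\\" in path.lower():
                findings.append(("autostart-from-temp", line))
            elif name.lower() == base and in_windows_root(path) and base not in KNOWN_GOOD:
                findings.append(("self-named-autostart", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:22} {line}")
```

Because the rules match on where a file sits and how its entry is named rather than on a specific file name, the renamed entries in the follow-up log later in this thread (`qhowz.dll`, `ipqo.exe`) are flagged the same way. A match is a prompt for review, not a verdict.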

#4 davidboundy


Posted 18 July 2005 - 12:08 PM

Thanks for your quick response.

I think I have done everything right, but it still seems the same.

Your first question about http://www-cach.freeserve.net/:8080 being the proxy server: I don't know if I need this; the only thing I think it can have to do with is my broadband provider, which is Wanadoo, which bought Freeserve a couple of years ago.

Here is the AboutBuster log file:

AboutBuster 5.0 reference file 30
Scan started on [18/07/2005] at [16:00:05]
------------------------------------------------
Removed Stream! C:\WINDOWS\0-wlancfg.log:vpkui
Removed Stream! C:\WINDOWS\000001_.tmp:tuilo
Removed Stream! C:\WINDOWS\3-wlancfg.log:hvodb
Removed Stream! C:\WINDOWS\4-wlancfg.log:bjkmh
Removed Stream! C:\WINDOWS\AMS2INST.LOG:yycxl
Removed Stream! C:\WINDOWS\DESKTOP.INI:ygupa
Removed Stream! C:\WINDOWS\DtcInstall.log:saumcf
Removed Stream! C:\WINDOWS\EventSystem.log:ihoug
Removed Stream! C:\WINDOWS\feaqu.log:zbqgb
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:duxxya
Removed Stream! C:\WINDOWS\Greenstone.bmp:tjrfc
Removed Stream! C:\WINDOWS\IIS6.LOG:iwnre
Removed Stream! C:\WINDOWS\InvInstaller.log:nfvfg
Removed Stream! C:\WINDOWS\jqkgp.dat:fggki
Removed Stream! C:\WINDOWS\KB823559.log:macsd
Removed Stream! C:\WINDOWS\KB823980.log:xgcio
Removed Stream! C:\WINDOWS\KB873333.log:swmjd
Removed Stream! C:\WINDOWS\KB873339.log:tkwyv
Removed Stream! C:\WINDOWS\KB883939.log:uqqym
Removed Stream! C:\WINDOWS\KB885835.log:cuzlp
Removed Stream! C:\WINDOWS\KB885836.log:dvyph
Removed Stream! C:\WINDOWS\KB888113.log:igrnd
Removed Stream! C:\WINDOWS\KB890047.log:jquyu
Removed Stream! C:\WINDOWS\KB890859.log:wnsrd
Removed Stream! C:\WINDOWS\KB893086.log:nsemjw
Removed Stream! C:\WINDOWS\kzvfc.txt:arymz
Removed Stream! C:\WINDOWS\ModemLog_PCTEL 2304WT V.92 MDC Modem.txt:txdfoe
Removed Stream! C:\WINDOWS\netfxocm.log:txdhyq
Removed Stream! C:\WINDOWS\ntdtcsetup.log:abqrs
Removed Stream! C:\WINDOWS\OCGEN.LOG:myontb
Removed Stream! C:\WINDOWS\ocnrm.txt:mluvra
Removed Stream! C:\WINDOWS\ODBCINST.INI:dvtkp
Removed Stream! C:\WINDOWS\OEWABLog.txt:crlnc
Removed Stream! C:\WINDOWS\OOBEACT.LOG:scyqr
Removed Stream! C:\WINDOWS\otocd.dat:uechz
Removed Stream! C:\WINDOWS\photoimpression.ini:xcylpk
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:mkefs
Removed Stream! C:\WINDOWS\Q306676.log:qdqqru
Removed Stream! C:\WINDOWS\Q328310.log:nexnj
Removed Stream! C:\WINDOWS\Q329115.log:elftq
Removed Stream! C:\WINDOWS\Q814033.log:blmvrx
Removed Stream! C:\WINDOWS\Q814033.log:hjfgk
Removed Stream! C:\WINDOWS\Q819696.log:umfjtz
Removed Stream! C:\WINDOWS\Rhododendron.bmp:epytw
Removed Stream! C:\WINDOWS\setupapi.log:zttdae
Removed Stream! C:\WINDOWS\setupapi.log.0.old:mylhh
Removed Stream! C:\WINDOWS\SETUPLOG.TXT:jakpg
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:lmgma
Removed Stream! C:\WINDOWS\speakfre.ini:cuxowq
Removed Stream! C:\WINDOWS\speakfre.ini:iksgw
Removed Stream! C:\WINDOWS\spupdsvc.log:vqfqst
Removed Stream! C:\WINDOWS\Sti_Trace.log:rjjpc
Removed Stream! C:\WINDOWS\SYSTEM.INI:frydmd
Removed Stream! C:\WINDOWS\WINNT256.BMP:fvxvkn
Removed Stream! C:\WINDOWS\WMSysPr9.prx:xnpbmx
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:avbei
------------------------------------------------
Removed File! : C:\Windows\ijuls.dll
Removed File! : C:\Windows\jqkgp.dat
Removed File! : C:\Windows\kzras.dat
Removed File! : C:\Windows\sdicp.dat
Removed File! : C:\Windows\twpxw.dat
Removed File! : C:\Windows\wmtdr.dll
Removed File! : C:\Windows\xxtfn.dat
Removed File! : C:\Windows\System32\bggkx.dat
Removed File! : C:\Windows\System32\gpfef.dat
Removed File! : C:\Windows\System32\sarmr.dat
Removed File! : C:\Windows\System32\vshqy.dat
Removed File! : C:\Windows\System32\wnwjk.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 16:03:14



here is the activescan log

Incident Status Location

Adware:adware/searchaid No disinfected C:\WINDOWS\SYSTEM32\appxd32.exe
Adware:adware/transponder No disinfected C:\WINDOWS\SYSTEM32\ntec32.exe
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\DAVID\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/cws.homesearchasisstant No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA
Adware:adware/cws.aboutblank No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

here is the current hijackthis analyzer log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 17:51:45, on 18/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\ipqo.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E4CBD514-E599-C72F-5DD0-DC9B8741D00A} - C:\WINDOWS\atlrg32.dll
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipqo.exe] C:\WINDOWS\ipqo.exe
O4 - HKLM\..\RunOnce: [netlg.exe] C:\WINDOWS\netlg.exe
O4 - HKLM\..\RunOnce: [d3np.exe] C:\WINDOWS\system32\d3np.exe
O4 - HKLM\..\RunOnce: [javalw.exe] C:\WINDOWS\system32\javalw.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\netfb32.exe
O4 - HKLM\..\RunOnce: [mswf32.exe] C:\WINDOWS\mswf32.exe
O4 - HKLM\..\RunOnce: [sdkcp32.exe] C:\WINDOWS\sdkcp32.exe
O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\addnk32.exe
O4 - HKLM\..\RunOnce: [atlfa32.exe] C:\WINDOWS\atlfa32.exe
O4 - HKLM\..\RunOnce: [ntdv.exe] C:\WINDOWS\ntdv.exe
O4 - HKLM\..\RunOnce: [netrh32.exe] C:\WINDOWS\system32\netrh32.exe
O4 - HKLM\..\RunOnce: [apivw.exe] C:\WINDOWS\system32\apivw.exe
O4 - HKLM\..\RunOnce: [sdkzy.exe] C:\WINDOWS\sdkzy.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iedy32.exe" /s (file missing)
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe


End of KRC HijackThis Analyzer Log.


and finally the HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 17:51:45, on 18/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\ipqo.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E4CBD514-E599-C72F-5DD0-DC9B8741D00A} - C:\WINDOWS\atlrg32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipqo.exe] C:\WINDOWS\ipqo.exe
O4 - HKLM\..\RunOnce: [netlg.exe] C:\WINDOWS\netlg.exe
O4 - HKLM\..\RunOnce: [d3np.exe] C:\WINDOWS\system32\d3np.exe
O4 - HKLM\..\RunOnce: [javalw.exe] C:\WINDOWS\system32\javalw.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\netfb32.exe
O4 - HKLM\..\RunOnce: [mswf32.exe] C:\WINDOWS\mswf32.exe
O4 - HKLM\..\RunOnce: [sdkcp32.exe] C:\WINDOWS\sdkcp32.exe
O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\addnk32.exe
O4 - HKLM\..\RunOnce: [atlfa32.exe] C:\WINDOWS\atlfa32.exe
O4 - HKLM\..\RunOnce: [ntdv.exe] C:\WINDOWS\ntdv.exe
O4 - HKLM\..\RunOnce: [netrh32.exe] C:\WINDOWS\system32\netrh32.exe
O4 - HKLM\..\RunOnce: [apivw.exe] C:\WINDOWS\system32\apivw.exe
O4 - HKLM\..\RunOnce: [sdkzy.exe] C:\WINDOWS\sdkzy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co.../x86/client/wuweb_site.cab?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iedy32.exe" /s (file missing)
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

#5 Omerr


Posted 18 July 2005 - 03:48 PM

Hello again.
You are right, it didn’t make it much better, but it did improve things.

BEFORE YOU DO ANYTHING, please open Notepad by going to Start->All Programs->Accessories->Notepad. On its bar click on Format and then click on Word Wrap to disable this option.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download cwsserviceremove and unzip it to your desktop. It'll create a file called cwsserviceremove.reg. Do NOT run this yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go to Start->Run and type in services.msc and hit OK. Then look for the following service:

Workstation NetLogon Service ( 11F?? #•???`I)
Double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\ipqo.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E4CBD514-E599-C72F-5DD0-DC9B8741D00A} - C:\WINDOWS\atlrg32.dll
O4 - HKLM\..\Run: [ipqo.exe] C:\WINDOWS\ipqo.exe
O4 - HKLM\..\RunOnce: [netlg.exe] C:\WINDOWS\netlg.exe
O4 - HKLM\..\RunOnce: [d3np.exe] C:\WINDOWS\system32\d3np.exe
O4 - HKLM\..\RunOnce: [javalw.exe] C:\WINDOWS\system32\javalw.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\netfb32.exe
O4 - HKLM\..\RunOnce: [mswf32.exe] C:\WINDOWS\mswf32.exe
O4 - HKLM\..\RunOnce: [sdkcp32.exe] C:\WINDOWS\sdkcp32.exe
O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\addnk32.exe
O4 - HKLM\..\RunOnce: [atlfa32.exe] C:\WINDOWS\atlfa32.exe
O4 - HKLM\..\RunOnce: [ntdv.exe] C:\WINDOWS\ntdv.exe
O4 - HKLM\..\RunOnce: [netrh32.exe] C:\WINDOWS\system32\netrh32.exe
O4 - HKLM\..\RunOnce: [apivw.exe] C:\WINDOWS\system32\apivw.exe
O4 - HKLM\..\RunOnce: [sdkzy.exe] C:\WINDOWS\sdkzy.exe
O23 - Service: Workstation NetLogon Service ( 11F?? #•???`I) - Unknown owner - C:\WINDOWS\iedy32.exe" /s (file missing)


Please run About Buster again.

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\system32\qhowz.dll
C:\WINDOWS\atlrg32.dll
C:\WINDOWS\netlg.exe
C:\WINDOWS\system32\d3np.exe
C:\WINDOWS\system32\javalw.exe
C:\WINDOWS\netfb32.exe
C:\WINDOWS\mswf32.exe
C:\WINDOWS\sdkcp32.exe
C:\WINDOWS\addnk32.exe
C:\WINDOWS\atlfa32.exe
C:\WINDOWS\ntdv.exe
C:\WINDOWS\system32\netrh32.exe
C:\WINDOWS\system32\apivw.exe
C:\WINDOWS\sdkzy.exe
C:\WINDOWS\iedy32.exe


Double-click on the cwsserviceremove.reg file you unzipped to your desktop earlier. When it prompts to merge, click Yes. This will clear some registry entries left behind by the malware infections.

Reboot your system in Normal Mode.

Now give us a new HijackThis Analyzer log, along with Panda ActiveScan’s log, so we can make sure your system is clean.
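
The entry selection in the post above can be approximated mechanically. The Python below is an added example, not part of the thread and not HijackThis or KRC Analyzer code: it rejoins log entries that a word-wrapped paste has split across lines, as in the log posted in this thread, and flags a subset of the entry shapes marked above. The heuristics, the `KNOWN_GOOD` allowlist and all function names are assumptions; the sample lines are excerpted from the log posted earlier, with the garbled service display name omitted.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1", "O4", "O23"
    body: str     # text after "<code> - "

# An entry line starts with a section code followed by " - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# An .exe/.dll sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WIN_FILE = r'C:\\WINDOWS\\(?:system32\\)?([^\\/"\s]+\.(?:exe|dll))'
# Assumption: a deliberately tiny allowlist, just enough for this sample.
KNOWN_GOOD = {"ctfmon.exe"}

def parse_hjt(text: str) -> List[Entry]:
    """Split a pasted log into entries, rejoining word-wrapped lines.

    Lines before the first entry (header, process list) are ignored.
    Continuations are joined with one space, so a wrap that fell in the
    middle of a long URL leaves a stray space in that entry.
    """
    entries: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [Entry(code, body) for code, body in entries]

def triage(entry: Entry) -> Optional[str]:
    """Return a reason string if the entry matches one heuristic, else None."""
    code, body = entry
    if code in ("R0", "R1"):
        if re.search(r"= res://" + WIN_FILE, body, re.I):
            return "IE page/search setting points at a resource inside a local DLL"
    elif code == "O2":
        if re.match(r"BHO: Class - \{[0-9A-F-]+\} - " + WIN_FILE + r"$", body, re.I):
            return "unnamed BHO loaded from the Windows directory"
    elif code == "O4":
        m = re.match(r"HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] "
                     + WIN_FILE + r"$", body, re.I)
        if m:
            value_name, file_name = m.group(1).lower(), m.group(2).lower()
            if value_name == file_name and file_name not in KNOWN_GOOD:
                return "autorun value named after its own file in the Windows directory"
    elif code == "O23":
        if re.search(r"- Unknown owner - " + WIN_FILE, body, re.I):
            return "service with unknown owner running from the Windows directory"
    return None

def flag_log(text: str) -> List[Tuple[Entry, str]]:
    """Parse a log and return (entry, reason) for every flagged entry."""
    hits = []
    for entry in parse_hjt(text):
        reason = triage(entry)
        if reason:
            hits.append((entry, reason))
    return hits

# Sample: lines excerpted from the word-wrapped log in this thread
# (service display name shortened to plain ASCII).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\ipqo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDOWS\system32\qhowz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = http://www-cach.freeserve.net/:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E4CBD514-E599-C72F-5DD0-DC9B8741D00A} -

C:\WINDOWS\atlrg32.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ipqo.exe] C:\WINDOWS\ipqo.exe
O4 - HKLM\..\RunOnce: [d3np.exe] C:\WINDOWS\system32\d3np.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service - Unknown owner

- C:\WINDOWS\iedy32.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program

Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
"""

if __name__ == "__main__":
    for entry, reason in flag_log(SAMPLE_LOG):
        print(f"{entry.section:<3} {reason}\n    {entry.body}")
```

A flag from these heuristics is a prompt to look at the file, not a verdict; the `about:blank` and `R3` entries marked in the post are not covered by them.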

#6 davidboundy


Posted 19 July 2005 - 06:53 AM

still seems the same.

here are the logs.


Incident                                Status            Location

Adware:adware/searchaid                 No disinfected    C:\WINDOWS\SYSTEM32\appxd32.exe
Adware:adware/transponder               No disinfected    C:\WINDOWS\SYSTEM32\ntec32.exe
Spyware:spyware/petro-line              No disinfected    C:\DOCUMENTS AND SETTINGS\DAVID\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/cws.homesearchasisstant   No disinfected    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA
Adware:adware/cws.aboutblank            No disinfected    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:28:32, on 19/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
O2 - BHO: Class - {2011992A-AD4D-BFA8-7571-6A97B3F00404} - C:\WINDOWS\system32\winir32.dll
O2 - BHO: Class - {8C69AF50-B4D5-7388-4CA4-3D0EEF96193F} - C:\WINDOWS\netbb.dll
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ntsq.exe] C:\WINDOWS\system32\ntsq.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [winpv32.exe] C:\WINDOWS\winpv32.exe
O4 - HKLM\..\RunOnce: [crux.exe] C:\WINDOWS\system32\crux.exe
O4 - HKLM\..\RunOnce: [javajs32.exe] C:\WINDOWS\javajs32.exe
O4 - HKLM\..\RunOnce: [apiom.exe] C:\WINDOWS\apiom.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iedy32.exe" /s (file missing)
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe


End of KRC HijackThis Analyzer Log.
====================================================================

#7 Omerr


Posted 19 July 2005 - 10:21 AM

I can't understand why you're saying that, your log looks much better now.

I would like to run a few tools.

1)Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner.

Now, we will configure AdAware so it will provide the best results possible:
Click on the Gear icon (second from the left) to access the preferences/settings window.
1. In the General window make sure the following are selected:
  • Automatically save logfile
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan within archives
  • Scan active processes
  • Scan registry
  • Deep-scan registry
  • Scan my IE Favorites for banned URLs
  • Scan my Hosts file
Under Select drives & folders to scan, choose:
  • Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
  • Include additional object information
  • Include negligible objects information
  • Include environment information
Click the Tweak button and select:
· Under the Scanning Engine:
  • Unload recognized processes & modules during scan
· Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose:
  • Use custom scanning options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

2)Download and install Spybot S&D from http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix from http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

3) Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Now please scan again with both KRC HijackThis Analyzer and Panda ActiveScan and give us refresh logs.

#8 davidboundy


Posted 19 July 2005 - 12:39 PM

the speed is a lot better thank you. but i'm still getting the advertising pop ups and spybot keeps telling me that it keeps wanting to do a registry change very frequently with a different file each time.

thanks again for all the help you are giving me. i appreciate it a lot.

here are the logs


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 17:47:37, on 19/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\ntsq.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8C69AF50-B4D5-7388-4CA4-3D0EEF96193F} - C:\WINDOWS\netbb.dll
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ntsq.exe] C:\WINDOWS\system32\ntsq.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [addht.exe] C:\WINDOWS\addht.exe
O4 - HKLM\..\RunOnce: [netah.exe] C:\WINDOWS\netah.exe
O4 - HKLM\..\RunOnce: [atlfp32.exe] C:\WINDOWS\atlfp32.exe
O4 - HKLM\..\RunOnce: [netni.exe] C:\WINDOWS\system32\netni.exe
O4 - HKLM\..\RunOnce: [d3bt.exe] C:\WINDOWS\system32\d3bt.exe
O4 - HKLM\..\RunOnce: [winjp.exe] C:\WINDOWS\winjp.exe
O4 - HKLM\..\RunOnce: [apioq.exe] C:\WINDOWS\apioq.exe
O4 - HKLM\..\RunOnce: [atlxx.exe] C:\WINDOWS\system32\atlxx.exe
O4 - HKLM\..\RunOnce: [sdkch.exe] C:\WINDOWS\system32\sdkch.exe
O4 - HKLM\..\RunOnce: [addsz.exe] C:\WINDOWS\addsz.exe
O4 - HKLM\..\RunOnce: [netbi.exe] C:\WINDOWS\netbi.exe
O4 - HKLM\..\RunOnce: [ipxi.exe] C:\WINDOWS\ipxi.exe
O4 - HKLM\..\RunOnce: [appxw32.exe] C:\WINDOWS\appxw32.exe
O4 - HKLM\..\RunOnce: [apikw.exe] C:\WINDOWS\system32\apikw.exe
O4 - HKLM\..\RunOnce: [winqy.exe] C:\WINDOWS\winqy.exe
O4 - HKLM\..\RunOnce: [ntyc32.exe] C:\WINDOWS\system32\ntyc32.exe
O4 - HKLM\..\RunOnce: [apivo32.exe] C:\WINDOWS\system32\apivo32.exe
O4 - HKLM\..\RunOnce: [netpf32.exe] C:\WINDOWS\system32\netpf32.exe
O4 - HKLM\..\RunOnce: [atlij.exe] C:\WINDOWS\atlij.exe
O4 - HKLM\..\RunOnce: [ipmn.exe] C:\WINDOWS\ipmn.exe
O4 - HKLM\..\RunOnce: [msfs32.exe] C:\WINDOWS\system32\msfs32.exe
O4 - HKLM\..\RunOnce: [winjw.exe] C:\WINDOWS\winjw.exe
O4 - HKLM\..\RunOnce: [javapq32.exe] C:\WINDOWS\system32\javapq32.exe
O4 - HKLM\..\RunOnce: [javael32.exe] C:\WINDOWS\javael32.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Incident                                Status            Location

Adware:adware/searchaid                 No disinfected    C:\WINDOWS\SYSTEM32\appxd32.exe
Adware:adware/transponder               No disinfected    C:\WINDOWS\SYSTEM32\ntec32.exe
Adware:adware/cws.homesearchasisstant   No disinfected    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA
Adware:adware/cws.aboutblank            No disinfected    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

#9 Omerr


Posted 19 July 2005 - 04:28 PM

Hello again.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\system32\ntsq.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oanfd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oanfd.dll/sp.html#37049
O2 - BHO: Class - {8C69AF50-B4D5-7388-4CA4-3D0EEF96193F} - C:\WINDOWS\netbb.dll
O4 - HKLM\..\Run: [ntsq.exe] C:\WINDOWS\system32\ntsq.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [addht.exe] C:\WINDOWS\addht.exe
O4 - HKLM\..\RunOnce: [netah.exe] C:\WINDOWS\netah.exe
O4 - HKLM\..\RunOnce: [atlfp32.exe] C:\WINDOWS\atlfp32.exe
O4 - HKLM\..\RunOnce: [netni.exe] C:\WINDOWS\system32\netni.exe
O4 - HKLM\..\RunOnce: [d3bt.exe] C:\WINDOWS\system32\d3bt.exe
O4 - HKLM\..\RunOnce: [winjp.exe] C:\WINDOWS\winjp.exe
O4 - HKLM\..\RunOnce: [apioq.exe] C:\WINDOWS\apioq.exe
O4 - HKLM\..\RunOnce: [atlxx.exe] C:\WINDOWS\system32\atlxx.exe
O4 - HKLM\..\RunOnce: [sdkch.exe] C:\WINDOWS\system32\sdkch.exe
O4 - HKLM\..\RunOnce: [addsz.exe] C:\WINDOWS\addsz.exe
O4 - HKLM\..\RunOnce: [netbi.exe] C:\WINDOWS\netbi.exe
O4 - HKLM\..\RunOnce: [ipxi.exe] C:\WINDOWS\ipxi.exe
O4 - HKLM\..\RunOnce: [appxw32.exe] C:\WINDOWS\appxw32.exe
O4 - HKLM\..\RunOnce: [apikw.exe] C:\WINDOWS\system32\apikw.exe
O4 - HKLM\..\RunOnce: [winqy.exe] C:\WINDOWS\winqy.exe
O4 - HKLM\..\RunOnce: [ntyc32.exe] C:\WINDOWS\system32\ntyc32.exe
O4 - HKLM\..\RunOnce: [apivo32.exe] C:\WINDOWS\system32\apivo32.exe
O4 - HKLM\..\RunOnce: [netpf32.exe] C:\WINDOWS\system32\netpf32.exe
O4 - HKLM\..\RunOnce: [atlij.exe] C:\WINDOWS\atlij.exe
O4 - HKLM\..\RunOnce: [ipmn.exe] C:\WINDOWS\ipmn.exe
O4 - HKLM\..\RunOnce: [msfs32.exe] C:\WINDOWS\system32\msfs32.exe
O4 - HKLM\..\RunOnce: [winjw.exe] C:\WINDOWS\winjw.exe
O4 - HKLM\..\RunOnce: [javapq32.exe] C:\WINDOWS\system32\javapq32.exe
O4 - HKLM\..\RunOnce: [javael32.exe] C:\WINDOWS\javael32.exe


Please remember to close all other windows, including browsers then click Fix checked.

Please run AboutBuster again.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\system32\ntsq.exe
C:\WINDOWS\oanfd.dll
C:\WINDOWS\netbb.dll
C:\WINDOWS\system32\netrk32.exe
C:\WINDOWS\addht.exe
C:\WINDOWS\netah.exe
C:\WINDOWS\atlfp32.exe
C:\WINDOWS\system32\netni.exe
C:\WINDOWS\system32\d3bt.exe
C:\WINDOWS\winjp.exe
C:\WINDOWS\apioq.exe
C:\WINDOWS\system32\atlxx.exe
C:\WINDOWS\system32\sdkch.exe
C:\WINDOWS\addsz.exe
C:\WINDOWS\netbi.exe
C:\WINDOWS\ipxi.exe
C:\WINDOWS\appxw32.exe
C:\WINDOWS\system32\apikw.exe
C:\WINDOWS\winqy.exe
C:\WINDOWS\system32\ntyc32.exe
C:\WINDOWS\system32\apivo32.exe
C:\WINDOWS\system32\netpf32.exe
C:\WINDOWS\atlij.exe
C:\WINDOWS\ipmn.exe
C:\WINDOWS\system32\msfs32.exe
C:\WINDOWS\winjw.exe
C:\WINDOWS\system32\javapq32.exe
C:\WINDOWS\javael32.exe
C:\WINDOWS\SYSTEM32\appxd32.exe
C:\WINDOWS\SYSTEM32\ntec32.exe


Reboot your system in Normal Mode.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode (yes, again).
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here, with the other logs.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Now give us a new HijackThis Analyzer log, along with Panda ActiveScan’s log and Mwav’s log, so we can make sure your system is clean.
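The re-check requested above (does a fresh HijackThis log still reference the files that were removed, or new look-alikes?) can be scripted. The following is an added example, not part of the original post and not HijackThis's own code; the function names and the two heuristics are assumptions drawn from the entries fixed in this thread, and the sample lines are copied from the logs posted here.

```python
import re
import ntpath  # applies Windows path rules on any host OS

# Lines copied from the follow-up HijackThis log posted in this thread.
FOLLOWUP_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [sdkjl32.exe] C:\WINDOWS\sdkjl32.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
"""

# A few paths copied from the helper's removal list in this thread.
REMOVAL_LIST = r"""
C:\WINDOWS\system32\netrk32.exe
C:\WINDOWS\winjw.exe
C:\WINDOWS\system32\javapq32.exe
C:\WINDOWS\javael32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
AUTORUN_RE = re.compile(
    r"^HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RES_RE = re.compile(r"= res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def norm(path):
    """Lower-case, normalised Windows path for comparisons."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def exe_from_command(cmd):
    """Return the program path from an autorun command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def in_windows_dir(path):
    """True when the file sits directly in C:\\WINDOWS or its system32."""
    return ntpath.dirname(norm(path)) in WINDOWS_DIRS


def suspicious_entries(log_text):
    """Return (code, path, reason) for entries matching either heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            # Heuristic 1: IE search/start page loaded from a DLL resource
            # that lives directly in the Windows directory.
            res = RES_RE.search(body)
            if res and in_windows_dir(res.group("dll")):
                findings.append((code, norm(res.group("dll")),
                                 "IE page points at res:// DLL in Windows dir"))
        elif code == "O4":
            # Heuristic 2: autorun value named after its own executable,
            # which sits directly in the Windows directory.
            auto = AUTORUN_RE.match(body)
            if not auto:
                continue
            exe = exe_from_command(auto.group("cmd"))
            same_name = auto.group("name").lower() == ntpath.basename(norm(exe))
            if same_name and in_windows_dir(exe):
                findings.append((code, norm(exe),
                                 "%s value named after its executable"
                                 % auto.group("key")))
    return findings


def recheck(log_text, removal_list):
    """Split flagged paths into ones already on the removal list and new ones."""
    listed = {norm(p) for p in removal_list.splitlines() if p.strip()}
    flagged = {path for _, path, _ in suspicious_entries(log_text)}
    return {"reappeared": sorted(flagged & listed),
            "new": sorted(flagged - listed)}


if __name__ == "__main__":
    for code, path, reason in suspicious_entries(FOLLOWUP_LOG):
        print(code, path, "-", reason)
    print(recheck(FOLLOWUP_LOG, REMOVAL_LIST))
```

Both heuristics only rank entries for a human to review; a match is not proof of infection, and entries under Program Files are not examined at all.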

#10 davidboundy


Posted 20 July 2005 - 10:19 AM

hi,

here are the logs

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 16:12:23, on 20/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\sdkjl32.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E7C0C490-197B-0CFC-C47F-A5FF86D1B072} - C:\WINDOWS\system32\mstt.dll
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkjl32.exe] C:\WINDOWS\sdkjl32.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netrk32.exe" /s (file missing)
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe


End of KRC HijackThis Analyzer Log.



Incident Status Location

Adware:adware/searchaid No disinfected C:\WINDOWS\SYSTEM32\appxd32.exe
Adware:adware/transponder No disinfected C:\WINDOWS\SYSTEM32\ntec32.exe
Adware:adware/cws.homesearchasisstant No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA
Adware:adware/cws.aboutblank No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


Object "sw Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CoolWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Word\wO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Word\wO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Access\aO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Access\aO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Excel\eO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Excel\eO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Outlook\oO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Outlook\oO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\PowerPoint\ppO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\PowerPoint\ppO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Publisher\pO10P.aw". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MSPress\Training\O10P\AnswerWizard\Publisher\pO10P.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\eBayFile.Fil". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01A808AD-1441-43AA-BEE0-E26688213452}" refers to invalid object "c:\program files\bt together internet\dialbttogether4.0.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02768AAF-7B48-48AB-B5EB-4A60EFF00587}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02989195-B026-4182-9119-EC2BEC388237}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{05F6F6EC-DA71-D6F9-3745-C8D289B4EDEF}" refers to invalid object "C:\WINDOWS\appel32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BB07B14-0CC8-11D3-B00E-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0D64F7E4-BFB9-448C-903F-C4622D7592A7}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1447E2CC-7C0C-4194-99F3-BB409DF1E8E0}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1798921C-C200-4ED6-9AEA-5C53EED3DF4F}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1E106BCE-DB1F-45DD-B449-0ACA539A215C}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASSoapLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "C:\WINDOWS\system32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1FF537E2-5407-6C66-D90C-07B8486033A1}" refers to invalid object "C:\WINDOWS\system32\appai32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{22389272-F834-4FE1-9019-954A332CD789}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{235F44A7-3618-4044-AE48-C08471C7E887}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30}" refers to invalid object "C:\WINDOWS\system32\msflxgrd.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2F68F796-69A1-4B88-97A9-19E477974204}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{305F718E-620B-11D3-B484-008029659E91}" refers to invalid object "C:\MAGIX\MEDIA_~1\AudioVis.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{35465706-E211-11d3-8B87-C295F909460A}" refers to invalid object "C:\MAGIX\Media_Manager\WMServerReader.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{35CBB1E8-F8E4-4149-A533-576B54D2C5BF}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcSoftwareUpdateLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{35F7528D-D4EB-40D1-AC99-93E4421B02D6}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "C:\WINDOWS\system32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3789E9E8-BE1A-4CD8-9DCF-AEDA87AC2E4B}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{37AB4877-60C3-48EC-B119-A96783066031}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3836A5BF-51B3-4B37-8E96-9D429C22183C}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3BE260D0-9FCB-4C1B-B514-708BBB385389}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{40AF8200-4E6E-11D4-878D-00C0F6B0D1A7}" refers to invalid object "C:\Program Files\ArcSoft\Camera Suite\photoimpression\ezrgb24.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{40AF8201-4E6E-11D4-878D-00C0F6B0D1A7}" refers to invalid object "C:\Program Files\ArcSoft\Camera Suite\photoimpression\ezrgb24.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4163E2C5-690A-4FE4-974D-A4FA0C067F6D}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{417EA290-71D0-43FB-87A0-8F107C549B2A}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45C4810A-EE8A-4FB6-AB59-629D900CF83F}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASPrivacyLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45FA9444-4734-4CDA-A5B5-B90BAC76C12D}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C171D40-8277-11D5-AD55-00010333D0AD}" refers to invalid object "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C76CAD6-DF47-440F-94D4-F85365945177}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4F0BA33E-29D0-43C8-A4F6-1FE136FA5D5B}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcTCPObjLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4FE65F23-F99C-48D1-B4B6-5F859C71DA2A}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5D09EF28-9230-48F7-B9C5-1F60F02A8E1A}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASSoapLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}" refers to invalid object "C:\WINDOWS\system32\msflxgrd.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6300A6F7-ACC4-4A18-BC75-3F6BDD68EF10}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30}" refers to invalid object "C:\WINDOWS\system32\msflxgrd.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{66B70351-AC63-4FE2-852D-5FBF600107BB}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASSoapLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6BC60883-CD50-4887-98C4-523D2F0DA9B1}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6EFB4CCE-DAC0-4F74-BFEC-4AA3E9C4D892}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\EpsStServ.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{713BC7D8-E0AA-4A20-A3E1-A9A4470BF669}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\attrHost.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{72EC0B1D-8962-4B4E-9D68-E49D08CD94AC}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\Designer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{795698C9-E328-4AB3-ACC6-F685635FBF9F}" refers to invalid object "C:\MAGIX\Media_Manager\Hhprend.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A0DCFDD-8599-4B89-B1EC-4A1708C19C81}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASSoapLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7BF4F354-8968-48E3-B748-177A13269116}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{86E68AEF-98D4-49CC-BA33-1A47585D3F44}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcTCPObjLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8722111A-DE20-48ac-832D-0CEDA23212AB}" refers to invalid object "C:\MAGIX\Media_Manager\CDDBUI.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8931F4C2-B0AC-11D4-B9D4-0050DAD9E185}" refers to invalid object "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8DA66067-A7B1-4FC8-898F-075655C87AC3}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8DA82F93-055E-4D30-9522-5C0E250FD9C7}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E094F33-F79D-11D3-8150-0000B49DBD2E}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\AttrGrd.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8F8A59E4-1388-11D3-8F9D-00C04F4C3B9F}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{93162670-FF1B-4844-8FBC-041F1ABB6F7A}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{97E14B03-0E0C-11D3-8F9D-00C04F4C3B9F}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98af6e01-6804-11d6-a433-00104b95cd66}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\Designer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98af6e02-6804-11d6-a433-00104b95cd66}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\Designer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98af6e03-6804-11d6-a433-00104b95cd66}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\Designer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4178E50-A793-4B93-8616-1AAC87DF373B}" refers to invalid object "C:\MAGIX\Media_Manager\JWVidRend.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4510D9C-1226-4A02-A0FE-42BEF285A856}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\EpsStServ.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A57028CC-39DE-42B5-A9E9-A5F16304CD40}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcTCPObjLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A8A43B2F-72BD-4AB9-8CB6-CE626EE6CF96}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AA9B2BD7-B7AA-4d4a-AF5C-D7B2C8FB6582}" refers to invalid object "C:\MAGIX\Media_Manager\CDDBUI.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AB7AB3FF-EB55-4B40-AE1D-80ECEFA32E17}" refers to invalid object "C:\MAGIX\Media_Manager\CDDBUI.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AF1A9404-6CA9-11D3-B053-00C04F4C0826}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0528CE2-F67E-11D2-8F8E-00C04F4C3B9F}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0528CE4-F67E-11D2-8F8E-00C04F4C3B9F}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0F96BB5-29DF-46F3-9876-D9C15B78BF0B}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B269122C-3340-436D-ADD1-24E899E862FD}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B2C058B8-CD91-4FC3-BF0A-CA628E41F3D3}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B548EE9A-EA5C-49A3-AFD0-0C5BA7D93918}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B793220B-C186-40E3-8C62-8F84398B4CC2}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37B96-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37B98-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37B9A-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37B9C-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37B9E-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37BA0-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37BA2-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BBF37BA4-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE265956-6F5F-4790-9CAB-EDFAC64362EF}" refers to invalid object "C:\Program Files\AIM\rtvideo.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BF2873A9-2034-4931-9267-EACF3A22FB69}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C073A662-A344-4611-8632-06452280EBB0}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}" refers to invalid object "C:\WINDOWS\system32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C3FD60BC-932F-42C7-B4B6-EB872C77045F}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C460D840-0E3E-4CAB-B419-0029F0F5EDE4}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CCDAD954-C1EF-41BA-A940-D66A8C1F7F34}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcTCPObjLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CE89C752-1A18-4712-8AA2-1D0A4C068EC9}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CE918301-704F-46A0-96AF-2E8F76DE728D}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcSoftwareUpdateLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D734EAE8-0810-4513-99B6-DDAC4BC30E29}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DB474993-39C2-4669-89A2-906C32AB0A0D}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASPrivacyLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DDD3E8A3-338F-4962-B565-922864AB6A74}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DEE706A6-91EC-491B-8CD8-C670926178F0}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DFC93F40-C82C-414A-BC08-0073EB0FBACB}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DFEF3E96-F1D4-47CE-A429-2CC8C10DFDB6}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E0E03096-8351-4726-B697-FF6961E3E179}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E1F6C504-A8CE-11D3-A324-0080AD303A9A}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\AttrGrd.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E223C523-DCA4-4A8E-95A9-8A3304494919}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASPrivacyLib.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E3D8D3FF-EDDE-41DE-BD6B-021A3D980460}" refers to invalid object "C:\Program Files\eBay\Turbo Lister\Designer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E5D17BB2-F52F-4C6A-B318-C0D16121014B}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E6D61E7A-6AE3-4CEE-9FF0-D57C99D2A809}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B0FFDF-4439-447A-89E1-534ECDAE5291}" refers to invalid object "c:\program files\btopenworld\dialbtipayg4.0.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F}" refers to invalid object "C:\MAGIX\Media_Manager\CddbControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F4BF3FEE-8773-4402-A2E2-D380AC66B562}" refers to invalid object "C:\Program Files\Microsoft AntiSpyware\gcASThreatAudit.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A234-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A236-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A238-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A23A-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A23C-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A23E-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A240-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A242-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5F6A244-301B-11D3-B030-00C04F4C0826}" refers to invalid object "C:\WINDOWS\system32\CDDBControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
File C:\WINDOWS\zglmq.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINDOWS\system32\uennx.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\adaware.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\david\My Documents\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File C:\MAGIX\mp3_maker_titanium_2004\uninstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Plugins\vx2cleaner\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\plvx2cleaner.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\plvx2cleaner.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP247\A0038279.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP247\A0038313.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP274\A0040235.dll tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP274\A0040250.dll tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042091.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042092.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042093.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042094.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042095.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042144.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042145.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042146.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll tagged as "not-a-virus:Dialer.Win32.BT.b". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\uennx.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINDOWS\zglmq.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.

#11 Omerr


Posted 20 July 2005 - 03:15 PM

First of all - last time I asked you to give me the log from AboutBuster and you didn't. Please give me all logs this time.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Please run CWShredder again.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\sdkjl32.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E7C0C490-197B-0CFC-C47F-A5FF86D1B072} - C:\WINDOWS\system32\mstt.dll
O4 - HKLM\..\Run: [sdkjl32.exe] C:\WINDOWS\sdkjl32.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netrk32.exe" /s (file missing)


Please remember to close all other windows, including browsers then click Fix checked.
Please run AboutBuster again and give us the logs.

Delete the following Folders indicated in BLUE if they still exist:




Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\sdkjl32.exe
C:\WINDOWS\zglmq.dll
C:\WINDOWS\sdkjl32.exe
C:\WINDOWS\system32\netrk32.exe
C:\WINDOWS\mfcao.exe
C:\WINDOWS\system32\netrk32.exe
C:\WINDOWS\SYSTEM32\appxd32.exe
C:\WINDOWS\SYSTEM32\ntec32.exe
C:\WINDOWS\system32\uennx.dll
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll


Please run cwsserviceremove.reg again.

Reboot your system in Normal Mode.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar]


Save the file as "delete.reg". Double click on it and choose Yes to merge it. You may delete the file afterwards.

Please turn off system restore.

Now give us a new HijackThis Analyzer log, along with Panda ActiveScan’s log and AboutBuster's log, so we can make sure your system is clean.
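An added example, not part of the original thread: a small Python cross-check of the two kinds of log posted above. It takes a few lines excerpted from the thread's scanner report and HijackThis entries and reports which HijackThis entries reference a file the scanner tagged, and which detections are only System Restore copies. The function names are illustrative, and an entry that comes back "unconfirmed" is simply one the scanner did not tag; a helper still has to review it by hand.

```python
import re

# Excerpts copied from the logs posted in this thread.
SCAN_LOG = r'''
File C:\WINDOWS\zglmq.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINDOWS\system32\uennx.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\adaware.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP279\A0042091.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll tagged as "not-a-virus:Dialer.Win32.BT.b". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\uennx.dll tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
'''
HJT_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zglmq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {E7C0C490-197B-0CFC-C47F-A5FF86D1B072} - C:\WINDOWS\system32\mstt.dll
O4 - HKLM\..\Run: [sdkjl32.exe] C:\WINDOWS\sdkjl32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
'''

# The scanner writes the tag both quoted and unquoted; it ends at ". ".
FILE_RE = re.compile(r'^File (.+?) tagged as "?(.+?)"?\. ', re.M)
# HijackThis entries start with a section code such as R1, O4 or O23.
HJT_RE = re.compile(r'^(R\d|O\d+) - (.+)$', re.M)


def parse_detections(scan_log):
    """Map lower-cased file path -> scanner tag (Windows paths ignore case)."""
    return {m.group(1).lower(): m.group(2) for m in FILE_RE.finditer(scan_log)}


def parse_hjt(hjt_log):
    """Return (section code, entry text) for every HijackThis entry line."""
    return [(m.group(1), m.group(2).strip()) for m in HJT_RE.finditer(hjt_log)]


def correlate(scan_log, hjt_log):
    """Split HijackThis entries by whether they reference a tagged file."""
    detections = parse_detections(scan_log)
    confirmed, unconfirmed = [], []
    for code, text in parse_hjt(hjt_log):
        tags = [tag for path, tag in detections.items() if path in text.lower()]
        if tags:
            confirmed.append((code, text, tags[0]))
        else:
            unconfirmed.append((code, text))
    return confirmed, unconfirmed


def restore_point_detections(scan_log):
    """Tagged files that are copies held inside System Restore points."""
    marker = "\\system volume information\\_restore"
    return sorted(p for p in parse_detections(scan_log) if marker in p)


if __name__ == "__main__":
    confirmed, unconfirmed = correlate(SCAN_LOG, HJT_LOG)
    for code, text, tag in confirmed:
        print("scanner-confirmed:", code, text, "->", tag)
    for code, text in unconfirmed:
        print("manual review:    ", code, text)
    print("restore-point copies:", restore_point_detections(SCAN_LOG))
```

On these excerpts only the `res://...zglmq.dll` search hijack is backed by a scanner detection; the `about:blank` page, the BHO and the `sdkjl32.exe` Run entry are not in the scanner's list at all, and the restore-point hit is the kind of leftover copy that turning System Restore off clears.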

#12 davidboundy


Posted 21 July 2005 - 08:17 AM

sorry about that, here are the logs


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 13:48:27, on 21/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cach.freeserve.net/:8080
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093963762678
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/Lig...loadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netrk32.exe" /s (file missing)
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe


End of KRC HijackThis Analyzer Log.
====================================================================

AboutBuster 5.0 reference file 30
Scan started on [18/07/2005] at [16:00:05]
------------------------------------------------
Removed File! : C:\Windows\ijuls.dll
Removed File! : C:\Windows\jqkgp.dat
Removed File! : C:\Windows\kzras.dat
Removed File! : C:\Windows\sdicp.dat
Removed File! : C:\Windows\twpxw.dat
Removed File! : C:\Windows\wmtdr.dll
Removed File! : C:\Windows\xxtfn.dat
Removed File! : C:\Windows\System32\bggkx.dat
Removed File! : C:\Windows\System32\gpfef.dat
Removed File! : C:\Windows\System32\sarmr.dat
Removed File! : C:\Windows\System32\vshqy.dat
Removed File! : C:\Windows\System32\wnwjk.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 16:03:14


AboutBuster 5.0 reference file 30
Scan started on [19/07/2005] at [09:43:46]
------------------------------------------------
Removed Stream! C:\WINDOWS\fnvqz.log:fqrum
Removed Stream! C:\WINDOWS\KB885836.log:slwtn
Removed Stream! C:\WINDOWS\KB888113.log:zuymn
Removed Stream! C:\WINDOWS\KB893086.log:ymuem
Removed Stream! C:\WINDOWS\Rhododendron.bmp:jmhoi
Removed Stream! C:\WINDOWS\updspapi.log:yqenan
Removed Stream! C:\WINDOWS\uzxjp.txt:rrpsuq
Removed Stream! C:\WINDOWS\WIADEBUG.LOG:cspetg
Removed Stream! C:\WINDOWS\Windows Update.log:vthknj
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bbqiy
------------------------------------------------
Removed File! : C:\Windows\hhvhu.dll
Removed File! : C:\Windows\System32\lgoin.dat
Removed File! : C:\Windows\System32\qhowz.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 09:46:38


AboutBuster 5.0 reference file 30
Scan started on [19/07/2005] at [09:49:21]
------------------------------------------------
Removed Stream! C:\WINDOWS\KB893086.log:znfic
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bcnsq
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 09:49:57


AboutBuster 5.0 reference file 30
Scan started on [20/07/2005] at [11:21:17]
------------------------------------------------
Removed Stream! C:\WINDOWS\svcpack.log:ryfgt
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:abzodu
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:apouz
------------------------------------------------
Removed File! : C:\Windows\System32\moeib.dll
Removed File! : C:\Windows\System32\tetqv.dll
Removed File! : C:\Windows\System32\wopdk.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:25:00


AboutBuster 5.0 reference file 30
Scan started on [21/07/2005] at [13:09:51]
------------------------------------------------
Removed Stream! C:\WINDOWS\0-wlancfg.log:fcrnpr
Removed Stream! C:\WINDOWS\3-wlancfg.log:qcctjb
Removed Stream! C:\WINDOWS\thysr.log:zyzin
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bfgwb
------------------------------------------------
Removed File! : C:\Windows\zglmq.dll
Removed File! : C:\Windows\System32\uennx.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 13:13:52



Incident                     Status           Location

Adware:adware/searchaid      No disinfected   C:\DOCUMENTS AND SETTINGS\DAVID\FAVORITES\Only sex website.url
Spyware:spyware/petro-line   No disinfected   C:\DOCUMENTS AND SETTINGS\DAVID\FAVORITES\SITES ABOUT\Ab scissor.url

#13 Omerr


Posted 22 July 2005 - 10:11 AM

Please delete the following folder:
C:\DOCUMENTS AND SETTINGS\DAVID\FAVORITES

Apart from that, everything seems clean. Are you having any more issues?

#14 davidboundy


Posted 22 July 2005 - 11:42 AM

my computer is running great now. thanks. all your help is very much appreciated.

how do you stop explorer starting up when i switch my computer on?

i would like to make a donation to the site. how much do you think for your time and effort?

regards

david boundy

#15 Omerr


Posted 22 July 2005 - 03:44 PM

Hello again David. You are very welcome, I am very glad I could help you.

"how do you stop explorer starting up when i switch my computer on?"


Please go to Start->Run, then insert msconfig and click on OK. Go to the Startup tab and UNCHECK the one related to Internet Explorer.

"i would like to make a donation to the site. how much do you think for your time and effort?"


Thank you very very much! I wouldn't like, though, to give you any kind of "price" since I am doing everything here for free and as a volunteer. Give as much as you'd like to, every donation is appreciated and helpful!

Anyway, we aren't (yet) done with your PC:
Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Please read THIS THREAD in order to prevent any problems in the future.



