HJT Log


5 replies to this topic

#1 gmr

gmr

  • Members
  • 3 posts

Posted 09 August 2005 - 05:14 AM

Hi, for a couple of weeks I've had consistent pop ups from revenue.net and rn11.net. I run ad-aware se a lot and keep deleting ebates money maker but it keeps coming back, and back, and back. There is also a registry key (eliterbg32) that keeps coming back when I delete ebates. Can somebody please help me?

----------------
HijackThis Log
-----------------

Logfile of HijackThis v1.99.1
Scan saved at 8:10:47 PM, on 9/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\TEMP\JW237F.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitergb32.exe
O4 - HKCU\..\Run: [Steam] "d:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Thanks

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 11 August 2005 - 04:35 PM

Hi GMR and Welcome to the Bleeping Computer!

Download LQfix.zip:
http://users.pandora.be/bluepatchy/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the LQFix folder-> Double-click LQfix.bat that you saved on your desktop before.

A DOS window will open and close again, this is normal.

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates and post it along with a Fresh HijackThis log!

#3 gmr

gmr
  • Topic Starter

  • Members
  • 3 posts

Posted 13 August 2005 - 12:42 AM

Thanks for replying Cretemonster. I've followed your instructions and everything appears to be clean, but Panda disagrees. Here are the logs:

---------------------
ActiveScan Logfile
8 Viruses
7 Spyware
----------------------

Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-7ca0a081.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-7ca0a081.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-7ca0a081.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-7ca0a081.zip[Beyond.class]
Virus:Trj/ClassLoader.J Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-4b36aef0.zip[Beyond.class]
Virus:Trj/ClassLoader.J Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-4b36aef0.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-4b36aef0.zip[Dummy.class]
Virus:Trj/ClassLoader.J Disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-4b36aef0.zip[VerifierBug.class]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-426058a6.zip[InstallerApplet.class]
Spyware:Spyware/ClearSearch No disinfected C:\Documents and Settings\User\Desktop\Clear Up\backups\backup-20040803-181219-660.dll
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\User\Desktop\Clear Up\backups\backup-20040803-184047-667.dll
Adware:Adware/WUpd No disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\0BPJYQ75\toolbar1[1].htm
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TFBZH5GE\toolbar2[1].htm
Adware:adware/gator No disinfected C:\GatorPatch.log
Adware:adware/delfinmedia No disinfected C:\keys.ini

-----------------
HijackThis Log
-----------------

Logfile of HijackThis v1.99.1
Scan saved at 3:38:59 PM, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\TEMP\DJ5E39.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LoadSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\BrvxMFLv.exe
C:\WINDOWS\System32\FgoeGdW1.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\User\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [3B5AFCC3355K5L] C:\WINDOWS\System32\YemE.exe
O4 - HKLM\..\Run: [LoadUserSettings] C:\WINDOWS\system32\LoadSettings.exe
O4 - HKCU\..\Run: [Steam] "d:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 13 August 2005 - 09:36 AM

I need to know if you have any idea where this entry came from?

O4 - HKLM\..\Run: [LoadUserSettings] C:\WINDOWS\system32\LoadSettings.exe

If not, include it in the set of files below that I need you to upload

C:\WINDOWS\TEMP\DJ5E39.EXE

C:\WINDOWS\System32\BrvxMFLv.exe

C:\WINDOWS\System32\FgoeGdW1.exe

C:\WINDOWS\System32\YemE.exe

C:\WINDOWS\system32\LoadSettings.exe

Upload those files here
http://www.bleepingcomputer.com/submit-malware.php

Leave a link to this Post and Put Attn: Crete in the message box!

Go to Add/Remove Programs and Remove this

WinTools

You have the Peper trojan.
Download the Peperfix Tool and save it to your Desktop.
http://www.bleepingcomputer.com/files/peperremover.php

Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp

Locate and Delete

C:\GatorPatch.log<- File!

C:\keys.ini<- File!

C:\WINDOWS\TEMP\DJ5E39.EXE<- File!

C:\WINDOWS\System32\BrvxMFLv.exe<- File!

C:\WINDOWS\System32\FgoeGdW1.exe<- File!

C:\WINDOWS\System32\YemE.exe<- File!

C:\WINDOWS\system32\LoadSettings.exe<- Unless you know where it came from!

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-426058a6.zip<- File!

C:\Documents and Settings\User\Local Settings\Temp\tb_setup.exe<- File!

C:\Documents and Settings\User\Desktop\Clear Up<- Folder!

C:\Program Files\Common Files\WinTools<- Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\User\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [3B5AFCC3355K5L] C:\WINDOWS\System32\YemE.exe

O4 - HKLM\..\Run: [LoadUserSettings] C:\WINDOWS\system32\LoadSettings.exe

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Now, open up Ewido and Scan the Entire System-> Clean everything it finds and be sure to Click the tab to Save a Report!

Scan the System With Ad-Aware-> Delete all it finds and Remove all Quarantine Files!

Restart Normal and have the PC scanned here
http://support.f-secure.com/enu/home/ols.shtml

Save that Report!

Post back with a fresh HijackThis log and the reports from Ewido and F-Secure!

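Added example (not code from this thread, from HijackThis or from BleepingComputer): a Python script that diffs the two logs posted above and flags autorun entries the way the helper did by hand. The heuristics are assumptions (paths under a temp directory, random-looking Run value names, Windows-directory executables absent from the earlier log), and the embedded logs are trimmed excerpts of posts #1 and #3.

```python
import re

# Constructed inputs: trimmed excerpts of the two HijackThis logs posted in
# this thread (post #1 = baseline, post #3 = after running LQfix). Raw
# strings keep the Windows backslashes intact.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\JW237F.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitergb32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\DJ5E39.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LoadSettings.exe
C:\WINDOWS\System32\BrvxMFLv.exe
C:\WINDOWS\System32\FgoeGdW1.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\User\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [3B5AFCC3355K5L] C:\WINDOWS\System32\YemE.exe
O4 - HKLM\..\Run: [LoadUserSettings] C:\WINDOWS\system32\LoadSettings.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# A lettered HijackThis entry: "O4 - ...", "R0 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^[RFNO]\d+ - .+$")
# Heuristics (assumptions that mirror what the helper flagged by hand).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)            # runs from a temp dir
RANDOM_KEY_RE = re.compile(                                  # e.g. [3B5AFCC3355K5L]
    r"\[(?=[A-Z0-9]*\d)(?=[A-Z0-9]*[A-Z])[A-Z0-9]{8,}\]")
SYSDIR_RE = re.compile(r"^C:\\WINDOWS\\(System32\\)?[^\\]+\.exe$", re.IGNORECASE)

def parse_hjt(text):
    """Return (processes, entries) as sets of whole lines."""
    processes, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.add(line)
        elif in_procs:
            in_procs = False          # a blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries

def diff_hjt(before, after):
    """What appeared or disappeared between two logs of the same machine."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {"new_processes": sorted(p1 - p0), "gone_processes": sorted(p0 - p1),
            "new_entries": sorted(e1 - e0), "gone_entries": sorted(e0 - e1)}

def triage(line, is_new):
    """Reasons a process or entry line deserves a look (empty list = none)."""
    reasons = []
    if TEMP_RE.search(line):
        reasons.append("executes from a temp directory")
    if line.startswith("O4") and RANDOM_KEY_RE.search(line):
        reasons.append("random-looking Run value name")
    if is_new and SYSDIR_RE.match(line):
        # Catches BrvxMFLv.exe / FgoeGdW1.exe but also benign newcomers such
        # as hkcmd.exe: the diff narrows the list, a human still decides.
        reasons.append("Windows-directory executable absent from the baseline")
    return reasons

def review(before, after):
    """Map each suspicious line of the newer log to its reasons."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    findings = {}
    for line in sorted(p1) + sorted(e1):
        reasons = triage(line, is_new=line not in (p0 | e0))
        if reasons:
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in review(LOG_BEFORE, LOG_AFTER).items():
        print(f"{line}\n    -> {', '.join(reasons)}")
```

The script does not catch the WinTools entry, which the helper recognised from its name alone; heuristics only narrow the list for a reviewer.
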
#5 gmr

gmr
  • Topic Starter

  • Members
  • 3 posts

Posted 17 August 2005 - 05:58 AM

Hi Cretemonster,

Sorry it took so long to reply. Some of these scans took a long time to complete.

Here are the results:

-------------
Ewido Scan
-------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:21:08 PM, 15/08/2005
+ Report-Checksum: E599F476

+ Scan result:

C:\!PeperFix\Eah1q5.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\!PeperFix\GnsDk.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\!PeperFix\Whn5y.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\!PeperFix\YemE.exe -> TrojanDownloader.VB.em : Cleaned without backup
:mozilla.19:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.20:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.21:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.22:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.23:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.24:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.25:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.27:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.28:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.29:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.30:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.31:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.39:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.55:C:\Documents and Settings\Patricia Cocker.INTELP4\Application Data\Mozilla\Profiles\default\2j7bvslb.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned without backup
C:\Documents and Settings\Patricia Cocker.INTELP4\Cookies\patricia cocker@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Patricia Cocker.INTELP4\Cookies\patricia cocker@e-2dj6wfk4cgdzibo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
:mozilla.14:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.16:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.17:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.18:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.19:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.20:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.21:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.22:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.25:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.26:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.29:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.49:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.50:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.52:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.53:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.54:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.55:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.56:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.57:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.58:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.59:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.60:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.61:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.63:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.64:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.65:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.69:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Revenue : Cleaned without backup
:mozilla.78:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.83:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned without backup
:mozilla.90:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.91:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.92:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.93:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.98:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.99:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.100:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.101:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.103:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned without backup
:mozilla.104:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned without backup
:mozilla.105:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned without backup
:mozilla.119:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.120:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.124:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned without backup
:mozilla.125:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned without backup
:mozilla.126:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned without backup
:mozilla.143:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.144:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.145:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.146:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.147:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.156:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.157:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.158:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.159:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.160:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.161:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.162:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.163:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.170:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned without backup
:mozilla.175:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.201:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Trafic : Cleaned without backup
:mozilla.202:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.203:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.219:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned without backup
:mozilla.221:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned without backup
:mozilla.251:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.252:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.253:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\19t4xhep.slt\Mail\mail.bigpond.com\Junk -> TrojanDropper.Zerolin : Cleaned without backup
C:\Documents and Settings\User\Cookies\user@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
C:\protas.exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\protector.exe -> Spyware.Hijacker.Generic : Cleaned without backup
C:\WINDOWS\system32\Agent.dll -> Adware.SAHA : Cleaned without backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49GLAL69\Australia[1].exe -> Dialer.Generic : Cleaned without backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49GLAL69\Australia[2].exe -> Dialer.Generic : Cleaned without backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49GLAL69\silent_install[1].exe -> TrojanDropper.Agent.hh : Cleaned without backup
C:\WINDOWS\system32\ctbv2.dll -> Adware.SAHA : Cleaned without backup
C:\WINDOWS\system32\ezStubx.exe -> Adware.EZula : Cleaned without backup
C:\WINDOWS\system32\gpeblr.exe -> Backdoor.Agent.Ag : Cleaned without backup
C:\WINDOWS\system32\NLNP13.dll -> Spyware.IGetNet : Cleaned without backup
C:\WINDOWS\system32\NLNP131.dll -> Spyware.IGetNet : Cleaned without backup
C:\WINDOWS\system32\SearchBar.htm -> Spyware.TwainTech : Cleaned without backup
C:\WINDOWS\system32\SHAgent.dll -> Adware.SAHA : Cleaned without backup
C:\WINDOWS\system32\shell32.exe -> Spyware.WinAD : Cleaned without backup
C:\WINDOWS\system32\temp532.exe -> Dialer.Generic : Cleaned without backup


::Report End

-----------------
F-Secure Scan
-----------------

Scanned Files: 126828 2 File(s) still infected!

C:\WINDOWS\nem217.dll Trojan-Downloader.Win32.Dyfuca.gen

C:\WINDOWS\system32\nostalgia.dll Trojan-Dropper.Win32.Agent.og

-----------------
HijackThis Log
-----------------

Logfile of HijackThis v1.99.1
Scan saved at 7:55:11 PM, on 15/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Steam] "d:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

#6 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 17 August 2005 - 06:20 AM

Looking better!

Go to Safe Mode and be sure Windows is showing hidden files
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Locate and Delete

C:\WINDOWS\nem217.dll

C:\WINDOWS\system32\nostalgia.dll

Restart in Normal mode and post back letting me know how the PC is running.



