
Hjt Log For Feargal


  • This topic is locked
14 replies to this topic

#1 Feargal

  • Members
  • 8 posts

Posted 08 November 2005 - 09:54 AM

//Mod edit: Log split away from this post http://www.bleepingcomputer.com/forums/ind...topic=22667&hl=


All

This is my first post!

I have the same problem. CWS.Homepage keeps taking my browser. I remove it with Xoftspy, but it always comes back.

HJT log posted below.

Feargal

Logfile of HijackThis v1.99.1
Scan saved at 14:26:59, on 08/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ythgdfe.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ONSPEED\onspeed.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [oodgbft] c:\windows\ythgdfe.exe
O4 - HKCU\..\Run: [birvvnu] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [yeougsu] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [xyjbhtc] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [ldhbvaj] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [scblups] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [vltosux] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [hcuawib] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [pymsose] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [xfypqdo] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [fyopavt] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [mkoelvq] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [yeagapk] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [ogmqadm] c:\windows\gfgymdl.exe
O4 - HKCU\..\Run: [otvwyvf] c:\windows\gpwvchm.exe
O4 - HKCU\..\Run: [bgrkmjv] c:\windows\gpwvchm.exe
O4 - HKCU\..\Run: [ctwnotq] c:\windows\gpwvchm.exe
O4 - HKCU\..\Run: [fikgoba] c:\windows\evsvrpp.exe
O4 - HKCU\..\Run: [bbtkukt] c:\windows\eqrtqia.exe
O4 - HKCU\..\Run: [gfinwbo] c:\windows\eqrtqia.exe
O4 - HKCU\..\Run: [jjylbdr] c:\windows\eqrtqia.exe
O4 - HKCU\..\Run: [ttbushs] c:\windows\eqrtqia.exe
O4 - HKCU\..\Run: [vlonnxd] c:\windows\eqrtqia.exe
O4 - HKCU\..\Run: [bpstfuu] c:\windows\cyluxkc.exe
O4 - HKCU\..\Run: [gyxfaxh] c:\windows\brwtysa.exe
O4 - HKCU\..\Run: [txnihpb] c:\windows\brwtysa.exe
O4 - HKCU\..\Run: [odvxbjx] c:\windows\brwtysa.exe
O4 - HKCU\..\Run: [avpuamt] c:\windows\brwtysa.exe
O4 - HKCU\..\Run: [fatyssj] c:\windows\cggoecf.exe
O4 - HKCU\..\Run: [wldstue] c:\windows\cggoecf.exe
O4 - HKCU\..\Run: [bhuqxtr] c:\windows\cggoecf.exe
O4 - HKCU\..\Run: [bcjvnag] c:\windows\qblosiv.exe
O4 - HKCU\..\Run: [ewkjpkp] c:\windows\qblosiv.exe
O4 - HKCU\..\Run: [fnxodpg] c:\windows\gsasjqv.exe
O4 - HKCU\..\Run: [uifnlun] c:\windows\gsasjqv.exe
O4 - HKCU\..\Run: [vqemxbd] c:\windows\gsasjqv.exe
O4 - HKCU\..\Run: [kxaqeeq] c:\windows\oisfcpu.exe
O4 - HKCU\..\Run: [kgkwbln] c:\windows\oisfcpu.exe
O4 - HKCU\..\Run: [arwvsdx] c:\windows\oisfcpu.exe
O4 - HKCU\..\Run: [ujoawin] c:\windows\oisfcpu.exe
O4 - HKCU\..\Run: [uhilwly] c:\windows\sbsamsm.exe
O4 - HKCU\..\Run: [isudpnb] c:\windows\sbsamsm.exe
O4 - HKCU\..\Run: [vdvrjqu] c:\windows\sbsamsm.exe
O4 - HKCU\..\Run: [gdgneag] c:\windows\sbsamsm.exe
O4 - HKCU\..\Run: [vdrwokd] c:\windows\wuqdavh.exe
O4 - HKCU\..\Run: [gituikp] c:\windows\wuqdavh.exe
O4 - HKCU\..\Run: [hdnvjew] c:\windows\wuqdavh.exe
O4 - HKCU\..\Run: [heedrgb] c:\windows\tavxkcb.exe
O4 - HKCU\..\Run: [bimrtwr] c:\windows\tavxkcb.exe
O4 - HKCU\..\Run: [lsqpjym] c:\windows\aujwebq.exe
O4 - HKCU\..\Run: [tfwkiop] c:\windows\aujwebq.exe
O4 - HKCU\..\Run: [omiqurf] c:\windows\aujwebq.exe
O4 - HKCU\..\Run: [udtxawg] c:\windows\aujwebq.exe
O4 - HKCU\..\Run: [bbxbxae] c:\windows\aujwebq.exe
O4 - HKCU\..\Run: [wlqdqoh] c:\windows\edkmxjc.exe
O4 - HKCU\..\Run: [dbuowra] c:\windows\edkmxjc.exe
O4 - HKCU\..\Run: [ncsktde] c:\windows\hqabbon.exe
O4 - HKCU\..\Run: [enqmckd] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [nogeroe] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [hflbbir] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [obprssi] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [vwqnddg] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [xubdcto] c:\windows\vankddd.exe
O4 - HKCU\..\Run: [bijusvf] c:\windows\quoagjm.exe
O4 - HKCU\..\Run: [pojguqs] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [qwfvxxr] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [jflxehp] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [rtracht] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [redqquf] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [xndfnug] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [fwweulm] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [ubouthc] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [dhrired] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [ftwfrod] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [ybnkuay] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [spxxxcc] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [ldhyybr] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [vstwujt] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [osjpmed] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [ddggbcv] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [poutyug] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [oabjphm] c:\windows\omibsww.exe
O4 - HKCU\..\Run: [flojbsu] c:\windows\uqgjqta.exe
O4 - HKCU\..\Run: [vxxlhsb] c:\windows\uqgjqta.exe
O4 - HKCU\..\Run: [lpitdsf] c:\windows\aqsvmtd.exe
O4 - HKCU\..\Run: [mbcuegd] c:\windows\qygjroy.exe
O4 - HKCU\..\Run: [dufidoi] c:\windows\ycvhuay.exe
O4 - HKCU\..\Run: [wrjojyb] c:\windows\rnmpqsr.exe
O4 - HKCU\..\Run: [mukqyeu] c:\windows\pklwkos.exe
O4 - HKCU\..\Run: [anjvryr] c:\windows\fbvncpf.exe
O4 - HKCU\..\Run: [swkovdo] c:\windows\fbvncpf.exe
O4 - HKCU\..\Run: [eskysuu] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [ovbuodx] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [bauorej] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [cmylipm] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [gvxjkmm] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [rtfmddy] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [abjgaxf] c:\windows\hjummtq.exe
O4 - HKCU\..\Run: [elokvim] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [eiubceb] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [etgebkj] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [vqlpbbq] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [adnkdmw] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [peeoung] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [eeydaxp] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [kjjxflx] c:\windows\njkxbqn.exe
O4 - HKCU\..\Run: [acofian] c:\windows\qkqktgw.exe
O4 - HKCU\..\Run: [xmdltmh] c:\windows\qkqktgw.exe
O4 - HKCU\..\Run: [vgmscwu] c:\windows\qkqktgw.exe
O4 - HKCU\..\Run: [whvtvip] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [bttqjat] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [yfcfniq] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [ojhdjta] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [avurftu] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [lavyvhq] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [vnrkvry] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [jlufsse] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [vyarhit] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [wceknph] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [einjanl] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [svraone] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [inpigrn] c:\windows\chqipwr.exe
O4 - HKCU\..\Run: [khaclkw] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [wuxcmbt] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [tgtxalu] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [yvbbiqb] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [sblcjdd] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [jnosrwn] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [bcohtxx] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [ufmypqu] c:\windows\wndvgmt.exe
O4 - HKCU\..\Run: [fgvrpqo] c:\windows\mwfgriy.exe
O4 - HKCU\..\Run: [sknepbr] c:\windows\jkcqxiq.exe
O4 - HKCU\..\Run: [typdyia] c:\windows\adfudar.exe
O4 - HKCU\..\Run: [ksvjpnv] c:\windows\adfudar.exe
O4 - HKCU\..\Run: [jjwakdi] c:\windows\adfudar.exe
O4 - HKCU\..\Run: [blewcsr] c:\windows\adfudar.exe
O4 - HKCU\..\Run: [pgqbtfw] c:\windows\adfudar.exe
O4 - HKCU\..\Run: [pncqtna] c:\windows\klllput.exe
O4 - HKCU\..\Run: [hiamjrp] c:\windows\itrtpdk.exe
O4 - HKCU\..\Run: [odfgwyc] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [okwjsyw] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [hqwtdeb] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [nhvtnfr] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [iqqumnq] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [haudjqy] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [fxkqbcr] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [sehjxob] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [yrhcifx] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [oxupfqm] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [uafacpo] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [dmhdunu] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [srronro] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [crtcejf] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [yavtucj] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [bphqhmv] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [xtbpavd] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [tdpsrej] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [kyodabb] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [lwkktgr] c:\windows\frvovjl.exe
O4 - HKCU\..\Run: [juvwpbu] c:\windows\tnrpqvm.exe
O4 - HKCU\..\Run: [eqjaeui] c:\windows\tnrpqvm.exe
O4 - HKCU\..\Run: [iwkphim] c:\windows\tnrpqvm.exe
O4 - HKCU\..\Run: [wknbvkb] c:\windows\tnrpqvm.exe
O4 - HKCU\..\Run: [kjbfmke] c:\windows\bmujxir.exe
O4 - HKCU\..\Run: [lcjfuvj] c:\windows\bmujxir.exe
O4 - HKCU\..\Run: [xecmlxf] c:\windows\ejvumqe.exe
O4 - HKCU\..\Run: [qufpplt] c:\windows\ejvumqe.exe
O4 - HKCU\..\Run: [cudmbbi] c:\windows\ejvumqe.exe
O4 - HKCU\..\Run: [megybjc] c:\windows\ejvumqe.exe
O4 - HKCU\..\Run: [dqrxknp] c:\windows\ejvumqe.exe
O4 - HKCU\..\Run: [iwirflp] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [kjovcch] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [nfbeems] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [aydpnfa] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [pkqopcd] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [lduaceh] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [eaidkjv] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [orevrxf] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [aobnhse] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [ttamvbg] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [cupujxo] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [amjwyia] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [uardges] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [ayxoolo] c:\windows\jujkdoa.exe
O4 - HKCU\..\Run: [hwowrhi] c:\windows\qublyoa.exe
O4 - HKCU\..\Run: [ewuwnrg] c:\windows\xgqqqib.exe
O4 - HKCU\..\Run: [fpiaxve] c:\windows\oopnujq.exe
O4 - HKCU\..\Run: [vmnktiv] c:\windows\oirfqaj.exe
O4 - HKCU\..\Run: [udwfgnb] c:\windows\oirfqaj.exe
O4 - HKCU\..\Run: [velojuv] c:\windows\pvajayr.exe
O4 - HKCU\..\Run: [poujecd] c:\windows\pvajayr.exe
O4 - HKCU\..\Run: [syxrmct] c:\windows\prdcrki.exe
O4 - HKCU\..\Run: [hgsurjc] c:\windows\prdcrki.exe
O4 - HKCU\..\Run: [grerxua] c:\windows\prdcrki.exe
O4 - HKCU\..\Run: [mwflblu] c:\windows\prdcrki.exe
O4 - HKCU\..\Run: [ddoqrtq] c:\windows\esusybl.exe
O4 - HKCU\..\Run: [rdwmmqi] c:\windows\esusybl.exe
O4 - HKCU\..\Run: [abxvtyy] c:\windows\esusybl.exe
O4 - HKCU\..\Run: [hnrdshl] c:\windows\esusybl.exe
O4 - HKCU\..\Run: [avmitjx] c:\windows\esusybl.exe
O4 - HKCU\..\Run: [njvomvs] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [omsfpfm] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [hqogsdp] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [keragje] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [rkhoykt] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [srcitue] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [gbdqgmr] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [segvctm] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [xdijyoa] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [nkukdck] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [rhormwj] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [tsljbtm] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [geekafq] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [cwawhwy] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [afxssws] c:\windows\rxadgbi.exe
O4 - HKCU\..\Run: [vldorhe] c:\windows\ikywryk.exe
O4 - HKCU\..\Run: [dfysijl] c:\windows\ikywryk.exe
O4 - HKCU\..\Run: [bjedwmp] c:\windows\ikywryk.exe
O4 - HKCU\..\Run: [khdbdqx] c:\windows\ikywryk.exe
O4 - HKCU\..\Run: [cgkrdqb] c:\windows\ikywryk.exe
O4 - HKCU\..\Run: [wofpqfw] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [mwyeuxd] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [dhyehek] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [jnlkaog] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [lfkeluy] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [vebshdr] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [yflemrk] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [vekqlnq] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [fawbtqe] c:\windows\equhdlb.exe
O4 - HKCU\..\Run: [kyaepak] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [clhpuyl] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [tltcvgf] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [kfdnucq] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [okcrntp] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [udwuyan] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [sdhjcls] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [wnhthfk] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [tacpclo] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [kkopvbn] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [eswyxbh] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [rljalpn] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [jmutdhm] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [ubbdjyk] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [nkqdyah] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [rkcnsgm] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [jwmrcrc] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [xtcdrrh] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [qdhywhh] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [hprfndy] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [hjdesnt] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [jvkuqfu] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [rxipywf] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [sicnatf] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [ojopusa] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [cgebtjc] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [rmicvqm] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [cmbipre] c:\windows\tjanmgk.exe
O4 - HKCU\..\Run: [juttwik] c:\windows\amevuei.exe
O4 - HKCU\..\Run: [ipofuyk] c:\windows\amevuei.exe
O4 - HKCU\..\Run: [kboeajj] c:\windows\amevuei.exe
O4 - HKCU\..\Run: [fcovseo] c:\windows\amevuei.exe
O4 - HKCU\..\Run: [djcfbng] c:\windows\amevuei.exe
O4 - HKCU\..\Run: [nlbeori] c:\windows\gdwruvd.exe
O4 - HKCU\..\Run: [uylrwdw] c:\windows\gdwruvd.exe
O4 - HKCU\..\Run: [cxmwkpv] c:\windows\gdwruvd.exe
O4 - HKCU\..\Run: [dlmyoff] c:\windows\gdwruvd.exe
O4 - HKCU\..\Run: [ytgtlgs] c:\windows\dubwfhe.exe
O4 - HKCU\..\Run: [wjxugpo] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [wgahoeg] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [cxsnjwq] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [aewgkrv] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [idesoyb] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [drminbf] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [idvlnay] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [ilwdcha] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [axevxxv] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [limfdnt] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [aukalac] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [gfvooba] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [wjfcflh] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [dtgbuqo] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [wkepwqu] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [jyjasmu] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [lqhjhgj] c:\windows\yreysso.exe
O4 - HKCU\..\Run: [xwoboyf] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [mdbfjby] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [mddombu] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [vcgpgab] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [hbcqylf] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [oqyreti] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [fchutsg] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [ysybdgs] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [gjjpcbi] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [kxwctci] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [tvoyise] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [olihovk] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [aiqspef] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [drsfqta] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [dnlphyj] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [yqimflm] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [ijngydb] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [omclqqd] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [aithxvh] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [mrnmsmy] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [trocoqb] c:\windows\cckownx.exe
O4 - HKCU\..\Run: [fdycshp] c:\windows\oonpvgp.exe
O4 - HKCU\..\Run: [wwjxmmg] c:\windows\sjjwucx.exe
O4 - HKCU\..\Run: [sjmgpbj] c:\windows\hudybkv.exe
O4 - HKCU\..\Run: [owifmqs] c:\windows\hudybkv.exe
O4 - HKCU\..\Run: [wpqxkip] c:\windows\hudybkv.exe
O4 - HKCU\..\Run: [tyvmspt] c:\windows\qnfrtvq.exe
O4 - HKCU\..\Run: [dfpslgr] c:\windows\qnfrtvq.exe
O4 - HKCU\..\Run: [yynmraq] c:\windows\rkbsunn.exe
O4 - HKCU\..\Run: [lsvffcj] c:\windows\rkbsunn.exe
O4 - HKCU\..\Run: [qmisnwk] c:\windows\rkbsunn.exe
O4 - HKCU\..\Run: [xkbtfsj] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [eysxqhs] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [iyykdfl] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [eugojnx] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [ofgjlsv] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [wpsquqe] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [harehln] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [tmmsxif] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [uljvdyq] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [mflaudv] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [geppdpg] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [jknkieo] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [xeukrcs] c:\windows\nlxdsvl.exe
O4 - HKCU\..\Run: [pwcosed] c:\windows\heuvsux.exe
O4 - HKCU\..\Run: [dmrdvny] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [jhsxsty] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [ntmcvpo] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [cvasuim] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [wnnnjtu] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [kvatevy] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [jlmcted] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [oeaqqeu] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [ducafhe] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [xemujhj] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [stevmoi] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [wsdmbpr] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [ferdscx] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [xyukpvi] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [njvngtp] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [qyvixyo] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [tnkhgvt] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [bdgghmx] c:\windows\hyuthys.exe
O4 - HKCU\..\Run: [xepmguo] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [wqwpkyy] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [ghsndwg] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [nptuydb] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [hwkuafg] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [edmulec] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [vxejuxb] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [llxxpun] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [cbmyhrh] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [qwlhofa] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [gssqynf] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [uddkgvs] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [phttxlh] c:\windows\rsterey.exe
O4 - HKCU\..\Run: [slalsxi] c:\windows\hehakmn.exe
O4 - HKCU\..\Run: [srjfxoy] c:\windows\hehakmn.exe
O4 - HKCU\..\Run: [nvmcnrb] c:\windows\hehakmn.exe
O4 - HKCU\..\Run: [wthgjcj] c:\windows\cqsbvlr.exe
O4 - HKCU\..\Run: [cvrwlvc] c:\windows\cqsbvlr.exe
O4 - HKCU\..\Run: [ihilfeo] c:\windows\cqsbvlr.exe
O4 - HKCU\..\Run: [hjvekva] c:\windows\cqsbvlr.exe
O4 - HKCU\..\Run: [sslarel] c:\windows\cqsbvlr.exe
O4 - HKCU\..\Run: [jnmqcnc] c:\windows\twfqaha.exe
O4 - HKCU\..\Run: [rrrfdms] c:\windows\twfqaha.exe
O4 - HKCU\..\Run: [vvvvgkc] c:\windows\twfqaha.exe
O4 - HKCU\..\Run: [vrxbsmm] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [walpxyy] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [joewxuv] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [okxwrvi] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [wtxiaeb] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [actjrkt] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [mpvenvi] c:\windows\yotiwou.exe
O4 - HKCU\..\Run: [jpyprbq] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [evcfrua] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [cspexhf] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [ipqpnme] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [lcrdbyr] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [ffbcxta] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [gcxnxct] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [puraryu] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [jotuejt] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [wwhdypc] c:\windows\wgeugfq.exe
O4 - HKCU\..\Run: [fxgsfsi] c:\windows\vbsdsvt.exe
O4 - HKCU\..\Run: [kxerpyi] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [spefxdn] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [toewlse] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [qfyiitr] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [kpmucwj] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [omjbhha] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [rukxwbi] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [cnlsfnt] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [lejubxl] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [uvmjpld] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [fjmifud] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [ynhiypn] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [ondpoaa] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [ahghjrr] c:\windows\gwrwmpj.exe
O4 - HKCU\..\Run: [phlfeui] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [tyrgbux] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [sjwwkvd] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [xxtlukq] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [srtvolh] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [ygrygit] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [ffbjfex] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [wryyare] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [vjfvixs] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [smicmui] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [tadxinv] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [gyxgsuu] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [ocddntf] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [iwtnurd] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [druphxp] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [gtkksqo] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [qffltbc] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [bqnopqw] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [hjgxcpn] c:\windows\ihfgpsc.exe
O4 - HKCU\..\Run: [xphrwuk] c:\windows\uorjybo.exe
O4 - HKCU\..\Run: [avvcfoy] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [ruxkjcl] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [vhpfdhu] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [wxbjhic] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [fpoiirb] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [ytwabph] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [uosnmfd] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [mqhlifx] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [gjuxyga] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [kqgsqud] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [bdlarqo] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [pqvhhdf] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [ywwwptn] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [mljgisj] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [aolhrug] c:\windows\oinetax.exe
O4 - HKCU\..\Run: [xjejmsh] c:\windows\imkoivn.exe
O4 - HKCU\..\Run: [wekynpy] c:\windows\imkoivn.exe
O4 - HKCU\..\Run: [ntkilal] c:\windows\otrqiyj.exe
O4 - HKCU\..\Run: [dylwiff] c:\windows\otrqiyj.exe
O4 - HKCU\..\Run: [omxghoe] c:\windows\qnpbyna.exe
O4 - HKCU\..\Run: [colanej] c:\windows\qnpbyna.exe
O4 - HKCU\..\Run: [leqdage] c:\windows\qnpbyna.exe
O4 - HKCU\..\Run: [xrgduot] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [jtxlnbl] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [lcggigt] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [ruavubn] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [sgmnhka] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [dfueepy] c:\windows\nudahpv.exe
O4 - HKCU\..\Run: [ebalcft] c:\windows\ndbeqsw.exe
O4 - HKCU\..\Run: [ffsrojn] c:\windows\kibnpah.exe
O4 - HKCU\..\Run: [arwgpbo] c:\windows\kibnpah.exe
O4 - HKCU\..\Run: [wvwocuf] c:\windows\kxumcxv.exe
O4 - HKCU\..\Run: [uqrelnd] c:\windows\kxumcxv.exe
O4 - HKCU\..\Run: [wpvoaho] c:\windows\jbfllsg.exe
O4 - HKCU\..\Run: [juhgupx] c:\windows\jbfllsg.exe
O4 - HKCU\..\Run: [seqgsue] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [qtchywk] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [ithrbba] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [rycqhwd] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [ifcsbmp] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [onefihh] c:\windows\vusciko.exe
O4 - HKCU\..\Run: [ctclypr] c:\windows\dndsadt.exe
O4 - HKCU\..\Run: [cefackh] c:\windows\dndsadt.exe
O4 - HKCU\..\Run: [lpcdnqc] c:\windows\dndsadt.exe
O4 - HKCU\..\Run: [mdqtljj] c:\windows\dndsadt.exe
O4 - HKCU\..\Run: [wvlfirm] c:\windows\mrnmhgm.exe
O4 - HKCU\..\Run: [xancquw] c:\windows\mrnmhgm.exe
O4 - HKCU\..\Run: [yskqhhs] c:\windows\mrnmhgm.exe
O4 - HKCU\..\Run: [uvkyamr] c:\windows\mrnmhgm.exe
O4 - HKCU\..\Run: [dyhwhme] c:\windows\lbcivpe.exe
O4 - HKCU\..\Run: [afxcgbi] c:\windows\llapwse.exe
O4 - HKCU\..\Run: [yrpifur] c:\windows\btirkts.exe
O4 - HKCU\..\Run: [xohairn] c:\windows\nwvcswn.exe
O4 - HKCU\..\Run: [kgjkmtk] c:\windows\nwvcswn.exe
O4 - HKCU\..\Run: [ppmdriy] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [ydiumek] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [aecvybk] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [jghawwd] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [xcwowia] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [vlktgyf] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [yppsaue] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [lbphlux] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [tvlgdxe] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [qvlelgh] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [yhwfjlg] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [nahgoeb] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [rllbbcl] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [cxsuspo] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [cvwywws] c:\windows\uprgpre.exe
O4 - HKCU\..\Run: [ovtmekq] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [ysnypkx] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [mluminl] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [wljoiwx] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [abdwkqg] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [ravagvx] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [oipbpma] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [yfkfqnv] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [rursgek] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [rkhhjvy] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [mkbbcvf] c:\windows\kvkstov.exe
O4 - HKCU\..\Run: [lihhdvt] c:\windows\kbhvabi.exe
O4 - HKCU\..\Run: [dauvafx] c:\windows\kbhvabi.exe
O4 - HKCU\..\Run: [ggtuapa] c:\windows\kbhvabi.exe
O4 - HKCU\..\Run: [jvnyrry] c:\windows\kbhvabi.exe
O4 - HKCU\..\Run: [mrbfhdn] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [vkyjivy] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [xvyppjl] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [uuwoyhd] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [laiqcam] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [xpjcdjk] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [ptilokw] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [drogpyo] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [ksjlnxr] c:\windows\pmtkeri.exe
O4 - HKCU\..\Run: [uoqrgvv] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [dfcrxvl] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [yrjbgoi] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [vwoonov] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [vlnawxl] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [ksshgka] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [nudleew] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [mbtvbtk] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [jtodivx] c:\windows\eethooe.exe
O4 - HKCU\..\Run: [opiqshv] c:\windows\dxmegqf.exe
O4 - HKCU\..\Run: [ulweill] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [eajiqbi] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [ipcclsu] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [xmcgdtt] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [ayhtmnn] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [ajljmwr] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [ahpcghd] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [gbvhvws] c:\windows\bkdvjpg.exe
O4 - HKCU\..\Run: [trrfnpk] c:\windows\ovbunhe.exe
O4 - HKCU\..\Run: [puqspyo] c:\windows\ovbunhe.exe
O4 - HKCU\..\Run: [fexvkqc] c:\windows\rcmmatq.exe
O4 - HKCU\..\Run: [uaghckk] c:\windows\rcmmatq.exe
O4 - HKCU\..\Run: [jagjobb] c:\windows\pcrmrvy.exe
O4 - HKCU\..\Run: [efhgbwl] c:\windows\pcrmrvy.exe
O4 - HKCU\..\Run: [wyqphga] c:\windows\pcrmrvy.exe
O4 - HKCU\..\Run: [eudlwyg] c:\windows\pcrmrvy.exe
O4 - HKCU\..\Run: [egxebbc] c:\windows\mhmukdv.exe
O4 - HKCU\..\Run: [mimfpoc] c:\windows\ouralrq.exe
O4 - HKCU\..\Run: [ksbkmwi] c:\windows\ouralrq.exe
O4 - HKCU\..\Run: [gkunnxv] c:\windows\ouralrq.exe
O4 - HKCU\..\Run: [owdvvrw] c:\windows\ouralrq.exe
O4 - HKCU\..\Run: [uuvlvko] c:\windows\xsgouyl.exe
O4 - HKCU\..\Run: [nvdrxen] c:\windows\xsgouyl.exe
O4 - HKCU\..\Run: [hcicbcr] c:\windows\xsgouyl.exe
O4 - HKCU\..\Run: [opuktto] c:\windows\xsgouyl.exe
O4 - HKCU\..\Run: [ljoxfks] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [itdneir] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [toqhimq] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [yvtahwu] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [kjvbouo] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [jktcoui] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [tbfqmlw] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [psthqht] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [sfkdwvf] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [gyuwnah] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [emqkcqp] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [oaavtyl] c:\windows\vjbgtck.exe
O4 - HKCU\..\Run: [otxiure] c:\windows\gmyvveg.exe
O4 - HKCU\..\Run: [rbuehoc] c:\windows\gmyvveg.exe
O4 - HKCU\..\Run: [afhhfko] c:\windows\gmyvveg.exe
O4 - HKCU\..\Run: [hwvcopo] c:\windows\gmyvveg.exe
O4 - HKCU\..\Run: [ihdoxls] c:\windows\gmyvveg.exe
O4 - HKCU\..\Run: [mvtvjak] c:\windows\pdcfqwh.exe
O4 - HKCU\..\Run: [kpopypk] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [rffkjhl] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [pevwhqu] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [gxlvgau] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [yjgjugt] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [ugfjnfv] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [ialrghb] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [jgjsjth] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [rhvuduh] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [vrjloxw] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [avtfgru] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [cxfvmqt] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [oosptql] c:\windows\tntynaq.exe
O4 - HKCU\..\Run: [tlfaflt] c:\windows\iorfibn.exe
O4 - HKCU\..\Run: [qxtfwcu] c:\windows\ptnidgy.exe
O4 - HKCU\..\Run: [daflqdb] c:\windows\kfxxqlp.exe
O4 - HKCU\..\Run: [vsnqkej] c:\windows\nqekheg.exe
O4 - HKCU\..\Run: [orsxqdd] c:\windows\vodfnjf.exe
O4 - HKCU\..\Run: [udohrni] c:\windows\paxmquf.exe
O4 - HKCU\..\Run: [qtvryru] c:\windows\paxmquf.exe
O4 - HKCU\..\Run: [vxgpfbi] c:\windows\paxmquf.exe
O4 - HKCU\..\Run: [khtpohc] c:\windows\paxmquf.exe
O4 - HKCU\..\Run: [vgrseil] c:\windows\paxmquf.exe
O4 - HKCU\..\Run: [fvoorkr] c:\windows\sqbqnyk.exe
O4 - HKCU\..\Run: [cfcdjqy] c:\windows\sqbqnyk.exe
O4 - HKCU\..\Run: [xahmqgy] c:\windows\sqbqnyk.exe
O4 - HKCU\..\Run: [epoatui] c:\windows\paytrcp.exe
O4 - HKCU\..\Run: [lmhoqxg] c:\windows\paytrcp.exe
O4 - HKCU\..\Run: [svpccgp] c:\windows\paytrcp.exe
O4 - HKCU\..\Run: [hovioox] c:\windows\paytrcp.exe
O4 - HKCU\..\Run: [uiyebhg] c:\windows\paytrcp.exe
O4 - HKCU\..\Run: [jxukuuu] c:\windows\nyskpsn.exe
O4 - HKCU\..\Run: [mgkyuci] c:\windows\nyskpsn.exe
O4 - HKCU\..\Run: [hiplyvy] c:\windows\llsheta.exe
O4 - HKCU\..\Run: [yoxejcs] c:\windows\llsheta.exe
O4 - HKCU\..\Run: [vrunluy] c:\windows\llsheta.exe
O4 - HKCU\..\Run: [uejacxs] c:\windows\llsheta.exe
O4 - HKCU\..\Run: [tbttfks] c:\windows\llsheta.exe
O4 - HKCU\..\Run: [nlpinbt] c:\windows\deldlrf.exe
O4 - HKCU\..\Run: [jjmacid] c:\windows\ycymlar.exe
O4 - HKCU\..\Run: [hetmyfd] c:\windows\ycymlar.exe
O4 - HKCU\..\Run: [uwchdaq] c:\windows\qedlksm.exe
O4 - HKCU\..\Run: [vxwqiqc] c:\windows\ljgshot.exe
O4 - HKCU\..\Run: [mefduee] c:\windows\aphbcej.exe
O4 - HKCU\..\Run: [krpqqoq] c:\windows\aphbcej.exe
O4 - HKCU\..\Run: [vvxfnfx] c:\windows\aphbcej.exe
O4 - HKCU\..\Run: [snwaxjx] c:\windows\aphbcej.exe
O4 - HKCU\..\Run: [rnyrrak] c:\windows\ocogwon.exe
O4 - HKCU\..\Run: [gthphij] c:\windows\qwvffnb.exe
O4 - HKCU\..\Run: [lnrjlpg] c:\windows\dhrpbjk.exe
O4 - HKCU\..\Run: [mcpgtea] c:\windows\hhfmweq.exe
O4 - HKCU\..\Run: [mpfpgjw] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [icrlsgb] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [ejonsvo] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [nxojqyc] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [qduhfww] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [akouqfl] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [loaciji] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [sjcwqwh] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [dsrnwhd] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [wrenrfw] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [ihjdbmx] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [ehgaqbr] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [bpxnooq] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [kjinlwu] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [tskqyfe] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [yyahvhh] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [vahiyyn] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [hsunudn] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [vtnisym] c:\windows\eglmjbb.exe
O4 - HKCU\..\Run: [sfkksgb] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [fdlemln] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [nupqein] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [ommtypo] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [ngdwnoy] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [uxufpww] c:\windows\vochrxk.exe
O4 - HKCU\..\Run: [ooaiopy] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [dmjsskf] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [agsmkiw] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [fkmvwvl] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [imhbqrp] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [xsnhxlx] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [xcbpgpf] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [stbhqdo] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [dsquikg] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [nheyxrl] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [hyjupcm] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [myltgqf] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [rmxrnkx] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [mvbtbee] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [cgtclic] c:\windows\wvmatxb.exe
O4 - HKCU\..\Run: [ogqlibm] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [gnsbigu] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [fswmfqe] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [xjcqloq] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [bbcbpat] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [vevpjqo] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [lnwqeak] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [bxhqkxq] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [mykqqdm] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [oxhpuhr] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [iwsdgdi] c:\windows\duydokd.exe
O4 - HKCU\..\Run: [hifuger] c:\windows\dieqgwg.exe
O4 - HKCU\..\Run: [jrivlcn] c:\windows\dieqgwg.exe
O4 - HKCU\..\Run: [ofuhitt] c:\windows\dieqgwg.exe
O4 - HKCU\..\Run: [wolxgps] c:\windows\dieqgwg.exe
O4 - HKCU\..\Run: [unrfjty] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [rsglsov] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [tyetkty] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [feqxnbw] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [dtbuxqt] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [vuavpoe] c:\windows\niwostu.exe
O4 - HKCU\..\Run: [wxkbmfi] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [ljfosas] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [xapcirr] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [uojmoqv] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [kgmvmty] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [dtbowxa] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [tugutjg] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [pklrnvx] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [wrfmher] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [cuaafve] c:\windows\byjxvgj.exe
O4 - HKCU\..\Run: [dcelknd] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [pjfxnyq] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [ehndqhl] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [wjakivl] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [tqjaejb] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [xoelhys] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [udltfyy] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [ypccyov] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [nadabpx] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [tjxhsov] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [vmcdska] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [mthpfvk] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [fciwqtb] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [jhdadhw] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [vbslrph] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [ntitsjv] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [dusyjfa] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [ciaichx] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [iuhxany] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [iethdjt] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [vcipbhu] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [xnqintn] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [jwkqyju] c:\windows\jdjbkkp.exe
O4 - HKCU\..\Run: [rmwtbdx] c:\windows\lglmcnw.exe
O4 - HKCU\..\Run: [qvpjwyg] c:\windows\lglmcnw.exe
O4 - HKCU\..\Run: [ueqxpqc] c:\windows\lglmcnw.exe
O4 - HKCU\..\Run: [lgpdsnm] c:\windows\lglmcnw.exe
O4 - HKCU\..\Run: [sxenvux] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [ctmusoj] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [qewcbnp] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [wfbfgpf] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [aqasato] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [kkrdaap] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [radjeec] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [svtcmfr] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [rgyuxst] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [elgxgvl] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [jypgoec] c:\windows\yprdvyr.exe
O4 - HKCU\..\Run: [pyjiskt] c:\windows\jdmwliw.exe
O4 - HKCU\..\Run: [inegfej] c:\windows\jdmwliw.exe
O4 - HKCU\..\Run: [bssrdxi] c:\windows\jdmwliw.exe
O4 - HKCU\..\Run: [ftfpvtk] c:\windows\jdmwliw.exe
O4 - HKCU\..\Run: [inbwkdh] c:\windows\bfrqkeq.exe
O4 - HKCU\..\Run: [ocdvqdp] c:\windows\tvndyxu.exe
O4 - HKCU\..\Run: [brqpuog] c:\windows\ckjlybt.exe
O4 - HKCU\..\Run: [jhcvfot] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [xbxjctn] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [vwoqypt] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [dhedtuu] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [ufkiofj] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [bmlecks] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [ogqowbl] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [wcgyptk] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [bvpwnot] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [siasoyi] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [phojwnc] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [xrseeot] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [vtlkjtm] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [ympibdq] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [qnypawk] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [xjewerj] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [rklumyu] c:\windows\whenwgn.exe
O4 - HKCU\..\Run: [rhyhqev] c:\windows\ihilcmk.exe
O4 - HKCU\..\Run: [rpqwaet] c:\windows\fhxmeun.exe
O4 - HKCU\..\Run: [epexvbq] c:\windows\fhxmeun.exe
O4 - HKCU\..\Run: [xouwljb] c:\windows\fhxmeun.exe
O4 - HKCU\..\Run: [yhwkdhu] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [kaihcoo] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [xabdrse] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [pwglwsj] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [mmbdtlb] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [ghhxdxo] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [qvoobyw] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [qqglual] c:\windows\ygolrxb.exe
O4 - HKCU\..\Run: [hnqqolu] c:\windows\cvwnopn.exe
O4 - HKCU\..\Run: [xoihlue] c:\windows\cvwnopn.exe
O4 - HKCU\..\Run: [kxrhepm] c:\windows\ghvlceu.exe
O4 - HKCU\..\Run: [vad

Edited by KoanYorel, 08 November 2005 - 12:30 PM.


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 November 2005 - 11:57 AM

Hi and Welcome to bleeping computer!!

My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

You have a possible CoolWebSearch infection.

Download CWShredder Here to its own folder.
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Start your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David

#3 Feargal
  • Topic Starter
  • Members
  • 8 posts

Posted 10 November 2005 - 12:58 PM

David

Here's the latest. I followed the instructions.

CWShredder didn't find any problem! Even though XSoftSpy does find CWS.Homepage.
EWido found and removed a number of threats.
I also used HijackThis to remove the thousands of entries in this format:
O4 - HKCU\..\Run: [ogmqadm] c:\windows\gfgymdl.exe (The exe files had all been created at the same time). These were slowing my boot time - not sure if they were doing anything else.

So I'm not really sure if I've fixed anything.

Here's the current HJT LogFile
Logfile of HijackThis v1.99.1
Scan saved at 16:24:41, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ONSPEED\onspeed.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeed.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124305450281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworks.webex.com/client/v_mywebe...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And Here's the Ewido LogFile
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:36:28, 10/11/2005
+ Report-Checksum: 27F80846

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\PSGuard.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\Register.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\Uninstall.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Application Data\Microsoft\Internet Explorer\Quick Launch\PSGuard.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@ehg-inteljobs.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Feargal Delaney\Cookies\feargal delaney@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0004714.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP18\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0004872.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0004941.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0005045.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0005099.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006208.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006278.dll -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006453.exe -> TrojanDropper.Small.adv : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006454.dll -> TrojanDownloader.Small.bik : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006533.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\snapshot\MFEX-2.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP33\A0007648.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0008668.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0009792.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0009852.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP38\A0010977.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0004470.dll -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\snapshot\MFEX-1.DAT -> Spyware.Searcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\snapshot\MFEX-2.DAT -> Spyware.Searcher : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\update.exe -> TrojanDropper.Small.adv : Cleaned with backup


::Report End

Not sure if I am fully well - but I feel better.

Let me know if I am using the tool wrongly - I feel there must be a way of attaching these text files.

Thanks


Feargal

:thumbsup: :flowers:

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 10 November 2005 - 05:53 PM

Download Lspfix. Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of flsmngr.dll (and nothing else), move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.

Then post new HJT log
David

Edited by D-Trojanator, 10 November 2005 - 05:54 PM.
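Both patterns this thread turns on, the burst of random-named HKCU Run values Feargal removed by hand in post #3 and the Winsock LSP DLL that HijackThis could not identify and post #4 has LSPFix remove, can be picked out of a HijackThis log mechanically. The script below is an added example, not code from the thread or from HijackThis; it assumes the HJT v1.99.1 line formats shown in the logs above, and its sample log, 6-8 letter random-name heuristic and three-value threshold are constructed for illustration.

```python
"""Triage of HijackThis O4 (Run) and O10 (Winsock LSP) lines.

Added example for this thread, not code from the original posts or from the
HijackThis project. The line formats are those of HijackThis v1.99.1 as shown
in the thread; the sample log, the thresholds and the random-name heuristic
are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed sample in the thread's HJT format: two legitimate Run values,
# a burst of random-named HKCU Run values launching random-named executables
# placed directly in C:\WINDOWS, a line cut off mid-way (as at the end of the
# first post), and a Winsock LSP DLL that HJT could not identify.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xcwowia] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [vlktgyf] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [yppsaue] c:\windows\yigvsfg.exe
O4 - HKCU\..\Run: [cvwywws] c:\windows\uprgpre.exe
O4 - HKCU\..\Run: [ovtmekq] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [ysnypkx] c:\windows\mmlxpgi.exe
O4 - HKCU\..\Run: [vad
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""

# "O4 - HKCU\..\Run: [value name] command"  (also RunOnce, RunServices, ...)
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# "O10 - Unknown file in Winsock LSP: path"
LSP_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
# Assumed heuristic for the generated names seen in the thread: 6-8 lowercase
# letters only, no digits, no capitals, no separators.
RANDOM_NAME = re.compile(r"[a-z]{6,8}")


def launched_file(command):
    """Return the lower-cased path of the executable a Run command launches.
    A quoted path is taken whole; an unquoted one is cut at the first space,
    which is enough for C:\\WINDOWS\\<name>.exe but not for every entry."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split()[0].lower()


def parse_run_entries(text):
    """Parse O4 Run lines; malformed or truncated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "target": launched_file(command)})
    return entries


def find_suspicious_run_entries(entries, min_values=3):
    """Group Run values by the file they launch and flag two signals: several
    distinct value names launching the same file, and random-looking names
    for both the value and a file placed directly in C:\\WINDOWS."""
    by_target = defaultdict(list)
    for e in entries:
        by_target[e["target"]].append(e["name"])
    findings = []
    for target in sorted(by_target):
        names = by_target[target]
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if len(names) >= min_values:
            reasons.append(f"{len(names)} Run values launch the same file")
        directly_in_windows = (target.startswith("c:\\windows\\")
                               and target.count("\\") == 2)
        if (directly_in_windows and RANDOM_NAME.fullmatch(stem)
                and all(RANDOM_NAME.fullmatch(n) for n in names)):
            reasons.append("random-looking value and file names in C:\\WINDOWS")
        if reasons:
            findings.append({"target": target, "values": names, "reasons": reasons})
    return findings


def find_unknown_lsp(text):
    """Count O10 'Unknown file in Winsock LSP' lines per DLL. A layered
    provider is normally registered once per underlying protocol entry, so
    the same DLL shows up several times, as flsmngr.dll does in the thread."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = LSP_LINE.match(line)
        if m:
            counts[m.group(1).strip().lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_run_entries(SAMPLE_LOG)
    print(f"{len(entries)} Run entries parsed")
    for f in find_suspicious_run_entries(entries):
        print(f"{f['target']}: {'; '.join(f['reasons'])} ({', '.join(f['values'])})")
    for dll, n in find_unknown_lsp(SAMPLE_LOG).items():
        print(f"unknown Winsock LSP DLL {dll} listed {n} times")
```

Run as a script it reports on the constructed sample; pointed at the text of a saved HJT log it gives a first pass that a reviewer can then check by hand, since the name heuristic will not catch a variant that uses mixed-case or longer names.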


#5 Feargal
  • Topic Starter
  • Members
  • 8 posts

Posted 11 November 2005 - 07:28 AM

Download Lspfix. Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of flsmngr.dll (and nothing else), move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.

Then post new HJT log
David



#6 Feargal

Posted 11 November 2005 - 07:31 AM

David

Followed the instructions. And yes - flsmngr is gone. Note that even before I had done this, CWS.Homepage had not reappeared. So it looks as if I may be clear.

Thanks a lot for the help. Much appreciation.

HJT Log is below.

Feargal

:thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:42, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ONSPEED\onspeed.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeed.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\onspeed.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\onspeed.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124305450281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworks.webex.com/client/v_mywebe...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 -David-

Posted 11 November 2005 - 12:01 PM

Fix these with HijackThis:

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe


Reboot and post new HJT log
David :thumbsup:

#8 Feargal

Posted 14 November 2005 - 04:56 AM

David

Did it. Log attached. Note that when I did the HJT fix, I immediately got a NAV virus message about Bloodhound. Not seen before or since. I assume this is a red herring.

Thanks

Feargal



Logfile of HijackThis v1.99.1
Scan saved at 09:47:47, on 14/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ONSPEED\onspeed.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeed.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\onspeed.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\onspeed.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124305450281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworks.webex.com/client/v_mywebe...bex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





:thumbsup:
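The two checks David applied to the logs above, written out as a small script. This is an added example, not code from the thread or from HijackThis: it flags O16 DPF entries whose download location is not an http(s) URL (the rule behind the three entries fixed in post #7) and diffs two scans so the post-reboot log can be confirmed clean of them. The embedded sample logs are trimmed copies of the 11 and 14 November logs posted above; the regexes and function names are my own assumptions about the log format.

```python
"""HJT log triage helper (added example; not from the thread or HijackThis).
Sample logs are trimmed copies of the 11 Nov and 14 Nov logs in the thread."""
import re
from urllib.parse import urlsplit

# Any HJT entry line: "<section> - <rest>", e.g. "O16 - DPF: {CLSID} (name) - url"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
# O16 DPF entry: CLSID, optional friendly name, then the control's download location
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse_entries(log_text):
    """Return {section: set(rest)} for every entry line; other lines are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["section"], set()).add(m["rest"])
    return entries

def suspicious_o16(log_text):
    """O16 entries whose download location is not a plain http(s) URL.
    A DPF entry records where IE fetches an ActiveX control; a file:// path
    on the local disk or an ms-its:/mhtml: chain (the three entries fixed in
    the thread) is a persistence point for the hijacker, so it is flagged."""
    flagged = []
    for rest in parse_entries(log_text).get("O16", ()):
        m = O16_RE.match(rest)
        if m is None:
            continue
        scheme = urlsplit(m["url"]).scheme.lower()
        if scheme not in ("http", "https"):
            flagged.append((m["clsid"], scheme, m["url"]))
    return sorted(flagged)

def diff_logs(before_text, after_text):
    """Entries removed from and added to the log between two scans, by section.
    The check done by hand in the thread: fixed lines must be absent from the
    post-reboot log, and nothing new should have appeared."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed, added = {}, {}
    for section in sorted(set(before) | set(after)):
        gone = before.get(section, set()) - after.get(section, set())
        new = after.get(section, set()) - before.get(section, set())
        if gone:
            removed[section] = sorted(gone)
        if new:
            added[section] = sorted(new)
    return removed, added

# Trimmed copy of the 11 Nov log posted in the thread (before the HJT fix).
LOG_11NOV = r"""Logfile of HijackThis v1.99.1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworks.webex.com/client/v_mywebe...bex/ieatgpc.cab
"""
# Trimmed copy of the 14 Nov log: after the three entries were fixed and the reboot.
LOG_14NOV = r"""Logfile of HijackThis v1.99.1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworks.webex.com/client/v_mywebe...bex/ieatgpc.cab
"""

if __name__ == "__main__":
    for clsid, scheme, url in suspicious_o16(LOG_11NOV):
        print(f"flag O16 {clsid}: scheme {scheme!r} -> {url}")
    removed, added = diff_logs(LOG_11NOV, LOG_14NOV)
    print(f"removed since last scan: {removed}\nadded since last scan: {added}")
```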

#9 -David-

Posted 14 November 2005 - 06:09 AM

Well your HJT log is looking 100 times better! :thumbsup:

Note that when I did the HJT fix, I immediately got a NAV virus message about Bloodhound. Not seen before or since. I assume this is a red herring.


Does it give you a pathname at all?

David

#10 Feargal

Posted 15 November 2005 - 06:41 AM

David

I neglected to note down the pathname when it occurred. And I have not seen it since - and don't know that I can retrieve it from Nav.

If it does reappear, I'll send it on...

Feargal

#11 -David-

Posted 15 November 2005 - 11:25 AM

Click Here to do a Panda online scan
  • If it asks you to install ActiveX controls, click Yes
  • If a box comes up telling you to install the program, also click Yes
  • Make sure you tick Disinfect automatically under Scan Options
  • Complete the scan and post the log that you can save afterwards, in the same way you did the HJT log.
  • It is normal for it to take a reasonable time to complete
David

#12 Feargal

Posted 16 November 2005 - 06:49 AM

David

Done it. Now, since I had left some of my deleted objects in the Recycle Bin, they all appeared in the Panda scan, so I have removed them from the listing.

Panda Scan contents below.

Thanks

Feargal


Incident Status Location

Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM32\thn.dll
Dialer:dialer.xd No disinfected C:\WINDOWS\switchagreement.txt
Adware:adware/oemji No disinfected Windows Registry
Dialer:Dialer.ABR No disinfected C:\Program Files\HijackThis\backups\backup-20051114-094440-792.inf
Adware:Adware/PurityScan No disinfected C:\Program Files\HijackThis\backups\backup-20051114-094441-893.inf
Virus:W32/Smitfraud.B Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0006492.old
Dialer:Dialer.Gen No disinfected C:\WINDOWS\switchagreement.txt

#13 -David-

Posted 16 November 2005 - 12:22 PM

Download killbox from here:

KillBox

Unzip the folder to your desktop.

1. Start Killbox.exe
2. Select the Delete on Reboot option.
3. Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\thn.dll
C:\WINDOWS\switchagreement.txt


4. Go to the File menu of Killbox, and choose Paste from Clipboard.
5. Click the Delete File button that is a red-and-white X. When asked if you want to delete these files say Yes. When asked if you want to reboot now, say No.
6. Exit Killbox.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

How's everything running? :up: or :down: ?

#14 Feargal

Posted 17 November 2005 - 10:56 AM

David

All done - and yes - I'm running much better.

Thanks

Feargal

#15 -David-

Posted 17 November 2005 - 01:38 PM

:thumbsup:

Due to the fact that this topic has thankfully been resolved, I will close this thread. :flowers:

If you want the thread to be re-opened at any point, please PM me or any other staff with a link to it!

If anyone else is reading this with a similar problem that you would like help with, please post it in a new thread in the security section!


:trumpet: David :inlove:



