Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Casclient? Please Review My Log


  • This topic is locked This topic is locked
18 replies to this topic

#1 jgz

jgz

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 24 February 2006 - 09:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:53:09 PM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\sysvx_.exe
C:\WINDOWS\sachostx.exe
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\windows\winsysban11.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\sysvx.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sachosts.exe
C:\WINDOWS\system32\sachostc.exe
C:\WINDOWS\system32\sachosts.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\YPSR\ppclean.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\johnny\Local Settings\Temp\wz3077\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.sqeiwzqxtdxwgpa.com/U1FAXRocZ48pJ_JC_sdefL3sm62B8qtqFjPAFqlqsSU.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\johnny\Application Data\Mozilla\Profiles\default\rcqc9ax8.slt\prefs.js)
O3 - Toolbar: Search - {E93470A6-891B-E6F9-263C-42C4A584DED1} - C:\WINDOWS\Odgygqyc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [{AA-A6-60-0B-ZN}] C:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [win32077957-133518] C:\WINDOWS\win32077957-133518.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ms05187957-1335] C:\WINDOWS\ms05187957-1335.exe
O4 - HKLM\..\Run: [ms045187957-133] C:\WINDOWS\ms045187957-133.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [3464] c:\windows\eee2.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Fulvpmeb] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinnrai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qmdsregs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341312
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136665057359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: repairs302973000.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\
O20 - Winlogon Notify: satmmc - C:\WINDOWS\SYSTEM32\satmmc.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wancp - wancp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Veoh Client Service - Unknown owner - C:\Program Files\Veoh\VeohClientService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 07:49 AM

Hello,

This is a really nasty log! You are dealing with A LOT different infections. :thumbsup:
Or at least a lot leftovers!

Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Go to start > controlpanel > software > add/remove programs and uninstall next programs if present:

Network Monitor
Relevant knowledge
Kazaa
<== Kazaa is bundled with malware
SurfsideKick

I see you have PartyPoker installed.
If you didn't install it with intension to play with, I suggest you uninstall it, because in most cases, these programs are supported by malware, getting installed without asking for it and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.

* Reboot your system! Really important!!

Download Brute Force Uninstaller.
Unzip it to a folder of itís own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/p2pnetwork.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ATF Cleaner by Atribune to your desktop.
Do not use it yet.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: Search - {E93470A6-891B-E6F9-263C-42C4A584DED1} - C:\WINDOWS\Odgygqyc.dll
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [{AA-A6-60-0B-ZN}] C:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [win32077957-133518] C:\WINDOWS\win32077957-133518.exe
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [ms05187957-1335] C:\WINDOWS\ms05187957-1335.exe
O4 - HKLM\..\Run: [ms045187957-133] C:\WINDOWS\ms045187957-133.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [3464] c:\windows\eee2.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Fulvpmeb] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinnrai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qmdsregs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341312
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O20 - AppInit_DLLs: repairs302973000.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\
O20 - Winlogon Notify: satmmc - C:\WINDOWS\SYSTEM32\satmmc.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wancp - wancp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode`: ( without networking support !)
įTo get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Network Monitor <== folder
C:\WINDOWS\sysvx_.exe
C:\WINDOWS\sachostx.exe
C:\windows\system32\dwdsregt.exe
C:\windows\winsysban11.exe
C:\WINDOWS\system32\sysvx.exe
C:\WINDOWS\system32\sachosts.exe
C:\WINDOWS\system32\sachostc.exe
C:\Program Files\SurfSideKick 3 <== folder
C:\WINDOWS\Odgygqyc.dll
C:\windows\winsysupd11.exe
C:\WINDOWS\System\svwhost.exe <== watch the spelling!! Don't delete similar looking files somewhere else!!!
C:\WINDOWS\System\svwhost.dll
C:\WINDOWS\win32077957-133518.exe
C:\windows\rlvknlg.exe
C:\WINDOWS\ms05187957-1335.exe
C:\WINDOWS\ms045187957-133.exe
C:\WINDOWS\system32\mmxp2passion.exe
C:\\gimmygames11.exe
c:\windows\eee2.exe
C:\Program Files\Common Files\VCClient <== folder
C:\WINDOWS\system32\twinnrai.exe
C:\WINDOWS\system32\qmdsregs.exe
C:\WINDOWS\SYSTEM32\logon16x.dll
C:\WINDOWS\SYSTEM32\satmmc.dll

* Still in safe mode Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply
together a fresh HijackThis log and the ewido-log so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 11:11 AM

Thanks for the instructions, I'm going to attempt to try to fix this. But how am I supposed to do all of that in safe mode w/o networking? How am I supposed to download the programs?

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 11:15 AM

Hi,

Please read my instructions very carefully. It is important you follow everything in the exact order. If you reread the instructions, I ask you to download the tools before going in Safe Mode without networking support.
That's why every step is so important. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 11:22 AM

Oh..i see. One question, what about the Panda thing? Don't I have to do that online?

#6 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 11:24 AM

Ooops..never mind.. i re-read it.. sorry! I'll post the logs when I'm done.

Edited by jgz, 25 February 2006 - 11:26 AM.


#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 11:29 AM

That's why reading everything is so important. :thumbsup:

While in the middle of the fix and you are having some problems with something or can't delete a file or find it when in safe mode, just skip that step and go on with the next step. Just tell me afterwards and don't interrupt your fix to tell me. :flowers:

Edited by miekiemoes, 25 February 2006 - 11:31 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 03:54 PM

Alright, I followed all of the instructions. Here are the logs...Please reply..Thanks!

HiJack This

Logfile of HijackThis v1.99.1
Scan saved at 3:51:22 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\johnny\My Documents\Unzipped\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.sqeiwzqxtdxwgpa.com/U1FAXRocZ48pJ_JC_sdefL3sm62B8qtqFjPAFqlqsSU.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\johnny\Application Data\Mozilla\Profiles\default\rcqc9ax8.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinnrai.exe CORN001
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136665057359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: logon16x - logon16x.dll (file missing)
O20 - Winlogon Notify: satmmc - satmmc.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Unknown owner - C:\Program Files\Veoh\VeohClientService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:18:08 PM, 2/25/2006
+ Report-Checksum: 88089762

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3472313688-694050851-139080822-1005\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3472313688-694050851-139080822-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3472313688-694050851-139080822-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3472313688-694050851-139080822-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2luvz4a8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frAE84 -> Logger.Small.dg : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temp\vx1.game -> Downloader.Small.ckh : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temp\vxt1.game -> Downloader.Small.ckn : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\23MFI5YR\eeedo[1].exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\23MFI5YR\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\23MFI5YR\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\23MFI5YR\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\AHC325Y1\mm63[1].ocx -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\AHC325Y1\surv3[1].exe -> Downloader.VB.vv : Cleaned with backup
C:\Documents and Settings\johnny\Shared\Registry Mechanic latest + CRACK zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\installerwebnex.exe -> Downloader.Qoologic.bh : Cleaned with backup
C:\ld.exe -> Downloader.Small.cke : Cleaned with backup
C:\ld.exe.bak -> Downloader.Small.cke : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp\plugin.dll -> Adware.CASClient : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\7020.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\a.exe -> Downloader.VB.xd : Cleaned with backup
C:\WINDOWS\am9obm55ICB6aWFkZWg\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\gimmygames10a.exe -> Downloader.VB.xl : Cleaned with backup
C:\WINDOWS\Golden Palace Casino PT setup.exe -> Adware.Casino : Cleaned with backup
C:\WINDOWS\kl1.exe -> Dropper.Small.amd : Cleaned with backup
C:\WINDOWS\kovzvkt.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\oqeejhcv.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\1.dat -> Dialer.Kotu.b : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R2BSLOD\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6DUT4PUP\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AHQ7ADK9\AppWrap[1].exe -> Adware.Zestyfind : Cleaned with backup
C:\WINDOWS\system32\logon16x.dll -> Logger.Haxspy.q : Cleaned with backup
C:\WINDOWS\system32\mmlogon.sys -> Logger.Haxspy.q : Error during cleaning
C:\WINDOWS\system32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x027a2fba8a17af1658048b9a91e3e6f1.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x18326e4ee4bd6077e9d03be99bb960fc.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x224438f9d3f55c9c6be503c6a868bf27.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x28dc56e7c29c39c8e36a1dc0e895eeab.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x396a4aaadda74e092371b388474ed52e.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x5131b1b1183a4b11b41836c9a693f4b2.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x5746625fc2a6f3b821f0803c1457aec3.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0x5a7e4a14d5b1ba72c268565d63b052c4.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0xa661d2e097c1fa4b9b22798d96fdf903.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10000-0xe609b5458323785ffb8d82a1d2c5fe13.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-1709607797.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-1001-83.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-5001-1925535829.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\index256.dbb -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking.eng -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\sachostm.exe -> Logger.Small.fe : Cleaned with backup
C:\WINDOWS\system32\satmmc.dll -> Logger.Goldun.hu : Cleaned with backup
C:\WINDOWS\system32\srwhost.exe.mwt -> Backdoor.Rbot.adf : Cleaned with backup
C:\WINDOWS\system32\vxgamet1.exe -> Downloader.Small.ckn : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Downloader.Small.skn : Cleaned with backup
C:\WINDOWS\system32\vxgamet3.exe -> Dropper.Delf.th : Cleaned with backup
C:\WINDOWS\system32\vxgamet4.exe26624.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\vxgamet4.exe51200.exe.mwt -> Backdoor.Agent.qr : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\14HW3EHY\adv640[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\14HW3EHY\bag[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.j : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\8N6X6VEB\1[1].exe -> Downloader.Small.ckm : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\8N6X6VEB\tool2[1].txt -> Hijacker.Spywad.m : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\9A23D5XG\send_car_int[1].htm.mwt -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\FLYGUYWG\kl[1].txt -> Dropper.Small.amd : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\FLYGUYWG\korm[1].exe -> Proxy.Agent.hs : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\FLYGUYWG\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\IL4VSLQ3\ZICORN001[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\K5I7CD63\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\WINDOWS\temp\vx1.game -> Downloader.Small.ckh : Cleaned with backup
C:\WINDOWS\temp\vx2.game -> Trojan.Lineage.pa : Cleaned with backup
C:\WINDOWS\temp\vx3.game -> Downloader.Small.cgy : Cleaned with backup
C:\WINDOWS\temp\vx6.game -> Worm.Locksky.aj : Cleaned with backup
C:\WINDOWS\temp\vxt1.game -> Downloader.Small.ckn : Cleaned with backup
C:\WINDOWS\temp\vxt2.game -> Downloader.Small.skn : Cleaned with backup
C:\WINDOWS\temp\vxt3.game -> Dropper.Delf.th : Cleaned with backup
C:\WINDOWS\temp\vxt4.game -> Downloader.Tiny.ba : Cleaned with backup
C:\WINDOWS\tivtikuz.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\tool2.exe -> Hijacker.Spywad.m : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End


Panda


Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\johnny\Application Data\sskknwrd.dll
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\johnny\Local Settings\Temp\THI3018.tmp\twaintec.inf
Adware:Adware/LocalNRD Not disinfected C:\Documents and Settings\johnny\Local Settings\Temp\THI5DFF.tmp\localNrd.inf
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\johnny\Local Settings\Temp\THI6C1F.tmp\twaintec.inf
Adware:Adware/Twain-Tech Not disinfected C:\Documents and Settings\johnny\Local Settings\Temp\THI715E.tmp\twaintec.inf
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\johnny\Local Settings\Temp\vx2.game
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\23MFI5YR\installer[1].exe
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\johnny\Local Settings\Temporary Internet Files\Content.IE5\AHC325Y1\unstall[1].exe
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[1].txt
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/WUpd Not disinfected C:\WINDOWS\Downloaded Program Files\BridgeX.inf
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:adware/dealhelper Not disinfected C:\WINDOWS\dsearch1.bin
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.log
Adware:adware/cydoor Not disinfected C:\WINDOWS\system32\cd_clint.dll
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG
Virus:Trj/Rirat.B Not disinfected C:\WINDOWS\system32\mmlogon.sys
Virus:W32/Locksky.BT.worm Not disinfected C:\WINDOWS\system32\msvcrl.dll
Virus:W32/Locksky.BT.worm Not disinfected C:\WINDOWS\system32\sachostp.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\FLYGUYWG\winsysupd11[1].exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 03:59 PM

Hello,

Can you perform next as well please?

Download and Save blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first.
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 04:05 PM

i just completed the blacklight scan , and it said there were no hidden items found. please advise me what to do next. by the way my comp. is working better so far!!!

#11 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 04:12 PM

This was saved to my desktop..Im not sure if this is it..?

2/25/06 16:03:37 [Info]: BlackLight Engine 1.0.32 initialized
02/25/06 16:03:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/25/06 16:03:37 [Note]: 7019 4
02/25/06 16:03:37 [Note]: 7005 0
02/25/06 16:03:40 [Note]: 7006 0
02/25/06 16:03:40 [Note]: 7011 1388
02/25/06 16:03:40 [Note]: 7015 476
02/25/06 16:03:40 [Note]: 7015 5
02/25/06 16:03:40 [Note]: 7015 776
02/25/06 16:03:40 [Note]: 7015 5
02/25/06 16:03:40 [Note]: 7015 960
02/25/06 16:03:40 [Note]: 7015 5
02/25/06 16:03:40 [Note]: 7015 1036
02/25/06 16:03:40 [Note]: 7015 5
02/25/06 16:03:40 [Note]: 7015 1976
02/25/06 16:03:40 [Note]: 7015 5
02/25/06 16:03:41 [Note]: FSRAW library version 1.7.1015
02/25/06 16:04:46 [Note]: 4013 100038
02/25/06 16:04:46 [Note]: 4020 11718 65536
02/25/06 16:04:46 [Note]: 4018 11718 65536
02/25/06 16:06:39 [Note]: 7007 0

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 04:12 PM

Ok, perform next..

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\system32\mmlogon.sys

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system must reboot now.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinnrai.exe CORN001
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: logon16x - logon16x.dll (file missing)
O20 - Winlogon Notify: satmmc - satmmc.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

C:\drsmartload1.exe
C:\Program Files\Kazaa <== folder
C:\secure32.html
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\dsearch1.bin
C:\WINDOWS\msbb.log
C:\WINDOWS\system32\cd_clint.dll
C:\WINDOWS\system32\INNERVBINSTALL.LOG
C:\WINDOWS\system32\msvcrl.dll
C:\WINDOWS\system32\sachostp.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uniq

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\BridgeX.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf

Go to start > run and type regsvr32 occache.dll
Click OK

It also looks like you didn't run ATF-Cleaner as I asked you, or at least not how it was explained.

So please perform this again:Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Post a new hijackthislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 04:33 PM

I followed all instructions.. heres the new log.


Logfile of HijackThis v1.99.1
Scan saved at 4:30:11 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\johnny\My Documents\Unzipped\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.sqeiwzqxtdxwgpa.com/U1FAXRocZ48pJ_JC_sdefL3sm62B8qtqFjPAFqlqsSU.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\johnny\Application Data\Mozilla\Profiles\default\rcqc9ax8.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136665057359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Veoh Client Service - Unknown owner - C:\Program Files\Veoh\VeohClientService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:28 PM

Posted 25 February 2006 - 04:35 PM

That was fast!

Looks clean.

How are things running now?

Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of some leftovers if still present.
If you don't have those programs yet, you can find the downloadlocations in my sig.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 jgz

jgz
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:28 PM

Posted 25 February 2006 - 04:45 PM

THANKS FOR ALL YOUR HELP!!! YOUR A GENIUS KEEP UP THE GOOD WORK AD-AWARE FOUND NOTHING, WOW YOUR GOOD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users