
Surfsidekick3


  • This topic is locked
21 replies to this topic

#1 tornaXsunder


  • Members
  • 10 posts

Posted 26 February 2006 - 03:48 PM

Hi,

I've recently become infected by the PUP surfsidekick3. I've tried many different removal processes... everything from McAfee to manually going into the registry and removing the designated files... Somehow it keeps reloading every time I restart Windows... I have yet to find a way to delete the actual program and DLL files in the Program Files folder (ssk.exe, sskBho.dll, sskCore.dll).

My HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:05 PM, on 2/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\TmV3IFVzZXI\command.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Network Monitor\netmon.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\kjldzax.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\kjldzaxA.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\MediaGateway\MediaGateway.exe
C:\windows\winsysban11.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\win32081316793398.exe
C:\WINDOWS\ms069813167933.exe
C:\windows\eee2.exe
C:\Program Files\RegiFast\RFManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\izwo\izwom.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\u1um0id.exe
C:\Program Files\Common Files\Windows\services32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\New User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yvakt Class - {156AFB23-6A31-443C-A1D0-FD418898C11B} - C:\WINDOWS\System32\v9gcyb8xi.dll
O2 - BHO: RegiFastObj Class - {C67A62C7-A68D-484C-9617-880C1F70D3F7} - C:\PROGRA~1\RegiFast\RegiFast.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [kjldzaxA] C:\WINDOWS\kjldzaxA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wicqpp.exe reg_run
O4 - HKLM\..\Run: [eC7YdH8] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\twinmrai.exe CORN001
O4 - HKLM\..\Run: [win32081316793398] C:\WINDOWS\win32081316793398.exe
O4 - HKLM\..\Run: [ms069813167933] C:\WINDOWS\ms069813167933.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe] C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [izwo] C:\PROGRA~1\COMMON~1\izwo\izwom.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000118.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmrai.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: xhjw.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137110696801
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll
O20 - AppInit_DLLs: repairs302973000.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\j62qlgf5162.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV3IFVzZXI\command.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kjldzax.exe




Any suggestions would be much appreciated!

Thank you
Brian
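
The HijackThis log above is the raw material that helpers in this thread triage by eye. As an added example (not code from the thread, from HijackThis or from BleepingComputer), this Python script parses such entries and applies a few defender heuristics: IE Trusted Zone additions (O15), Winsock hijacks (O10), AppInit_DLLs and Winlogon Notify hooks (O20), services with no publisher (O23), Run entries launching from outside the usual program folders or with long digit runs in the file name, and the same image registered under both HKLM and HKCU Run, which is the redundancy behind an entry that reloads on every restart. The expected-folder list and the sample lines are assumptions built from this thread's own log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input constructed from a subset of the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [kjldzaxA] C:\WINDOWS\kjldzaxA.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [eC7YdH8] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000118.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O20 - AppInit_DLLs: repairs302973000.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kjldzax.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# One entry per line: section code (R0-R3, O1-O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 body: <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading "<path>.exe" (or .dll/.com/.scr) of a command line that may carry arguments.
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|scr))(?=\s|$)", re.I)

# Where Run entries on this Compaq/XP box are expected to point (assumption for this example).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\",
                 "c:\\compaq\\", "c:\\cpqs\\")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the entry was flagged
    line: str    # the log line as written


def image_path(cmd: str) -> str:
    """Return the executable or DLL that a Run command line actually loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):   # rundll32 <dll>,<entrypoint> <args>
        return rest.split(",", 1)[0].strip()
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else first


def triage(log_text: str) -> list:
    """Apply defender heuristics to a HijackThis log; return entries worth a closer look."""
    findings = []
    run_hives = defaultdict(set)   # normalised image path -> hives whose Run key starts it
    run_lines = {}                 # normalised image path -> first log line seen for it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            r = RUN_RE.match(body)
            if not r:              # Startup-folder O4 entries carry no hive; not handled here
                continue
            norm = image_path(r.group("cmd")).lower()
            run_hives[norm].add(r.group("hive"))
            run_lines.setdefault(norm, line)
            if "\\" in norm and not norm.startswith(EXPECTED_DIRS):
                findings.append(Finding(code, "autorun image outside expected program folders", line))
            if re.search(r"\d{6,}", norm.rsplit("\\", 1)[-1]):
                findings.append(Finding(code, "long digit run in autorun file name", line))
        elif code == "O10":
            findings.append(Finding(code, "Winsock LSP hijack", line))
        elif code == "O15":
            findings.append(Finding(code, "site added to IE Trusted Zone", line))
        elif code == "O20":
            findings.append(Finding(code, "AppInit_DLLs or Winlogon Notify hook", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service with no publisher", line))
    # One image registered under both HKLM and HKCU Run is the redundancy that lets an
    # entry "keep reloading" after only one copy has been removed.
    for norm, hives in run_hives.items():
        if len(hives) > 1:
            reason = "same image registered under " + " and ".join(sorted(hives))
            findings.append(Finding("O4", reason, run_lines[norm]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code} {f.reason}: {f.line}")
```

The heuristics are deliberately coarse: a randomly named executable that sits in System32 (dgfgql.exe above) passes the folder check, which is why a human still reads the whole log.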


#2 John_McKenna


    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 27 February 2006 - 04:34 AM

Hi and welcome to Bleeping. :thumbsup:

You are in a pickle, aren't you?

Surfsidekick is the least of your problems I'm afraid. You have some really nasty spyware programs on your machine. However, there's no point in even attempting to remove these unless you patch up Windows and Internet Explorer first. You have no Service Packs installed at the moment, which means you're wide open to infection every time you go online.

Please click HERE to download and install Service Pack 1a. Choose the 'Network Installation' link.

Then post a fresh HijackThis log in your next reply to this topic.



Keeping Track of Your Topic
  • Please subscribe to this thread by clicking 'Track this topic' at the top of the thread.
  • Enable email notification to subscribed threads via the My Control Panel link above.
  • Keep ALL future replies in this thread please.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 tornaXsunder

  • Topic Starter

  • Members
  • 10 posts

Posted 03 March 2006 - 05:11 PM

All right, I installed the service pack... here is my fresh HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 5:07:53 PM, on 3/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\kjldzax.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\kjldzaxA.exe
C:\WINDOWS\SYSC00.exe
C:\windows\winsysban11.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\win32081316793398.exe
C:\WINDOWS\System32\u1um0id.exe
C:\WINDOWS\ms069813167933.exe
C:\windows\eee2.exe
C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
C:\Program Files\RegiFast\RFManager.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\FT_SudokuInstaller.exe
C:\WINDOWS\SYSTEM32\twinmrai.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Yazzle Sudoku\Sudoku.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yazzle Sudoku\OINSetup.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\mshtml2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\SYSTEM32\twinmrai.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\New User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yvakt Class - {156AFB23-6A31-443C-A1D0-FD418898C11B} - C:\WINDOWS\System32\v9gcyb8xi.dll
O2 - BHO: RegiFastObj Class - {C67A62C7-A68D-484C-9617-880C1F70D3F7} - C:\PROGRA~1\RegiFast\RegiFast.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe
O4 - HKLM\..\Run: [kjldzaxA] C:\WINDOWS\kjldzaxA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wicqpp.exe reg_run
O4 - HKLM\..\Run: [eC7YdH8] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [win32081316793398] C:\WINDOWS\win32081316793398.exe
O4 - HKLM\..\Run: [ms069813167933] C:\WINDOWS\ms069813167933.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe] C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\twinmrai.exe CORN001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmrai.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137110696801
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\fp0003dme.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV3IFVzZXI\command.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kjldzax.exe



Thanks again for helping!
Brian

#4 John_McKenna


    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 04 March 2006 - 08:09 AM

Thank you. I'd like to check for some rootkit behaviour and hidden files first to ensure we're not chasing our own tails from the off.


Step # 1

Download F-Secure's BlackLight to a new folder on your desktop.
  • Double-click blbeta.exe
  • Click Scan and then Next when it's finished scanning.
  • Let Blacklight rename any malicious files it finds apart from "wbemtest.exe" which is legitimate.
  • Allow the machine to reboot if prompted.
  • Post the contents of the "fsbl.log" from the folder please.
Step # 2

Download WinPFind.zip from here and unzip it to your C:\ folder to create C:\WinPFind.
  • Important! Reboot in Safe Mode
  • Double-click WinPFind.exe inside c:\WinPFind to launch the program.
  • Then click on the Start Scan button and wait for it to finish.
  • This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.
  • When it is done, it will show the results of the scan.
  • Click on the Copy to Clipboard button and save them to notepad for posting.
Step # 3

Please also post a HijackThis Uninstall List:
  • Open HijackThis and click 'Config' (bottom right)
  • Click 'Misc Tools' and then 'Open Uninstall Manager'
  • A list of the entries in Add/remove programs will appear.
  • Click on Save List...
  • The list will be saved as 'Uninstall_list.txt'
  • Copy & Paste the contents in your next reply.
Then we'll get to work removing these blighters. :thumbsup:

#5 tornaXsunder

  • Topic Starter

  • Members
  • 10 posts

Posted 04 March 2006 - 08:28 PM

Hey, thanks for replying so fast!

Well, the BlackLight program will not work on my computer for some reason... It keeps giving me the error message: "F-Secure BlackLight was unable to acquire necessary privileges (SeDebugPrivilege)". I don't think it's anything wrong that I am doing, because it works fine on my other computer... I hope this doesn't hinder the fixing of my computer too much! :thumbsup:

I was able to complete the other two requests though:

WinPFind log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 2/25/2006 11:02:26 PM 1144839 C:\stng260.exe
UPX! 3/3/2006 8:16:38 PM 467968 C:\visfx500.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/23/2006 6:42:10 PM 70910 C:\WINDOWS\elos.exe

Checking %System% folder...
WinShutDown 2/26/2006 2:45:52 PM R S 234773 C:\WINDOWS\SYSTEM32\AASLDP.DLL
WinShutDown 2/26/2006 1:51:50 PM R S 233738 C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
ad-w-a-r-e.com 2/26/2006 1:51:50 PM R S 233738 C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
WinShutDown 2/25/2006 10:07:38 PM R S 235828 C:\WINDOWS\SYSTEM32\AQMFD.DLL
ad-w-a-r-e.com 2/25/2006 10:07:38 PM R S 235828 C:\WINDOWS\SYSTEM32\AQMFD.DLL
WinShutDown 2/26/2006 2:40:02 PM R S 233417 C:\WINDOWS\SYSTEM32\AYIFILE.DLL
WinShutDown 3/3/2006 7:12:50 PM R S 236095 C:\WINDOWS\SYSTEM32\btowsewm.dll
PEC2 8/18/2001 2:00:00 PM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
WinShutDown 2/26/2006 1:58:32 PM R S 237028 C:\WINDOWS\SYSTEM32\DKDXOF.DLL
ad-w-a-r-e.com 2/26/2006 1:58:32 PM R S 237028 C:\WINDOWS\SYSTEM32\DKDXOF.DLL
WinShutDown 3/3/2006 10:45:28 AM R S 236013 C:\WINDOWS\SYSTEM32\DSNADDR.DLL
WinShutDown 3/3/2006 7:24:06 PM R S 236095 C:\WINDOWS\SYSTEM32\g4220efoeh2c0.dll
WinShutDown 2/26/2006 4:06:26 PM R S 236880 C:\WINDOWS\SYSTEM32\h6j4lg1q16.dll
WinShutDown 2/25/2006 9:33:26 PM R S 237028 C:\WINDOWS\SYSTEM32\HAICONS.DLL
ad-w-a-r-e.com 2/25/2006 9:33:26 PM R S 237028 C:\WINDOWS\SYSTEM32\HAICONS.DLL
WinShutDown 2/25/2006 9:32:08 PM R S 235828 C:\WINDOWS\SYSTEM32\hrrs0597e.dll
ad-w-a-r-e.com 2/25/2006 9:32:08 PM R S 235828 C:\WINDOWS\SYSTEM32\hrrs0597e.dll
WinShutDown 2/26/2006 1:05:52 PM R S 237028 C:\WINDOWS\SYSTEM32\ISETRES.DLL
ad-w-a-r-e.com 2/26/2006 1:05:52 PM R S 237028 C:\WINDOWS\SYSTEM32\ISETRES.DLL
WinShutDown 3/3/2006 6:48:50 PM R S 235998 C:\WINDOWS\SYSTEM32\l04qlah51d4.dll
WinShutDown 2/26/2006 4:06:28 PM R S 235464 C:\WINDOWS\SYSTEM32\MFI.DLL
WinShutDown 2/26/2006 4:48:36 PM R S 235464 C:\WINDOWS\SYSTEM32\mrcorier.dll
PECompact2 2/8/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/8/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 2/26/2006 12:18:32 PM R S 235828 C:\WINDOWS\SYSTEM32\mw3216.dll
ad-w-a-r-e.com 2/26/2006 12:18:32 PM R S 235828 C:\WINDOWS\SYSTEM32\mw3216.dll
WinShutDown 3/3/2006 7:12:50 PM R S 236749 C:\WINDOWS\SYSTEM32\n4n60e5seh.dll
WinShutDown 3/3/2006 7:10:12 PM R S 236095 C:\WINDOWS\SYSTEM32\ndmsapi.dll
WinShutDown 2/26/2006 2:55:32 PM R S 233417 C:\WINDOWS\SYSTEM32\NIXPNT.DLL
WinShutDown 2/26/2006 2:31:26 PM R S 234993 C:\WINDOWS\SYSTEM32\NKTUI0.DLL
WinShutDown 3/3/2006 7:46:50 PM R S 236823 C:\WINDOWS\SYSTEM32\o8pq0i75e8.dll
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 2/26/2006 2:14:08 PM R S 233417 C:\WINDOWS\SYSTEM32\ROSTAPI.DLL
WinShutDown 3/3/2006 4:18:04 PM R S 235998 C:\WINDOWS\SYSTEM32\UVANDLG.DLL
winsync 8/18/2001 2:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
WinShutDown 2/25/2006 10:25:10 PM R S 237028 C:\WINDOWS\SYSTEM32\wdaudsdk.dll
ad-w-a-r-e.com 2/25/2006 10:25:10 PM R S 237028 C:\WINDOWS\SYSTEM32\wdaudsdk.dll
WinShutDown 2/25/2006 8:32:06 PM R S 235828 C:\WINDOWS\SYSTEM32\wxmioctl.dll
ad-w-a-r-e.com 2/25/2006 8:32:06 PM R S 235828 C:\WINDOWS\SYSTEM32\wxmioctl.dll
WinShutDown 2/26/2006 5:09:42 PM R S 235998 C:\WINDOWS\SYSTEM32\XBCTSRV.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/4/2006 7:57:36 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
2/23/2006 6:43:46 PM S 183296 C:\WINDOWS\NDNuninstall7_22.exe
2/26/2006 4:41:32 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
1/10/2006 7:15:24 PM H 0 C:\WINDOWS\INF\oem8.inf
1/10/2006 7:17:32 PM H 0 C:\WINDOWS\INF\oem9.inf
3/3/2006 8:26:04 PM H 0 C:\WINDOWS\LastGood\INF\oem11.inf
3/3/2006 8:26:06 PM H 0 C:\WINDOWS\LastGood\INF\oem11.PNF
3/3/2006 7:53:22 PM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem11.inf
3/3/2006 7:53:22 PM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem11.PNF
3/3/2006 4:40:24 PM RHS 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
2/20/2006 10:14:14 PM H 97749521 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\download\BIT3.tmp
2/26/2006 2:45:52 PM R S 234773 C:\WINDOWS\SYSTEM32\AASLDP.DLL
2/26/2006 1:51:50 PM R S 233738 C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
2/25/2006 10:07:38 PM R S 235828 C:\WINDOWS\SYSTEM32\AQMFD.DLL
2/26/2006 2:40:02 PM R S 233417 C:\WINDOWS\SYSTEM32\AYIFILE.DLL
3/3/2006 7:12:50 PM R S 236095 C:\WINDOWS\SYSTEM32\btowsewm.dll
2/26/2006 1:58:32 PM R S 237028 C:\WINDOWS\SYSTEM32\DKDXOF.DLL
3/3/2006 10:45:28 AM R S 236013 C:\WINDOWS\SYSTEM32\DSNADDR.DLL
3/4/2006 7:58:02 PM R S 235492 C:\WINDOWS\SYSTEM32\g022lafo1d2c.dll
3/3/2006 7:24:06 PM R S 236095 C:\WINDOWS\SYSTEM32\g4220efoeh2c0.dll
2/26/2006 4:06:26 PM R S 236880 C:\WINDOWS\SYSTEM32\h6j4lg1q16.dll
2/25/2006 9:33:26 PM R S 237028 C:\WINDOWS\SYSTEM32\HAICONS.DLL
2/25/2006 9:32:08 PM R S 235828 C:\WINDOWS\SYSTEM32\hrrs0597e.dll
2/26/2006 1:05:52 PM R S 237028 C:\WINDOWS\SYSTEM32\ISETRES.DLL
3/3/2006 6:48:50 PM R S 235998 C:\WINDOWS\SYSTEM32\l04qlah51d4.dll
2/26/2006 4:06:28 PM R S 235464 C:\WINDOWS\SYSTEM32\MFI.DLL
2/26/2006 4:48:36 PM R S 235464 C:\WINDOWS\SYSTEM32\mrcorier.dll
2/26/2006 12:18:32 PM R S 235828 C:\WINDOWS\SYSTEM32\mw3216.dll
3/3/2006 7:12:50 PM R S 236749 C:\WINDOWS\SYSTEM32\n4n60e5seh.dll
3/3/2006 7:10:12 PM R S 236095 C:\WINDOWS\SYSTEM32\ndmsapi.dll
2/26/2006 2:55:32 PM R S 233417 C:\WINDOWS\SYSTEM32\NIXPNT.DLL
2/26/2006 2:31:26 PM R S 234993 C:\WINDOWS\SYSTEM32\NKTUI0.DLL
3/3/2006 7:46:50 PM R S 236823 C:\WINDOWS\SYSTEM32\o8pq0i75e8.dll
3/3/2006 8:17:40 PM R S 234272 C:\WINDOWS\SYSTEM32\OCBCINT.DLL
3/4/2006 7:58:02 PM R S 234272 C:\WINDOWS\SYSTEM32\rfaenh.dll
2/26/2006 2:14:08 PM R S 233417 C:\WINDOWS\SYSTEM32\ROSTAPI.DLL
3/3/2006 4:18:04 PM R S 235998 C:\WINDOWS\SYSTEM32\UVANDLG.DLL
2/25/2006 10:25:10 PM R S 237028 C:\WINDOWS\SYSTEM32\wdaudsdk.dll
2/25/2006 8:32:06 PM R S 235828 C:\WINDOWS\SYSTEM32\wxmioctl.dll
2/26/2006 5:09:42 PM R S 235998 C:\WINDOWS\SYSTEM32\XBCTSRV.DLL
3/4/2006 7:58:02 PM H 24576 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
3/4/2006 7:58:00 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
3/4/2006 7:57:38 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
3/4/2006 7:58:50 PM H 217088 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
3/4/2006 7:57:44 PM H 827392 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
2/23/2006 7:25:06 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
3/3/2006 6:43:58 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\b40d11ff-45f9-4243-beb3-778ae65f9a69
3/3/2006 6:43:58 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
3/4/2006 7:56:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 2:00:00 PM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
NeoPlanet Inc. 8/21/2001 10:12:38 PM 98304 C:\WINDOWS\SYSTEM32\compaq-rbaPanel.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 2:00:00 PM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 2:00:00 PM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 10/1/2001 11:53:12 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Analog Devices 5/22/2001 12:56:20 PM 236544 C:\WINDOWS\SYSTEM32\SoundMAX.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 2:00:00 PM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/18/2001 2:00:00 PM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Compaq Computer Corporation 3/30/2001 6:32:44 PM 122880 C:\WINDOWS\SYSTEM32\UICONFIG.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/25/2001 2:06:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
10/1/2001 11:50:12 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
3/4/2006 7:52:06 PM 227840 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xhjw.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/25/2001 1:52:54 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
8/25/2001 2:06:22 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
8/25/2001 1:52:54 PM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{9901A2D9-5390-4CCC-846F-D88184BB7FE1} = C:\WINDOWS\system32\AQMFD.DLL
{71FE00BD-15CC-4C07-AA44-9879C005DE8E} = C:\WINDOWS\system32\wdaudsdk.dll
{49E4744B-97D5-4438-AC28-70EC935FC29D} = C:\WINDOWS\system32\PYBASE.DLL
{5A8A22A4-D932-40EA-AB38-1EBCB7367636} = C:\WINDOWS\system32\rfaenh.dll
{BE2AD977-8A8D-4311-A4A5-DE39B07474BF} = C:\WINDOWS\system32\OCBCINT.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fnxsmmsk
{cf32b152-ac4e-4797-9507-bcad1a20ecb5} = C:\WINDOWS\System32\fewqk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{156AFB23-6A31-443C-A1D0-FD418898C11B}
Yvakt Class = C:\WINDOWS\System32\v9gcyb8xi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C67A62C7-A68D-484C-9617-880C1F70D3F7}
RegiFastObj Class = C:\PROGRA~1\RegiFast\RegiFast.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E534A0-A216-FD91-1EF9-FD5A633045B2}
= C:\WINDOWS\System32\urx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CPQEASYACC C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
ATIModeChange Ati2mdxx.exe
WorksFUD
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
srmclean C:\Cpqs\Scom\srmclean.exe
kjldzaxA C:\WINDOWS\kjldzaxA.exe
TheMonitor C:\WINDOWS\SYSC00.exe
MediaGateway C:\Program Files\MediaGateway\MediaGateway.exe
winsync C:\WINDOWS\System32\wicqpp.exe reg_run
eC7YdH8 "C:\WINDOWS\System32\dgfgql.exe"
New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
loadadv64 C:\WINDOWS\System32\loadadv64
ahkw C:\windows\eee2.exe
FT_SilentSudokuInstaller.exe C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
RegiFast C:\Program Files\RegiFast\RFManager.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe
>G9a C:\windows\eee2.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
keyboard C:\\keyboard.exe
mousepad C:\\mousepad.exe
gimmysmileys C:\\gimmysmileys.exe
ms053981316793 C:\WINDOWS\ms053981316793.exe
BrowserUpdateSched C:\WINDOWS\SYSTEM32\twinmrai.exe CORN001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyStartUp c:\Program Files\Microsoft Money\System\Money Startup.exe
SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
= C:\WINDOWS\system32\OCBCINT.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs repairs303169536.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/4/2006 8:08:06 PM



HijackThis Uninstall list:

Ad-Aware SE Personal
Agatha Christie - And Then There Were None
ATI Display Driver
Compaq Advisor
Compaq Wallpaper
CompuServe 2000
Easy Access Button Support
Encarta Online
Enhanced Ads by Zeno removal
HijackThis 1.99.1
InterVideo WinDVD
Macromedia Flash Player 8
McAfee QuickClean 6.0
McAfee SecurityCenter
McAfee VirusScan
MediaGateway
Microsoft .NET Framework 1.1
Microsoft Money 2001
Microsoft Office 97, Professional Edition
Microsoft Works 6.0
Netscape 6 (6.1)
NetWaiting
New.net Domains 7.22
Quicklinks
RealPlayer Basic
RegiFast Software
SoundMAX2
Spy Sweeper
Spybot - Search & Destroy 1.4
Synaptics TouchPad
Windows Overlay Components
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824151
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q817606
Yazzle Sudoku by OIN
Zeno Search Assistant removal


thanks!
Brian

#6 John_McKenna

Posted 05 March 2006 - 11:47 AM

We'll repair the SeDebugPrivilege as part of the following fix.

You may wish to save these instructions to notepad for reference.


Step # 1

RIGHT CLICK HERE and choose "Save Target as" or "Save link location" (depending on your browser).
  • Save DelDomains.inf to your desktop.
  • Ensure ALL Internet Explorer windows are closed.
  • Right click the DelDomains.inf file and click "Install"
Note: If you have the following programs installed, you must re-enable their protections after installing DelDomains:
  • SpywareBlaster's protection must be re-enabled.
  • Spybot's Immunize feature must be used again.
  • IE-SpyAd should be re-installed.
Step # 2

Disconnect from the net and go to Start > Control Panel > Add/Remove Programs and uninstall the following:

MediaGateway
New.net Domains 7.22
Quicklinks
RegiFast Software
Windows Overlay Components
Yazzle Sudoku by OIN
Zeno Search Assistant removal



Step # 3

Run HijackThis again and checkmark the boxes before the following (if still present):-

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

O2 - BHO: Yvakt Class - {156AFB23-6A31-443C-A1D0-FD418898C11B} - C:\WINDOWS\System32\v9gcyb8xi.dll

O2 - BHO: RegiFastObj Class - {C67A62C7-A68D-484C-9617-880C1F70D3F7} - C:\PROGRA~1\RegiFast\RegiFast.dll

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd11.exe

O4 - HKLM\..\Run: [kjldzaxA] C:\WINDOWS\kjldzaxA.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe

O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe

O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe

O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wicqpp.exe reg_run

O4 - HKLM\..\Run: [eC7YdH8] "C:\WINDOWS\System32\dgfgql.exe"

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [win32081316793398] C:\WINDOWS\win32081316793398.exe

O4 - HKLM\..\Run: [ms069813167933] C:\WINDOWS\ms069813167933.exe

O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64

O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe

O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe] C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe

O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\twinmrai.exe CORN001

O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmrai.exe

O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll

O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\fp0003dme.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV3IFVzZXI\command.exe (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kjldzax.exe


Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step # 4

1. Reconnect to the net and download The Avenger and unzip it to your Desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\visfx500.exe
C:\WINDOWS\elos.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xhjw.exe
C:\WINDOWS\SYSTEM32\AASLDP.DLL
C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
C:\WINDOWS\SYSTEM32\AQMFD.DLL
C:\WINDOWS\SYSTEM32\AQMFD.DLL
C:\WINDOWS\SYSTEM32\AYIFILE.DLL
C:\WINDOWS\SYSTEM32\btowsewm.dll
C:\WINDOWS\SYSTEM32\DKDXOF.DLL
C:\WINDOWS\SYSTEM32\DKDXOF.DLL
C:\WINDOWS\SYSTEM32\DSNADDR.DLL
C:\WINDOWS\SYSTEM32\g4220efoeh2c0.dll
C:\WINDOWS\SYSTEM32\h6j4lg1q16.dll
C:\WINDOWS\SYSTEM32\HAICONS.DLL
C:\WINDOWS\SYSTEM32\HAICONS.DLL
C:\WINDOWS\SYSTEM32\hrrs0597e.dll
C:\WINDOWS\SYSTEM32\hrrs0597e.dll
C:\WINDOWS\SYSTEM32\ISETRES.DLL
C:\WINDOWS\SYSTEM32\ISETRES.DLL
C:\WINDOWS\SYSTEM32\l04qlah51d4.dll
C:\WINDOWS\SYSTEM32\MFI.DLL
C:\WINDOWS\SYSTEM32\mrcorier.dll
C:\WINDOWS\SYSTEM32\mw3216.dll
C:\WINDOWS\SYSTEM32\mw3216.dll
C:\WINDOWS\SYSTEM32\n4n60e5seh.dll
C:\WINDOWS\SYSTEM32\ndmsapi.dll
C:\WINDOWS\SYSTEM32\NIXPNT.DLL
C:\WINDOWS\SYSTEM32\NKTUI0.DLL
C:\WINDOWS\SYSTEM32\o8pq0i75e8.dll
C:\WINDOWS\SYSTEM32\ROSTAPI.DLL
C:\WINDOWS\SYSTEM32\UVANDLG.DLL
C:\WINDOWS\SYSTEM32\wdaudsdk.dll
C:\WINDOWS\SYSTEM32\wdaudsdk.dll
C:\WINDOWS\SYSTEM32\wxmioctl.dll
C:\WINDOWS\SYSTEM32\wxmioctl.dll
C:\WINDOWS\SYSTEM32\XBCTSRV.DLL
C:\WINDOWS\system32\AQMFD.DLL
C:\WINDOWS\system32\wdaudsdk.dll
C:\WINDOWS\system32\PYBASE.DLL
C:\WINDOWS\system32\rfaenh.dll
C:\WINDOWS\system32\OCBCINT.DLL
C:\WINDOWS\System32\fewqk.dll
C:\WINDOWS\System32\v9gcyb8xi.dll
C:\WINDOWS\System32\urx.dll
C:\WINDOWS\kjldzaxA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\System32\wicqpp.exe
C:\WINDOWS\System32\dgfgql.exe
C:\windows\eee2.exe
C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe
C:\windows\eee2.exe
C:\keyboard.exe
C:\mousepad.exe
C:\gimmysmileys.exe
C:\WINDOWS\ms053981316793.exe
C:\WINDOWS\SYSTEM32\twinmrai.exe 
C:\WINDOWS\kjldzax.exe
C:\WINDOWS\System32\loadadv64.exe
C:\windows\winsysupd11.exe
C:\windows\winsysban11.exe
C:\WINDOWS\win32081316793398.exe
C:\WINDOWS\ms069813167933.exe

Folders to delete:
C:\Program Files\RegiFast
C:\Program Files\MediaGateway
C:\PROGRA~1\NEWDOT~1
C:\Program Files\SurfSideKick 3
C:\WINDOWS\TmV3IFVzZXI

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {9901A2D9-5390-4CCC-846F-D88184BB7FE1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {71FE00BD-15CC-4C07-AA44-9879C005DE8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {49E4744B-97D5-4438-AC28-70EC935FC29D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {5A8A22A4-D932-40EA-AB38-1EBCB7367636}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {BE2AD977-8A8D-4311-A4A5-DE39B07474BF}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V)
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically perform the following 4 tasks:
  • Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, briefly open a black command window on your desktop, this is normal.
  • After the restart, create a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • Back up everything you've asked it to delete, zip the backups, and move the zip archive to C:\avenger\backup.zip.
Step # 5

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
  • If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Step # 6

Then run the following online virus scan with Internet Explorer (saving the scan report when complete):

Panda ActiveScan
  • Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.
  • Enter your details in the required fields.
  • Then click the big Scan Now button.
  • Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan.
  • Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Step # 7

Then post the following in your next reply please:
  • C:\avenger.txt.
  • C:\Look2Me-Destroyer.txt
  • Online scan results.
  • New HijackThis log.
  • Any problems you encountered.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)
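
An added worked example for the fix above (editor's code, not from this thread and not part of HijackThis or The Avenger): the Step 3 list names the same file under several hooks (v9gcyb8xi.dll as both a BHO and a text/html filter, twinmrai.exe as both a Run entry and a Startup shortcut, eee2.exe under two Run names), and the Avenger script in Step 4 lists several DLLs twice, which is why the log later in the thread shows those second entries failing with status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND). The script below pulls every file path out of a set of HijackThis lines, de-duplicates them case-insensitively, sets aside entries with no recognisable path or already marked "(file missing)", and renders the "Files to delete:" section in the layout the Avenger scripts here use. The sample lines are copied from the Step 3 list; the path regex and its extension list are this example's own assumptions.

```python
"""Build a de-duplicated Avenger-style 'Files to delete:' list from HijackThis lines.

Added example for this thread. The same DLL often appears under several
HijackThis hooks (O2 BHO and O18 filter, O4 Run entry and O4 Startup
shortcut); listing it twice makes the second delete fail.
"""
import re

# Drive-letter path ending in an extension typical of autorun entries.
# Handles quoted paths, the doubled backslash HijackThis prints for files
# at the drive root (C:\\gimmygames11.exe) and trailing arguments such as
# 'reg_run' or ',ClientStartup -s'. The extension list is an assumption
# of this example, not a HijackThis rule.
_PATH_RE = re.compile(
    r'[A-Za-z]:\\\\?'                          # C:\ or C:\\
    r'(?:[^\\/:*?"<>|\r\n]+\\)*'               # zero or more directory segments
    r'[^\\/:*?"<>|\r\n]+?'                     # file name (shortest match)
    r'\.(?:exe|dll|ocx|cpl|scr|vbs|tmp)\b',    # extension
    re.IGNORECASE,
)


def normalise(path):
    """Collapse repeated backslashes so a root-of-drive path written with a
    doubled backslash compares equal to the single-backslash form."""
    return re.sub(r'\\+', r'\\', path)


def extract_paths(lines):
    """Return (unique_paths, unresolved_lines).

    unique_paths keeps input order and first-seen spelling, de-duplicated
    case-insensitively (NTFS is case-insensitive and HijackThis prints
    System32 / SYSTEM32 / system32 exactly as the registry value has it).
    unresolved_lines are entries with no recognisable file path or that
    HijackThis already flagged '(file missing)'; those need a manual look
    rather than a delete line that is bound to fail.
    """
    seen = set()
    unique_paths = []
    unresolved = []
    for line in lines:
        line = line.strip()
        matches = [] if '(file missing)' in line else _PATH_RE.findall(line)
        if not matches:
            unresolved.append(line)
            continue
        for raw in matches:
            path = normalise(raw)
            if path.lower() not in seen:
                seen.add(path.lower())
                unique_paths.append(path)
    return unique_paths, unresolved


def avenger_script(files, folders=()):
    """Render the 'Files to delete:' and optional 'Folders to delete:'
    sections, one path per line under each header, as in the scripts
    posted in this thread."""
    out = ['Files to delete:', *files]
    if folders:
        out += ['', 'Folders to delete:', *folders]
    return '\n'.join(out) + '\n'


# Sample input: lines copied from the Step 3 fix list in the post above.
SAMPLE_FIX_LINES = [
    r'R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll',
    r'O2 - BHO: Yvakt Class - {156AFB23-6A31-443C-A1D0-FD418898C11B} - C:\WINDOWS\System32\v9gcyb8xi.dll',
    r'O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe',
    r'O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wicqpp.exe reg_run',
    r'O4 - HKLM\..\Run: [eC7YdH8] "C:\WINDOWS\System32\dgfgql.exe"',
    r'O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s',
    r'O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64',
    r'O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe',
    r'O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe',
    r'O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\twinmrai.exe CORN001',
    r'O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmrai.exe',
    r'O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll',
    r'O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV3IFVzZXI\command.exe (file missing)',
]

if __name__ == '__main__':
    files, todo = extract_paths(SAMPLE_FIX_LINES)
    print(avenger_script(files, folders=[r'C:\Program Files\SurfSideKick 3']))
    for line in todo:
        print('manual review:', line)
```

Running it on the sample lines yields eight distinct files (the two eee2.exe entries, the two twinmrai.exe entries and the two v9gcyb8xi.dll entries each collapse to one) and two lines for manual review: the loadadv64 entry, which has no extension, and the cmdService entry HijackThis already reports as missing. Registry values still have to be added by hand, as in the original script.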

#7 tornaXsunder

Posted 05 March 2006 - 08:52 PM

1.AVENGER:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xnrwyuxe

*******************

Script file located at: \??\C:\Documents and Settings\pbujeuyj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\visfx500.exe deleted successfully.
File C:\WINDOWS\elos.exe deleted successfully.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xhjw.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\AASLDP.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\ACMPARSE.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\ACMPARSE.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\ACMPARSE.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ACMPARSE.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\AQMFD.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\AQMFD.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\AQMFD.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\AQMFD.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\AYIFILE.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\btowsewm.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\DKDXOF.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\DKDXOF.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\DKDXOF.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DKDXOF.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\DSNADDR.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\g4220efoeh2c0.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\h6j4lg1q16.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\HAICONS.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\HAICONS.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\HAICONS.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\HAICONS.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\hrrs0597e.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\hrrs0597e.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\hrrs0597e.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\hrrs0597e.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\ISETRES.DLL deleted successfully.


File C:\WINDOWS\SYSTEM32\ISETRES.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\ISETRES.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ISETRES.DLL
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\l04qlah51d4.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\MFI.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\mrcorier.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\mw3216.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\mw3216.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\mw3216.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\mw3216.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\n4n60e5seh.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ndmsapi.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\NIXPNT.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\NKTUI0.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\o8pq0i75e8.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ROSTAPI.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\UVANDLG.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\wdaudsdk.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\wdaudsdk.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\wdaudsdk.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\wdaudsdk.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\wxmioctl.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\wxmioctl.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\wxmioctl.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\wxmioctl.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\XBCTSRV.DLL deleted successfully.


File C:\WINDOWS\system32\AQMFD.DLL not found!
Deletion of file C:\WINDOWS\system32\AQMFD.DLL failed!

Could not process line:
C:\WINDOWS\system32\AQMFD.DLL
Status: 0xc0000034



File C:\WINDOWS\system32\wdaudsdk.dll not found!
Deletion of file C:\WINDOWS\system32\wdaudsdk.dll failed!

Could not process line:
C:\WINDOWS\system32\wdaudsdk.dll
Status: 0xc0000034



File C:\WINDOWS\system32\PYBASE.DLL not found!
Deletion of file C:\WINDOWS\system32\PYBASE.DLL failed!

Could not process line:
C:\WINDOWS\system32\PYBASE.DLL
Status: 0xc0000034

File C:\WINDOWS\system32\rfaenh.dll deleted successfully.


File C:\WINDOWS\system32\OCBCINT.DLL not found!
Deletion of file C:\WINDOWS\system32\OCBCINT.DLL failed!

Could not process line:
C:\WINDOWS\system32\OCBCINT.DLL
Status: 0xc0000034

File C:\WINDOWS\System32\fewqk.dll deleted successfully.
File C:\WINDOWS\System32\v9gcyb8xi.dll deleted successfully.
File C:\WINDOWS\System32\urx.dll deleted successfully.


File C:\WINDOWS\kjldzaxA.exe not found!
Deletion of file C:\WINDOWS\kjldzaxA.exe failed!

Could not process line:
C:\WINDOWS\kjldzaxA.exe
Status: 0xc0000034

File C:\WINDOWS\SYSC00.exe deleted successfully.
File C:\WINDOWS\System32\wicqpp.exe deleted successfully.
File C:\WINDOWS\System32\dgfgql.exe deleted successfully.
File C:\windows\eee2.exe deleted successfully.
File C:\WINDOWS\System32\FT_SilentSudokuInstaller.exe deleted successfully.


File C:\windows\eee2.exe not found!
Deletion of file C:\windows\eee2.exe failed!

Could not process line:
C:\windows\eee2.exe
Status: 0xc0000034

File C:\keyboard.exe deleted successfully.
File C:\mousepad.exe deleted successfully.
File C:\gimmysmileys.exe deleted successfully.
File C:\WINDOWS\ms053981316793.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\twinmrai.exe deleted successfully.


File C:\WINDOWS\kjldzax.exe not found!
Deletion of file C:\WINDOWS\kjldzax.exe failed!

Could not process line:
C:\WINDOWS\kjldzax.exe
Status: 0xc0000034



File C:\WINDOWS\System32\loadadv64.exe not found!
Deletion of file C:\WINDOWS\System32\loadadv64.exe failed!

Could not process line:
C:\WINDOWS\System32\loadadv64.exe
Status: 0xc0000034

File C:\windows\winsysupd11.exe deleted successfully.
File C:\windows\winsysban11.exe deleted successfully.


File C:\WINDOWS\win32081316793398.exe not found!
Deletion of file C:\WINDOWS\win32081316793398.exe failed!

Could not process line:
C:\WINDOWS\win32081316793398.exe
Status: 0xc0000034



File C:\WINDOWS\ms069813167933.exe not found!
Deletion of file C:\WINDOWS\ms069813167933.exe failed!

Could not process line:
C:\WINDOWS\ms069813167933.exe
Status: 0xc0000034

Folder C:\Program Files\RegiFast deleted successfully.
Folder C:\Program Files\MediaGateway deleted successfully.
Folder C:\PROGRA~1\NEWDOT~1 deleted successfully.
Folder C:\Program Files\SurfSideKick 3 deleted successfully.
Folder C:\WINDOWS\TmV3IFVzZXI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{9901A2D9-5390-4CCC-846F-D88184BB7FE1} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{71FE00BD-15CC-4C07-AA44-9879C005DE8E} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{49E4744B-97D5-4438-AC28-70EC935FC29D} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{5A8A22A4-D932-40EA-AB38-1EBCB7367636} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{BE2AD977-8A8D-4311-A4A5-DE39B07474BF} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




2. Look2Me-Destroyer:


Look2Me-Destroyer V1.0.7

Scanning for infected files.....
Scan started at 3/5/2006 7:49:06 PM

Infected! C:\WINDOWS\system32\g022lafo1d2c.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\g022lafo1d2c.dll
C:\WINDOWS\system32\g022lafo1d2c.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





3. ONLINE SCAN RESULTS

Incident Status Location

Spyware:Spyware/Media-motor Not disinfected C:\avenger\backup.zip[eee2.exe]
Spyware:Spyware/Media-motor Not disinfected C:\avenger\backup.zip[elos.exe]
Spyware:Spyware/Media-motor Not disinfected C:\avenger\backup.zip[eee2.exe]
Adware:Adware/PurityScan Not disinfected C:\avenger\backup.zip[urx.dll]
Adware:Adware/ClkOptimizer Not disinfected C:\avenger\backup.zip[wicqpp.exe]
Adware:Adware/DollarRevenue Not disinfected C:\avenger\backup.zip[winsysban11.exe]
Adware:Adware/DollarRevenue Not disinfected C:\avenger\backup.zip[winsysupd11.exe]
Adware:Adware/ClkOptimizer Not disinfected C:\avenger\backup.zip[xhjw.exe]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\New User\Application Data\Sskcwrd.dll
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\New User\Cookies\new user@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\New User\Cookies\new user@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\New User\Cookies\new user@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\New User\Cookies\new user@adopt.hbmediapro[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\New User\Cookies\new user@cassava[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\New User\Cookies\new user@stats1.reliablestats[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\New User\Cookies\new user@winfixer[1].txt
Adware:adware/purityscan Not disinfected C:\Documents and Settings\New User\Local Settings\Temp\!update.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\New User\Local Settings\Temp\i9.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\New User\Local Settings\Temp\temp.fr045B\VCClient.exe
Adware:Adware/BroadcastPC Not disinfected C:\DR21206.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe
Adware:Adware/DollarRevenue Not disinfected C:\gimmygames11.exe
Adware:Adware/ClkOptimizer Not disinfected C:\installerwebnex.exe
Adware:Adware/SearchAid Not disinfected C:\Program Files\Network Monitor\netmon.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\DH.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload2.dat
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\gimmygames11.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WINDOWS\offun.exe
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pms111x.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\surv3.exe
Adware:Adware/ClkOptimizer Not disinfected C:\WINDOWS\SYSTEM32\pakgw.dat
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\whAgent.inf




4. NEW HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:32 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\New User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [ms053981316793] C:\WINDOWS\ms053981316793.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137110696801
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll
O20 - AppInit_DLLs: repairs303169536.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe




5. PROBLEMS ENCOUNTERED

Everything seemed to go pretty well... I wasn't sure if gimmie smileys was the same thing as gimmie games or not, so I didn't remove it through HijackThis. But since gimmie games is still on the computer, I'm guessing it might be? I'll wait for your advice before deleting anything, though.

thanks! :thumbsup:
Brian

#8 John_McKenna

Posted 05 March 2006 - 09:18 PM

Before we go any further Brian, can you try running BlackLight again now the SeDebugPrivilege has been restored.

It would appear you've had a new bundle of malware dumped on the system. :thumbsup:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#9 tornaXsunder

Posted 06 March 2006 - 06:21 AM

I was able to run BlackLight this time... but it didn't seem to find anything.


FSBL LOG:

03/06/06 06:10:48 [Info]: BlackLight Engine 1.0.33 initialized
03/06/06 06:10:48 [Info]: OS: 5.1 build 2600 (Service Pack 1)
03/06/06 06:10:50 [Note]: 7019 4
03/06/06 06:10:50 [Note]: 7005 0
03/06/06 06:12:38 [Note]: 7006 0
03/06/06 06:12:38 [Note]: 7011 208
03/06/06 06:12:41 [Note]: FSRAW library version 1.7.1015
03/06/06 06:15:40 [Note]: 4017 13175
03/06/06 06:15:40 [Note]: 4027 13175 863436800
03/06/06 06:15:40 [Note]: 4020 5 0
03/06/06 06:15:40 [Note]: 4018 5 0
03/06/06 06:18:08 [Note]: 7007 0

#10 John_McKenna

Posted 06 March 2006 - 08:27 AM

That's good news. Round 2!! :thumbsup:

You may wish to save these instructions to notepad or print them out for use while in Safe Mode.

Step # 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download ATF Cleaner to your desktop.

Download and install Ewido Anti-Malware.
  • When installing Ewido, under "Additional Options" uncheck "Install Background Guard" and "Install Scan Via Context Menu".
  • Launch Ewido by double-clicking the desktop icon and click 'OK' at the "Database could not be found!" warning.
  • Click "Update" on the left side of the main screen to update the definitions file.
  • Then click "Start Update".
  • When you receive the "Update successful" prompt, close the program for use later.
Step # 2

Run HijackThis again and checkmark the boxes before the following:-

(if SpySweeper questions the changes, please allow them)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe

O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe

O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe

O4 - HKLM\..\Run: [ms053981316793] C:\WINDOWS\ms053981316793.exe

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll

O20 - AppInit_DLLs: repairs303169536.dll

Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step # 3

Reboot into Safe Mode now please.

Go to Start > Control Panel > Add/Remove Programs and uninstall the following if present:

Network Monitor
Enhanced Ads by Zeno removal


Then use Windows Explorer to locate & delete the following files/folders in bold:

C:\keyboard.exe
C:\mousepad.exe
C:\gimmysmileys.exe
C:\DR21206.exe
C:\drsmartload1.exe
C:\gimmygames11.exe
C:\installerwebnex.exe
C:\WINDOWS\ms053981316793.exe
C:\WINDOWS\DH.dll
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\gimmygames11.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\pms111x.exe
C:\WINDOWS\surv3.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\whAgent.inf
C:\WINDOWS\System32\v9gcyb8xi.dll
C:\WINDOWS\SYSTEM32\pakgw.dat
C:\Documents and Settings\New User\Application Data\Sskcwrd.dll

C:\Program Files\SurfSideKick 3\
C:\Program Files\Common Files\VCClient\
C:\Program Files\Network Monitor\


Step # 4

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step # 5

Launch Ewido Anti-Malware.
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin.
  • Warning: Do NOT open any other windows or your Control Panel while scanning as it may prevent scan completion!!
  • When prompted to clean the first infection, select "Remove" and checkmark the box beside "Perform action on all infections" in the left corner.
  • Upon scan completion, click the Save report button and save the report.txt to your desktop.
  • Then close Ewido and post the scan results please.
Step # 6

Reboot and run Panda again (saving the scan report when complete):

Panda ActiveScan
  • Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.
  • Enter your details in the required fields.
  • Then click the big Scan Now button.
  • Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan.
  • Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Step # 7

Then post the following in your next reply please:
  • New HijackThis log.
  • Ewido scan results.
  • Online scan results.
  • Any problems you encountered.

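The entries John picks out above share a few traits that do not depend on recognising the specific adware: autorun executables launched from the root of C:\ (the C:\\ form in the log), generated-looking names with long digit runs, a text/html filter and an AppInit_DLLs entry, and a URLSearchHook whose DLL is already gone. As an added example, not part of the thread and not HijackThis's own code, here is a Python triage pass that applies those heuristics to log lines quoted from this thread; THREAD_KNOWN_BAD is a constructed list of names this thread tied to the infection.

```python
import re

# HijackThis log lines copied from the thread above: the entries John marked for
# "Fix Checked" plus a few legitimate ones, so the heuristics have something to leave alone.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [ms053981316793] C:\WINDOWS\ms053981316793.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter: text/html - {F4C522E0-5BD5-407B-99A3-5A435DB6694A} - C:\WINDOWS\System32\v9gcyb8xi.dll
O20 - AppInit_DLLs: repairs303169536.dll
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" style lines; other O4 forms (Startup folders) are skipped.
HJT_LINE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable sitting directly in the drive root, e.g. C:\keyboard.exe or the
# doubled-backslash form C:\\keyboard.exe that appears in the log above.
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\\\?[^\\\s"]+\.(?:exe|dll|bat|vbs|scr)"?(?:\s|$)', re.IGNORECASE)
LONG_DIGIT_RUN = re.compile(r"\d{6,}")
# Constructed from this thread: component names its scans and logs tied to the infection.
THREAD_KNOWN_BAD = ("surfsidekick", "vcclient", "gimmy")


def triage(log_text):
    """Return a list of {section, line, reasons} for the entries that deserve a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        lowered = body.lower()
        reasons = []
        if section == "O4":
            run = O4_RUN.match(body)
            if run:
                cmd = run.group("cmd")
                if ROOT_EXE.match(cmd):
                    reasons.append("autorun executable sits in the drive root, not under Program Files or WINDOWS")
                if LONG_DIGIT_RUN.search(cmd):
                    reasons.append("file name carries a long digit run, typical of generated drop names")
            if any(tok in lowered for tok in THREAD_KNOWN_BAD):
                reasons.append("name matches a component this thread identified as adware")
        elif section == "O18" and lowered.startswith("filter: text/html"):
            reasons.append("text/html MIME filter: rare on a clean system and sees every page IE renders")
        elif section == "O20" and lowered.startswith("appinit_dlls:"):
            reasons.append("AppInit_DLLs entry: loaded into every process that links user32.dll")
        elif section == "R3" and "(file missing)" in lowered:
            reasons.append("URLSearchHook points at a DLL that no longer exists: orphaned registration")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

The heuristics only rank entries for a human to review; a legitimate installer can also drop a file in C:\, so each hit still needs the path checked before it is fixed.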

#11 John_McKenna

Posted 18 March 2006 - 05:03 AM

Due to a lack of feedback, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#12 John_McKenna

Posted 20 March 2006 - 03:32 AM

Topic re-opened upon request. :thumbsup:

#13 tornaXsunder

Posted 21 March 2006 - 07:17 AM

Hey John,

Thank you for re-opening the topic! :thumbsup:

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\New User\Application Data\Sskknwrd.dll
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\New User\Cookies\new user@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\New User\Cookies\new user@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\New User\Cookies\new user@adopt.hbmediapro[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\New User\Cookies\new user@cassava[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\New User\Cookies\new user@winfixer[1].txt
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\SYSTEM32\dwdsregt.exe
Adware:Adware/Zenosearch Not disinfected C:\ZICORN001.exe

HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:14 PM, on 3/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\New User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137110696801
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe





I still can't find a way to get rid of SurfSideKick... Are there any type of programs that can get rid of a program whether it is being used by the computer or not? I've tried running it in Safe Mode and even used some programs that were supposed to delete it on startup before it had a chance to run... but for some reason it just won't go away.

thanks! and sorry again for the delay
Brian

#14 John_McKenna

Posted 21 March 2006 - 09:48 AM

Still a few stragglers in there. :thumbsup:

Step # 1

Download Killbox to your desktop.

Update your Spy Sweeper definitions.

Step # 2

Reboot into Safe Mode now please.

Run HijackThis again and checkmark the boxes before the following:-

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe


Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step # 3

Double-click killbox.exe

Click Tools > Delete Temp Files.

Click the drop down menu in the middle and select C:\Documents and Settings\New User from the list.

Now check/tick the boxes beside the following options above the drop down menu:

[x] Temporary Internet Files
[x] Temp Files
[x] Cookies
[x] XP Prefetch
[x] Recent
[x] History

Then click the Delete Selected Temp Files button.

Back on the main Killbox menu now, select the option "Delete on reboot" and then click the All Files button.

Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:

C:\Documents and Settings\New User\Application Data\Sskknwrd.dll
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\SYSTEM32\dwdsregt.exe
C:\ZICORN001.exe


Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.

Then press the red button with a white X in it.

Killbox will tell you that all listed files will be deleted on next reboot and ask if you wish to reboot now, click Yes.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Step # 4

Once back in Windows, scan with Spy Sweeper and then another online scan at Panda.

Post a fresh HJT log and Panda results when done please. :flowers:
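Killbox's "Delete on reboot" option works by queuing the deletions for Windows to carry out during the next boot, before the file can be loaded again, which is why it reaches files that refuse to go while they are in use; Windows keeps that queue in the registry value named in the error message above (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ). As an added example, not Killbox's code and not from the thread, this Python script decodes the value's pair format, queues the four paths from the step above the same way, and reports which queued deletions are missing, the check to make before rebooting when the "Removed by External Process" message appears; the rename entry and the example.dll path in the sample are constructed.

```python
from dataclasses import dataclass

# Registry location Windows processes at boot; this is the value the Killbox message
# "PendingFileRenameOperations Registry Data has been Removed by External Process!" refers to.
PFRO_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # paths in the value carry the NT object-manager prefix \??\


@dataclass
class PendingOp:
    kind: str                      # "delete" or "rename"
    src: str
    dst: str = ""
    replace_existing: bool = False


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(multi_sz):
    """Decode the REG_MULTI_SZ list: strings come in (source, destination) pairs; an empty
    destination means delete, and a leading '!' on the destination means replace an
    existing target (the way MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records it)."""
    entries = list(multi_sz)
    if len(entries) % 2 and entries[-1] == "":   # tolerate a stray terminator string
        entries.pop()
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations has an odd number of strings")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src)))
        else:
            ops.append(PendingOp("rename", _strip_nt_prefix(src),
                                 _strip_nt_prefix(dst.lstrip("!")), dst.startswith("!")))
    return ops


def queue_delete(multi_sz, path):
    """Return a new list with `path` queued for deletion on the next boot."""
    return list(multi_sz) + [NT_PREFIX + path, ""]


def missing_deletions(multi_sz, expected_paths):
    """Paths you queued that are no longer in the value, i.e. what the Killbox message warns about."""
    queued = {op.src.lower() for op in parse_pending_ops(multi_sz) if op.kind == "delete"}
    return [p for p in expected_paths if p.lower() not in queued]


def read_live_pending_ops():
    """Read the real value on a Windows host; returns [] when nothing is queued."""
    import winreg   # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PFRO_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PFRO_VALUE)
        except FileNotFoundError:
            return []
    return parse_pending_ops(value)


# Constructed sample: the four paths from the Killbox step above, queued as Killbox would,
# after one constructed rename of the kind an installer leaves behind.
KILLBOX_PATHS = [
    r"C:\Documents and Settings\New User\Application Data\Sskknwrd.dll",
    r"C:\WINDOWS\keyboard1.dat",
    r"C:\WINDOWS\SYSTEM32\dwdsregt.exe",
    r"C:\ZICORN001.exe",
]
SAMPLE_MULTI_SZ = [r"\??\C:\WINDOWS\TEMP\update.tmp", r"!\??\C:\WINDOWS\system32\example.dll"]
for _path in KILLBOX_PATHS:
    SAMPLE_MULTI_SZ = queue_delete(SAMPLE_MULTI_SZ, _path)


if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_MULTI_SZ):
        print(op)
    # An empty value is what the "Removed by External Process" message describes.
    print("not queued:", missing_deletions([], KILLBOX_PATHS))
```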

#15 tornaXsunder

Posted 21 March 2006 - 05:32 PM

Panda scan:

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\New User\Application Data\Sskuknwrd.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk



HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 5:27:36 PM, on 3/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\New User\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [mcvsshld.exe] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe -regserver
O4 - HKLM\..\RunOnce: [vsoupd.dll] rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\vso\vsoupd.dll
O4 - HKLM\..\RunOnce: [SpySweeper_BT01] "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137110696801
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe




that surfsidekick sure is stubborn!

