I Need Help With Internet Explorer Popups!


  • This topic is locked
36 replies to this topic

#1 helpme203230239

helpme203230239

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 29 March 2006 - 11:33 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:30:39 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\win32079071682627.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\regedit.exe
C:\Program Files\Common Files\?racle\nopdb.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfxny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iafqjxp.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [qtabmt] C:\WINDOWS\qtabmt.exe
O4 - HKLM\..\Run: [bufqx] C:\WINDOWS\bufqx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [win32079071682627] C:\WINDOWS\win32079071682627.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ieugzv] C:\WINDOWS\system32\ikgivfs.exe r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [mifm] C:\PROGRA~1\COMMON~1\mifm\mifmm.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [Ztzgalny] C:\Program Files\Common Files\?racle\nopdb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\n26qlcj51fo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EX

please tell me what to delete


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 30 March 2006 - 08:40 AM

Hello and welcome.. Let's get started. :thumbsup:

==

Create a folder on your C:\ drive. Name it blacklight.

Then please do the following:

Download and save Blacklight to the folder you made earlier (C:\blacklight):
  • Click Start -> Run and type in: CMD
  • In the cmd.exe box that pops up, write in: c:\blacklight\blbeta.exe /expert (notice there's a space before c:\blacklight... and a single space between blbeta.exe and /expert)
  • Hit Enter.
  • Accept the agreement.
  • Click Scan.
  • Click Next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there. :flowers:
Hi there, stranger!

#3 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 01 April 2006 - 01:34 PM

When I get to the part about opening it, it gives me an error saying "F-Secure BlackLight was unable to acquire necessary privileges (SeDebugPrivilege)".

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 01 April 2006 - 01:45 PM

Hi again.. Let's check something:

Please download NTrights.zip by freeatlast.
If you can't access it, download NTrights.zip via here: http://www10.brinkster.com/expl0iter/freea.../dumprights.htm
Save it on your desktop.
Unzip/extract it.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Open the NTrights-folder
Double click on the Debug.bat file to run it, follow any prompts it asks.

REBOOT

Double-click the Debug.bat again after reboot.

It will create a log.
If the log says:
"Granting SeDebugPrivilege to Administrators ... successful", you should be able to run F-Secure BlackLight.
Hi there, stranger!

#5 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 01 April 2006 - 09:51 PM

I did everything you said to with the debug thing and it did give me a message saying it was successful, but I then tried to launch BlackLight and it gave me the same error. :thumbsup:

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 02 April 2006 - 04:22 AM

Yep, I missed something. We need to clean up the infection which prevents you from having debug privileges first. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Look2Me-Destroyer to your desktop.

Before continuing with the fix there is something you must do:
  • Click Start -> Run and type in: services.msc
  • Check that the following services are running and that their startup is set to automatic:
  • Seclogon, or Secondary logon service
  • Next, your machine needs to be offline; manually disconnect the network cable if necessary.
  • Your antivirus, and every other security software MUST be disabled.
Now continue:
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Re-launch your Anti-virus/Firewall protection.
  • Re-connect back to the internet.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :flowers:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
Hi there, stranger!

#7 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 02 April 2006 - 11:53 AM

OK, I did everything you said to do.


Infected! C:\WINDOWS\system32\hr8605lse.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0116126.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117201.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117217.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117221.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117281.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117291.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0117346.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118356.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118360.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118384.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118388.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118412.dll
Infected! C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118422.dll
Infected! C:\WINDOWS\system32\dfnput8.dll
Infected! C:\WINDOWS\system32\dnr6019se.dll
Infected! C:\WINDOWS\system32\dnrm0191e.dll
Infected! C:\WINDOWS\system32\fp6003jme.dll
Infected! C:\WINDOWS\system32\hr8605lse.dll
Infected! C:\WINDOWS\system32\kt2ql7f51.dll
Infected! C:\WINDOWS\system32\kydcz1.dll
Infected! C:\WINDOWS\system32\l2l60c3sef.dll
Infected! C:\WINDOWS\system32\n22ulcf91f2.dll
Infected! C:\WINDOWS\system32\pch.dll
Infected! C:\WINDOWS\system32\r68s0gl7e6q.dll
Infected! C:\WINDOWS\system32\s488lelu1hq8.dll
Infected! C:\WINDOWS\system32\s8puli7918.dll
Infected! C:\WINDOWS\system32\sbmedia.dll
Infected! C:\WINDOWS\system32\swrrun.dll
Infected! C:\WINDOWS\system32\uarvpa.dll
Infected! C:\WINDOWS\system32\vnpodbc.dll
Infected! C:\WINDOWS\system32\wgiprop.dll
Infected! C:\WINDOWS\system32\wkhisn.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\hr8605lse.dll
C:\WINDOWS\system32\hr8605lse.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0116126.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0116126.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117201.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117201.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117217.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117217.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117221.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP668\A0117221.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117281.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117281.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117291.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP669\A0117291.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0117346.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0117346.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118356.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118356.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118360.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118360.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118384.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118384.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118388.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP671\A0118388.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118412.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118412.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118422.dll
C:\System Volume Information\_restore{BD02E70D-E5AF-4CF7-A004-33E36224CFCB}\RP672\A0118422.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dfnput8.dll
C:\WINDOWS\system32\dfnput8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnr6019se.dll
C:\WINDOWS\system32\dnr6019se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnrm0191e.dll
C:\WINDOWS\system32\dnrm0191e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp6003jme.dll
C:\WINDOWS\system32\fp6003jme.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr8605lse.dll
C:\WINDOWS\system32\hr8605lse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kt2ql7f51.dll
C:\WINDOWS\system32\kt2ql7f51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kydcz1.dll
C:\WINDOWS\system32\kydcz1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l2l60c3sef.dll
C:\WINDOWS\system32\l2l60c3sef.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n22ulcf91f2.dll
C:\WINDOWS\system32\n22ulcf91f2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\pch.dll
C:\WINDOWS\system32\pch.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r68s0gl7e6q.dll
C:\WINDOWS\system32\r68s0gl7e6q.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s488lelu1hq8.dll
C:\WINDOWS\system32\s488lelu1hq8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s8puli7918.dll
C:\WINDOWS\system32\s8puli7918.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sbmedia.dll
C:\WINDOWS\system32\sbmedia.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\swrrun.dll
C:\WINDOWS\system32\swrrun.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uarvpa.dll
C:\WINDOWS\system32\uarvpa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vnpodbc.dll
C:\WINDOWS\system32\vnpodbc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wgiprop.dll
C:\WINDOWS\system32\wgiprop.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wkhisn.dll
C:\WINDOWS\system32\wkhisn.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{86A4B4AD-E545-40F6-A864-A105A2B138D0}"
HKCR\Clsid\{86A4B4AD-E545-40F6-A864-A105A2B138D0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B79F0656-CA78-4AD5-AA2B-CFF3FB078B7B}"
HKCR\Clsid\{B79F0656-CA78-4AD5-AA2B-CFF3FB078B7B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



~ HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 11:51:29 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\win32079071682627.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\regedit.exe
C:\Program Files\Common Files\?racle\nopdb.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfxny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iafqjxp.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [qtabmt] C:\WINDOWS\qtabmt.exe
O4 - HKLM\..\Run: [bufqx] C:\WINDOWS\bufqx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [win32079071682627] C:\WINDOWS\win32079071682627.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ieugzv] C:\WINDOWS\system32\ikgivfs.exe r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [mifm] C:\PROGRA~1\COMMON~1\mifm\mifmm.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [Ztzgalny] C:\Program Files\Common Files\?racle\nopdb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


That is it.. I haven't seen a popup yet... but you tell me what to do. :thumbsup:

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 02 April 2006 - 12:22 PM

You still have a few infections there.. Please try running BlackLight again, with the same instructions as earlier -- I believe it's going to work this time. :thumbsup:
Hi there, stranger!
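As an added helper (not part of this thread or of any tool mentioned in it), the Python script below does what Rawe is doing by eye between the log in #1 and the log in #7: it parses HijackThis entry lines, diffs the two scans, pulls the extra programs out of the F2 Shell=/UserInit= values, and flags the entry types that get loaded by winlogon or IE rather than from a visible Run key. The two sample logs are constructed, abridged copies of lines posted above.

```python
import re

# One HijackThis line: a type tag ("R0", "F2", "O4", "O20", ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")

# Entry types loaded by winlogon.exe or IE itself. An unrecognised file in one of
# these is the persistence that survives deleting the visible O4 Run entries.
HIGH_RISK_TYPES = {
    "F2": "system.ini Shell=/UserInit= override: extra programs run at every logon",
    "O18": "text/html filter DLL is loaded into every page IE renders",
    "O20": "Winlogon Notify DLL is loaded into winlogon.exe before the user logs on",
}

# Constructed, abridged copies of the logs posted in #1 and #7 of this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:30:39 PM, on 3/29/2006
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfxny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iafqjxp.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\n26qlcj51fo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:51:29 AM, on 4/2/2006
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfxny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iafqjxp.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_entries(log):
    """Return {(type, body)} for every HijackThis entry line; header lines are skipped."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """(removed, added): entries that disappeared / appeared between two scans, sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def extra_logon_programs(log):
    """Programs appended to the F2 Shell=/UserInit= values beyond the Windows defaults.

    On a clean XP box Shell is exactly Explorer.exe and UserInit is exactly
    userinit.exe followed by a trailing comma, so anything after the first
    comma-separated item is an added logon program.
    """
    extras = []
    for typ, body in parse_entries(log):
        if typ != "F2":
            continue
        _, _, value = body.partition("=")   # value: "Explorer.exe, C:\...\wfxny.exe"
        items = [p.strip() for p in value.split(",") if p.strip()]
        extras.extend(items[1:])
    return sorted(extras)


def flag_high_risk(log):
    """(type, body, reason) for every entry whose type is in HIGH_RISK_TYPES, sorted."""
    return sorted(
        (typ, body, HIGH_RISK_TYPES[typ])
        for typ, body in parse_entries(log)
        if typ in HIGH_RISK_TYPES
    )


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by the cleanup:")
    for typ, body in removed:
        print(f"  {typ} - {body}")
    print("new since the cleanup:")
    for typ, body in added:
        print(f"  {typ} - {body}")
    print("extra logon programs:", extra_logon_programs(LOG_AFTER))
    for typ, body, why in flag_high_risk(LOG_AFTER):
        print(f"[{typ}] {body}\n      -> {why}")
```

Run it on two full logs saved as text files to get the same diff for a real before/after pair; the igfxcui Notify entry stays flagged on purpose, since the type, not the filename, is what the triage keys on.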

#9 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 02 April 2006 - 04:31 PM

OK.. I ran BlackLight and here is the log.

04/02/06 16:22:54 [Info]: BlackLight Engine 1.0.33 initialized
04/02/06 16:22:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/02/06 16:22:54 [Note]: 7019 4
04/02/06 16:22:54 [Note]: 7005 0
04/02/06 16:22:57 [Note]: 7006 0
04/02/06 16:22:57 [Note]: 7022 0
04/02/06 16:22:57 [Note]: 7011 1644
04/02/06 16:22:58 [Note]: FSRAW library version 1.7.1015
04/02/06 16:28:10 [Note]: 7007 0

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 03 April 2006 - 07:12 AM

Nothing special there.

Let's continue. :thumbsup:

You can delete BlackLight, Look2Me-Destroyer and NTRights.zip if you wish.

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Do NOT run this program yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.


==

Run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#11 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 04 April 2006 - 03:44 PM

Well, I did what you asked, and here's the HijackThis log first.

~
Logfile of HijackThis v1.99.1
Scan saved at 3:39:23 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\win32079071682627.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Common Files\?racle\nopdb.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wfxny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iafqjxp.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [qtabmt] C:\WINDOWS\qtabmt.exe
O4 - HKLM\..\Run: [bufqx] C:\WINDOWS\bufqx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [win32079071682627] C:\WINDOWS\win32079071682627.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ieugzv] C:\WINDOWS\system32\ikgivfs.exe r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [mifm] C:\PROGRA~1\COMMON~1\mifm\mifmm.exe
O4 - HKCU\..\Run: [Ztzgalny] C:\Program Files\Common Files\?racle\nopdb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


~~here's the ewido report

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:35:02 AM, 4/4/2006
+ Report-Checksum: 2966C02A

+ Scan result:

HKLM\SOFTWARE\Classes\WinAdToolsX.Installer -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinAdToolsX.Installer\CLSID -> Adware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-1177238915-484763869-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup
HKU\S-1-5-21-1177238915-484763869-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} -> Adware.ZangoSearch : Cleaned with backup
HKU\S-1-5-21-1177238915-484763869-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1177238915-484763869-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8} -> Adware.Generic : Cleaned with backup
C:\315502.exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\pynix.cab/Pynix.dll -> Adware.DlMax : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\rndrcus.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\thnall1r.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Owner\My Documents\ѕуstem32\regedit.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3620E668-99A3-482F-9519-273667\636983E9-C20D-4328-85C2-FCCD8A -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A3AA26A0-F456-42B4-8051-1B9790\85D984C7-35B3-4908-87AA-E43083 -> Adware.DlMax : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B04C580B-1288-4CFE-8C24-A45703\60124ED6-0165-4FBE-9BCD-C2B4F0 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C2E722A1-8B47-4038-8AE3-DE9E02\05238C84-E325-49A4-A6D1-52B536 -> Adware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C2E722A1-8B47-4038-8AE3-DE9E02\4A05AC2F-B356-4CEB-B90E-B6DE29 -> Adware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DE859F43-377F-4C6F-965D-FCA48F\4EF3E9E9-CA2B-4AE6-AC9D-51DBCC -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E74E96A6-D036-4E24-8364-C98A9F\2BD96EA1-8EE2-435C-AC0E-A14894 -> Adware.ImiBar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\ED207400-EE71-414A-BDFB-B788D8\D0685107-AC5E-4C50-8B74-00A5FD -> Adware.DlMax : Cleaned with backup
C:\temp\WinAdCtlInstPack.exe -> Adware.WinAD : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\keyboard6.exe -> Downloader.VB.zo : Cleaned with backup
C:\WINDOWS\mousepad6.exe -> Hijacker.VB.ly : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\newname6.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qjdsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 05 April 2006 - 05:45 AM

Hi again :thumbsup:

Please download FindQool by LonnyRJones:
  • Extract the files and place the FindQool folder in root. Usually C:\
  • Open the folder and run Qlocate.bat.
  • Post the contents of the txt.log which will open.

Hi there, stranger!

#13 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 05 April 2006 - 06:42 PM

I downloaded the program you said to. I unzipped the program to my desktop with WinZip and went to open the qlocate.bat folder, but at the top it says "this uttility cannot run unless unziped", so what should I do now? :thumbsup:

Edited by helpme203230239, 05 April 2006 - 06:43 PM.


#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 PM

Posted 06 April 2006 - 02:40 AM

Are you sure you ran it from the unzipped folder?
Hi there, stranger!

#15 helpme203230239

helpme203230239
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:37 AM

Posted 06 April 2006 - 05:26 PM

Yes... I clicked on the program... which was the WinZip logo... and WinZip popped up and I unzipped it to my desktop.



