Hijackthis Log Please Help Diagnose


  • This topic is locked
21 replies to this topic

#1 meeps

meeps

  • Members
  • 11 posts

Posted 30 March 2006 - 09:52 AM

Hello,

I am working on an XP Pro Dell Latitude D610. I've been inundated with pop-ups ever since clicking on a weblink. I've run MS AntiSpyware Beta, Spybot, and Adaware (Free version). They indicate that the programs have been deleted but I still get the pop-ups. Please let me know if there is any other information you need from me. I would appreciate it if someone can analyze my log file. Thanks!!

meeps.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:54 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad6.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\jfgkeavA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\DCE4DDE1E3E2E7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\skrde.exe
F2 - REG:system.ini: UserInit=userinit.exe,egxhpby.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname6.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w1361190.dll] RUNDLL32.EXE w1361190.dll,I2 0000077801361190
O4 - HKLM\..\Run: [jfgkeavA] C:\WINDOWS\jfgkeavA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKLM\..\Run: [8B938C9092919695] DCE4DDE1E3E2E7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j2j60c1sef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
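The log above shows the hijack points a responder would look at first: the system.ini Shell= and UserInit= values carry an extra executable, a BHO and a text/html filter share the same DLL, a Winlogon Notify entry loads a random-named DLL from system32, and several Run entries launch files straight from the Windows root or by bare name. The script below is an added example, not part of the thread or of HijackThis itself: it parses a few constructed lines copied from this log and flags those patterns. The host allowlist and the random-name test are assumptions of this example, not HijackThis logic.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the first HijackThis
# v1.99.1 log in this thread (one entry per line, "Oxx - description").
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\skrde.exe
F2 - REG:system.ini: UserInit=userinit.exe,egxhpby.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
O4 - HKLM\..\Run: [8B938C9092919695] DCE4DDE1E3E2E7.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j2j60c1sef.dll
"""

# Assumed allowlist: the vendor-default hosts that appear in this log's
# IE start/search settings. Anything else in an R0/R1 entry gets flagged.
KNOWN_HOSTS = {"www.microsoft.com", "home.microsoft.com",
               "www.google.com", "www.dell.com"}


def looks_random(filename):
    """Heuristic (an assumption of this example): a module name that mixes
    letters and digits, or has no vowels at all, matches the naming pattern
    of the Look2Me-style DLLs seen in this thread (w9seq, j2j60c1sef)."""
    stem = filename.rsplit(".", 1)[0]
    has_digit = any(c.isdigit() for c in stem)
    has_vowel = any(c in "aeiouy" for c in stem.lower())
    return has_digit or not has_vowel


def split_path(value):
    """Return (directory, filename) for a quoted or unquoted Windows path
    that may be followed by command-line arguments or '(file missing)'."""
    value = value.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        # Unquoted command: the module ends at the first .exe/.dll.
        m = re.match(r"(.*?\.(?:exe|dll))", value, re.IGNORECASE)
        value = m.group(1) if m else value.split(" ", 1)[0]
    directory, _, filename = value.rpartition("\\")
    return directory, filename


def triage(log_text):
    """Return a list of (reason, log line) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, body = line.partition(" - ")
        if kind in ("R0", "R1") and " = " in body:
            # Start/search page pointing somewhere other than a vendor default.
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host and host not in KNOWN_HOSTS:
                findings.append(("IE start/search setting points to unexpected host", line))
        elif kind == "F2" and "Shell=" in body:
            # The shell value should be exactly Explorer.exe and nothing else.
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("system.ini Shell= launches more than Explorer.exe", line))
        elif kind == "F2" and "UserInit=" in body:
            # Every comma-separated entry must be userinit.exe (any directory).
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if any(p.lower().rpartition("\\")[2] != "userinit.exe" for p in parts):
                findings.append(("UserInit= runs an extra program at logon", line))
        elif kind == "O4" and "Run:" in body:
            # Legitimate software lives under Program Files or system32, not
            # as a bare name or directly in the Windows root.
            directory, _ = split_path(body.split("]", 1)[1])
            if not directory or directory.lower() == r"c:\windows":
                findings.append(("Run entry launches a bare name or a file in the Windows root", line))
        elif kind in ("O2", "O18", "O20"):
            _, filename = split_path(body.rsplit(" - ", 1)[1])
            if looks_random(filename):
                findings.append(("BHO/filter/Winlogon Notify DLL has a random-looking name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Entries the script does not flag (NavLogon.dll, Apoint.exe, the Google start page) are the ones a helper would normally leave alone; the flagged set matches the items Look2Me-Destroyer and the later manual cleanup in this thread remove.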

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 30 March 2006 - 10:25 AM

Hello and welcome.. Let's get started. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Look2Me-Destroyer.exe to your desktop.

Before continuing with the fix there is something you must do:
  • Click Start -> Run and type in: services.msc
  • Check that the following services are running and that their startup is set to automatic:
  • Seclogon, or Secondary logon service
  • Next your machine needs to be offline, manually disconnect the network cable if necessary.
  • Your antivirus, and every other security software MUST be disabled.
Now continue:
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Re-connect back to the internet.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :flowers:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

#3 meeps

meeps
  • Topic Starter

  • Members
  • 11 posts

Posted 30 March 2006 - 10:38 AM

Great, Thanks Rawe!

But in much haste, I've already gone in and started removing items from the Hijack list. I am an IT chick but by no means profess to be an expert. I removed most of the dlls that had cryptic names, is all. Below is another copy of my log. I hope I didn't screw anything up!

meeps.
---------------

Logfile of HijackThis v1.99.1
Scan saved at 10:34:15 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad6.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\skrde.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname6.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\j2j60c1sef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 meeps

meeps
  • Topic Starter

  • Members
  • 11 posts

Posted 30 March 2006 - 10:59 AM

Hi Rawe,

Here are the results of the L2M run and the latest Hijack run (and I have yet to see a pop-up!). How'd I do?

-meeps.

---------------


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 3/30/2006 10:49:02 AM

Infected! C:\WINDOWS\system32\j2j60c1sef.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039039.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039045.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039108.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039251.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039257.dll
Infected! C:\WINDOWS\system32\en80l1lm1.dll
Infected! C:\WINDOWS\system32\j2j60c1sef.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\j2j60c1sef.dll
C:\WINDOWS\system32\j2j60c1sef.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039039.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039039.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039045.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039045.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039108.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP203\A0039108.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039251.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039251.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039257.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP205\A0039257.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en80l1lm1.dll
C:\WINDOWS\system32\en80l1lm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j2j60c1sef.dll
C:\WINDOWS\system32\j2j60c1sef.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B6A2D5CC-C582-49A8-B371-BFF821250E7A}"
HKCR\Clsid\{B6A2D5CC-C582-49A8-B371-BFF821250E7A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1F0B988C-6CC5-4BD8-92E9-E195C7FF1F72}"
HKCR\Clsid\{1F0B988C-6CC5-4BD8-92E9-E195C7FF1F72}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:59:41 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad6.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\skrde.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname6.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by meeps, 30 March 2006 - 11:01 AM.
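The F2 and O4 lines in the log above are the ones a helper reads first: both system.ini values (Shell= and UserInit=) carry a second executable after the stock one, and seven Run entries start programs straight out of C:\WINDOWS with no vendor folder. As an added example that is not part of this thread or of HijackThis itself, the Python script below applies exactly those two checks to a subset of the posted log (lines copied verbatim), so the same triage can be repeated on any HijackThis 1.99 log. The function names (triage, check_f2, check_o4, image_path) and the heuristics are this example's own; the expected Shell and UserInit programs are those of a stock Windows XP install.

```python
"""Triage of a HijackThis 1.99 log for two hijack patterns seen in the post
above: F2 system.ini Shell/UserInit values that launch extra executables, and
O4 Run entries that start a program straight out of the Windows root folder.
Added example: the heuristics are not part of HijackThis."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed subset of the posted log; each line is verbatim from the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\skrde.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname6.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code ("F2" or "O4")
    reason: str   # why the entry was flagged
    line: str     # the offending log line, verbatim


F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# The only program each system.ini key launches on a stock Windows XP install.
EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}


def image_path(command: str) -> str:
    """Return the executable path of a Run value without its arguments."""
    command = command.strip()
    if command.startswith('"'):  # quoted: the path ends at the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first executable extension.
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def check_f2(line: str) -> Optional[Finding]:
    """Flag Shell= or UserInit= values that list anything beyond the stock program."""
    m = F2_RE.match(line)
    if not m:
        return None
    key, value = m.groups()
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in programs if PureWindowsPath(p).name.lower() != EXPECTED[key]]
    if not extras:
        return None
    return Finding("F2", f"{key} also launches: {', '.join(extras)}", line)


def check_o4(line: str) -> Optional[Finding]:
    """Flag Run entries whose image sits directly in the Windows root (no vendor folder)."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, command = m.groups()
    path = PureWindowsPath(image_path(command))
    parts = [p.lower() for p in path.parts]  # e.g. drive, 'windows', 'keyboard6.exe'
    if len(parts) == 3 and parts[1] in ("windows", "winnt"):
        return Finding("O4", f"{hive} Run value [{name}] starts {path.name} from the Windows root", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every check over every line; findings come back in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        for check in (check_f2, check_o4):
            finding = check(raw.strip())
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it prints the nine findings from the excerpt (two F2 hijacks and seven Run entries in C:\WINDOWS). A program in the Windows root is a triage hint rather than a verdict, since a few legitimate installers drop files there too, so each hit should still be checked against the running-process list and the file's vendor before anything is removed.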


#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 30 March 2006 - 11:01 AM

Hi; let's continue. :thumbsup:

You do have some infections left; that was only Look2Me which we removed.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-Malware
  • Install Ewido Anti-malware
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

==

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

4. Once in Safe Mode, Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#6 meeps

meeps
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 30 March 2006 - 12:09 PM

Ok, this time, I hope it's complete. I've run all the programs and have included the log files below (ewido and hijack). Thanks,

Meeps.
--------------

p.s. - I got a pop-up as I was typing this reply.... :(
:thumbsup:

Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:59:11 AM, 3/30/2006
+ Report-Checksum: 6D12712F

+ Scan result:

HKU\S-1-5-21-2544376339-2820386884-2762103172-4263\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
C:\315502.exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\gerald_wright\Cookies\gerald_wright@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Sandra_Williams\Application Data\Mozilla\Firefox\Profiles\8mrp5azy.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Cookies\sandra_williams@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Cookies\sandra_williams@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Cookies\sandra_williams@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\!update.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@eztracks.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@roispy[1].txt -> TrackingCookie.Roispy : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Cookies\sandra_williams@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\echo.exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\F0F4E.tmp/slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\F0F4E.tmp/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\i18.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\i4D.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\MONEY1.exe -> Downloader.Adload.t : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\temp.fr8700 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\temp.frAD1D -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Sandra_Williams\Local Settings\Temp\Transpd.dll -> Adware.Agent : Cleaned with backup
C:\HijackThis\backups\backup-20060330-100101-620.dll -> Adware.Suggestor : Cleaned with backup
C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Program Files\FCAdvice\FCAdvice.dll -> Adware.CASClient : Cleaned with backup
C:\Program Files\FCAdvice\FCAdvice.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\16E7A1DB-84E7-40E7-A658-1BB6CA.asq -> Downloader.Qoologic.bj : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\533CBB64-B9F0-4F98-9FFB-554781\5C4BDA21-D339-427D-AA20-DAD8FC -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7BE8D60E-837C-4F62-A8CD-4ECCCB\14F32C38-552A-4FD2-B001-039B7F -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\CheckS02.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\getnexus.exe -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\jfgkeav.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\mynexus.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\system32\DCE4DDE1E3E2E7.exe -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\dt16gt.dLL -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\iypcq.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\jfbacmah.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\jiayvek.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sandra_williams@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sandra_williams@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sandra_williams@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\WINDOWS\webnexus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:01:59 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#7 Rawe

Posted 30 March 2006 - 11:29 PM

Hi.. You have quite a few other infections there left. :thumbsup:

BUT, it's looking a whole lot better now.

==

Create a folder in your C:\ - drive. Name it blacklight

Then please do the following:

Download and save Blacklight to the folder you made earlier (C:\blacklight):
  • Click Start -> Run and type in: CMD
  • In the cmd.exe box that pops up, write in: c:\blacklight\blbeta.exe /expert (notice there's a space before c:\blacklight... and a single space between blbeta.exe and /expert)
  • Hit Enter.
  • Accept the agreement.
  • Click Scan.
  • Click Next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there. :flowers:
Hi there, stranger!

#8 meeps (Topic Starter)

Posted 31 March 2006 - 12:28 PM

Hi.. You have quite a few other infections there left. :thumbsup:

BUT, it's looking a whole lot better now.


Tell me about it....
:flowers:

Okay. Below please find the BlackLight log as well as the latest HijackThis log. THANKS!

--------------------------------------------------------------------------------------------------

Blacklight log scan:

03/31/06 12:15:26 [Info]: BlackLight Engine 1.0.33 initialized
03/31/06 12:15:26 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/31/06 12:15:26 [Note]: 7019 4
03/31/06 12:15:26 [Note]: 7005 0
03/31/06 12:15:35 [Note]: 7006 0
03/31/06 12:15:35 [Note]: 7022 0
03/31/06 12:15:35 [Note]: 7011 3804
03/31/06 12:15:35 [Note]: FSRAW library version 1.7.1015
03/31/06 12:19:28 [Note]: 7007 0

--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------

Latest Hijack Scan:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:12 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Altigen\AltiView\AltiView.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Servicom\Servicom.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by meeps, 31 March 2006 - 12:29 PM.


#9 Rawe

Posted 31 March 2006 - 12:51 PM

Hmm.. BlackLight didn't find what I was looking for.

Uninstall the following entry through Add/Remove programs if present:

EQAdvice

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINDOWS\System32\egxhpby.exe
C:\WINDOWS\ms05624308-1474.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\ms044624308-147.exe
C:\WINDOWS\ms0624308-14746.exe
C:\WINDOWS\system32\dbayev.exe

Folders to delete:
C:\Program Files\EQAdvice\


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • Restarts your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it briefly opens a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :thumbsup:
Hi there, stranger!
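The Avenger script above was written by hand from the HijackThis log: the extra name on the F2 UserInit line, the O4 Run entries pointing at oddly named executables sitting directly in C:\WINDOWS or in system32, and the O16 control pulled from a bare IP address. The following Python helper is an added example, not code from the thread, from HijackThis or from The Avenger; it applies those same three heuristics to HJT log lines and renders the file hits as an Avenger "Files to delete:" block. The sample lines are copied from the log posted earlier in this thread; the function names, the small system32 allowlist, and the choice to resolve a bare UserInit name next to Userinit.exe are this example's own assumptions.

```python
"""Heuristic triage of HijackThis 1.99.x log lines (added example, not code from
HijackThis, The Avenger or the thread's posters; heuristics and names are assumptions)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
"""

@dataclass
class Finding:
    section: str  # HJT section: F2, O4 or O16
    path: str     # file path (F2/O4) or CAB URL (O16)
    reason: str
    line: str

# Binaries that legitimately autorun from %WINDIR%\system32 on this box (assumption).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "wltray.exe", "wltray"}
_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
_O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?P<friendly> \([^)]*\))? - (?P<url>\S+)")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def _exe_from_command(cmd: str) -> str:
    """Executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def _win_dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def _check_f2(m, line):
    """Anything after userinit.exe in the UserInit value runs at every interactive logon."""
    entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
    hits = []
    for extra in entries[1:]:
        # Assumption: a bare name is resolved next to Userinit.exe, as Rawe's script did.
        path = extra if "\\" in extra else _win_dirname(entries[0]) + "\\" + extra
        hits.append(Finding("F2", path, "extra UserInit entry (logon persistence)", line))
    return hits

def _check_o4(m, line):
    exe = _exe_from_command(m.group("cmd"))
    parent, base = _win_dirname(exe).lower(), exe.rsplit("\\", 1)[-1].lower()
    if parent == r"c:\windows":
        return [Finding("O4", exe, "autorun binary dropped directly in %WINDIR%", line)]
    if parent == r"c:\windows\system32" and base not in KNOWN_SYSTEM32_AUTORUNS:
        return [Finding("O4", exe, "unrecognised autorun binary in system32", line)]
    return []

def _check_o16(m, line):
    url = m.group("url")
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    if _IPV4_RE.match(host):
        return [Finding("O16", url, "ActiveX CAB served from a bare IP address", line)]
    if not m.group("friendly"):
        return [Finding("O16", url, "ActiveX control with no friendly name", line)]
    return []

def triage(log_text: str) -> list:
    """Run the three checks over every line; hits come back in log order."""
    findings = []
    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if m := _F2_RE.match(line):
            findings += _check_f2(m, line)
        elif m := _O4_RE.match(line):
            findings += _check_o4(m, line)
        elif m := _O16_RE.match(line):
            findings += _check_o16(m, line)
    return findings

def avenger_script(findings: list) -> str:
    """Render file hits as an Avenger 'Files to delete:' block (O16 URLs are not files)."""
    files = []
    for f in findings:
        if f.section in ("F2", "O4") and f.path not in files:
            files.append(f.path)
    return "Files to delete:\n" + "\n".join(files) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.section}] {h.path}  <- {h.reason}")
    print(avenger_script(hits))
```

Two caveats worth noting. The EQAdvice entry is deliberately not flagged: it lives under Program Files with a sensible name, and Rawe only knew to remove it because the earlier ewido run had already identified the related adware, so heuristics like these narrow the list but do not replace the helper's judgement, exactly as his BlackLight warning about legitimate items says. And when The Avenger reports "Status: 0xc0000034" for a path, that NTSTATUS value is STATUS_OBJECT_NAME_NOT_FOUND: the file was already gone at reboot (removed by an earlier tool, or present under a different name), not protected from deletion, so a stale registry reference such as the UserInit entry still has to be cleaned up separately.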

#10 meeps (Topic Starter)

Posted 31 March 2006 - 02:52 PM

Ok, here are the Avenger and HijackThis log files...

Tell me whatcha got!

-meeps.

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rspbxqih

*******************

Script file located at: \??\C:\Documents and Settings\envrqpqc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\System32\egxhpby.exe not found!
Deletion of file C:\WINDOWS\System32\egxhpby.exe failed!

Could not process line:
C:\WINDOWS\System32\egxhpby.exe
Status: 0xc0000034

File C:\WINDOWS\ms05624308-1474.exe deleted successfully.
File C:\WINDOWS\errorhandler.exe deleted successfully.


File C:\WINDOWS\ms044624308-147.exe not found!
Deletion of file C:\WINDOWS\ms044624308-147.exe failed!

Could not process line:
C:\WINDOWS\ms044624308-147.exe
Status: 0xc0000034



File C:\WINDOWS\ms0624308-14746.exe not found!
Deletion of file C:\WINDOWS\ms0624308-14746.exe failed!

Could not process line:
C:\WINDOWS\ms0624308-14746.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dbayev.exe not found!
Deletion of file C:\WINDOWS\system32\dbayev.exe failed!

Could not process line:
C:\WINDOWS\system32\dbayev.exe
Status: 0xc0000034



Folder C:\Program Files\EQAdvice not found!
Deletion of folder C:\Program Files\EQAdvice failed!

Could not process line:
C:\Program Files\EQAdvice
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

---------------------------------------------------------------------
---------------------------------------------------------------------


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:48:05 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Altigen\AltiView\AltiView.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 31 March 2006 - 03:23 PM

Ugh, this just reminds me how I hate Qoologic infections.. :thumbsup:

==

Please download FindQool by LonnyRJones:
  • Extract the files and place the FindQool folder in root. Usually C:\
  • Open the folder and run Qlocate.bat.
  • Post the contents of the txt.log which will open.

Hi there, stranger!

#12 meeps

meeps
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 31 March 2006 - 04:07 PM

Yikes! I'm sorry you feel that way. But I can definitely see why :thumbsup: And to make matters worse, I was not able to extract the FindQool files on account of their being password protected. You have another copy?

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 31 March 2006 - 04:22 PM

Password protected?

Try this attachment
Hi there, stranger!

#14 meeps

meeps
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 31 March 2006 - 04:55 PM

Oops. My bad. I realized that I'd typed in c:findqool instead of c:\findqool when I tried to extract the files...

Anyhoo....

Below is the latest and greatest (FindQool and HijackThis logs):

Holla at a sistah.

--------------------------------------------------------------------------------------


Fri 03/31/2006
Running from: C:\findqool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

C:\WINDOWS\UNWN.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
"yplrg"="C:\\WINDOWS\\system32\\dbayev.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006


********************************************HijackThis:*********************************************

Logfile of HijackThis v1.99.1
Scan saved at 4:51:23 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Altigen\AltiView\AltiView.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Servicom\Servicom.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AltiView.lnk = C:\Program Files\Altigen\AltiView\AltiView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download.aligo.com/CitrixAccess/ICA...ca32/wficat.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://h2webserver/projectserver/objects/pjclient.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://h2webserver/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aligo.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aligo.net
O17 - HKLM\Software\..\Telephony: DomainName = aligo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aligo.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 31 March 2006 - 05:18 PM

Let's try the following (I'm not that good with REGEDIT -- we'll see if this works at all). Copy/paste the text in the quotebox below into a blank Notepad file. Name it killqoo.reg and save it to your desktop, making sure the filetype is set to "All Files".

REGEDIT4

; Removes the LDVPMenu context-menu handler and its CLSID registration.
; Note: {BDA77241-42F6-11d0-85E2-00AA001FE28C} is the CLSID of Symantec
; AntiVirus's own shell-scan extension (LDVPMenu), which falls under the
; "legit files might be listed" warning in the FindQool output above.
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]

[-HKEY_CLASSES_ROOT\CLSID\{BDA77241-42F6-11d0-85E2-00AA001FE28C}]

; Resets the Winlogon values so that only userinit.exe runs at logon.
; The trailing comma is the stock Windows XP value; the appended
; egxhpby.exe from the F2 line is what this entry is meant to drop.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,"


Now double-click on Killqoo.reg on your desktop and answer YES when it asks you to merge this data with registry.

==

Run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ms044624308-147] C:\WINDOWS\ms044624308-147.exe
O4 - HKLM\..\Run: [ms0624308-14746] C:\WINDOWS\ms0624308-14746.exe
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.

==

Post back with a fresh HijackThis log as well as a fresh FindQool log. :thumbsup:
Hi there, stranger!
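The post above hand-picks the entries to fix from the HijackThis log; the following is an added example (not from the thread, HijackThis or FindQool) of the same triage done mechanically. It parses a handful of lines constructed from the logs posted in this thread and flags the persistence patterns seen there: an extra program appended to the Winlogon Userinit value (F2), autorun executables dropped in the %WINDIR% root or under an ms<digits> run-key name (O4), the reg_run argument on the HKCU autorun, and an ActiveX (O16 DPF) download from a bare IP address. The indicator rules, regexes and the clean_userinit helper are my own assumptions written for this example, not a signature set; hits are leads to verify, not verdicts.

```python
"""Triage a HijackThis v1.99 log for the persistence patterns seen in this thread.

Added example, not code from the thread or from HijackThis. The indicators are
hand-written heuristics (assumptions for this example), not a signature database.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the logs posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,egxhpby.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ms05624308-1474] C:\WINDOWS\ms05624308-1474.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [yplrg] C:\WINDOWS\system32\dbayev.exe reg_run
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "F2", "O4", "O16"
    reason: str   # why the line was flagged
    line: str     # the original log line


# Heuristic patterns (assumptions for this example, derived from the logs above).
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)   # exe directly in C:\WINDOWS
MS_DIGITS_NAME = re.compile(r"^ms\d+-\d+$", re.I)                      # ms05624308-1474 style names
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:/|$)", re.I)
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}(?: \([^)]*\))? - (?P<url>\S+)$", re.I)
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.I)


def userinit_extras(value: str) -> list[str]:
    """Entries in the comma-separated Userinit value other than userinit.exe itself.

    Winlogon runs every entry in this list at logon, so anything after the first
    one (e.g. egxhpby.exe in the log above) is an extra program.
    """
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts[1:] if p]


def clean_userinit(value: str) -> str:
    """Return the Userinit value reduced to userinit.exe plus the stock trailing comma."""
    return value.split(",")[0].strip() + ","


def _command_path(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or not, arguments stripped."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis log lines and return the entries matching the heuristics."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            for extra in userinit_extras(value):
                findings.append(Finding("F2", f"extra program in Userinit: {extra}", line))
            continue
        m = O4_LINE.match(line)
        if m:
            path = _command_path(m.group("cmd"))
            if WINDIR_ROOT_EXE.match(path):
                findings.append(Finding("O4", f"autorun executable in %WINDIR% root: {path}", line))
            if MS_DIGITS_NAME.match(m.group("name")):
                findings.append(Finding("O4", f"ms<digits> run-key name: {m.group('name')}", line))
            if m.group("cmd").rstrip().endswith(" reg_run"):
                findings.append(Finding("O4", "reg_run argument on autorun entry", line))
            continue
        m = O16_LINE.match(line)
        if m and BARE_IP_URL.match(m.group("url")):
            findings.append(Finding("O16", f"ActiveX download from bare IP: {m.group('url')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample above this flags the F2 Userinit line, all four dropped O4 entries and the bare-IP O16 download, and leaves Apoint, ctfmon, the eBLVD control and NavLogon alone. After the fix, feeding the fresh log back through it should return nothing for F2, and clean_userinit gives the value the Winlogon key should hold.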



