Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Stop Pop-up, Delete Mniseq.dll And P4p60e7seh.dll


  • This topic is locked This topic is locked
13 replies to this topic

#1 johnsxt

johnsxt

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 30 April 2006 - 11:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:50:43 PM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vhfiffy.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lvrq0995e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 01 May 2006 - 01:51 AM

Please download Atribune's Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 01 May 2006 - 03:33 PM

I ran the program and it seems like it did delete most of them successfully. Thanks alot. Here is the result and the report generated by
Look2Me-Destroyer V1.0.12.

Scanning for infected files.....
Scan started at 5/1/2006 3:12:02 PM

Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020718.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020719.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020720.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020721.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020722.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020723.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020724.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020725.dll
Infected! C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020726.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020718.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020718.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020719.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020719.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020720.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020720.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020721.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020721.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020722.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020722.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020723.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020723.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020724.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020724.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020725.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020725.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020726.dll
C:\System Volume Information\_restore{ABAB22E7-1995-48E3-B3F4-4C4F1D915C6E}\RP30\A0020726.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

============================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 3:22:58 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vhfiffy.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 01 May 2006 - 04:33 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vhfiffy.exe


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 01 May 2006 - 11:31 PM

Here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 11:26:37 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spy-Ad-Ware-Fighters\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vhfiffy.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 02 May 2006 - 12:38 AM

The F2 entries are still there. Reboot into Safe Mode by tapping F8 after the BIOS has loaded and repeat my last instructions. Boot back into Normal Mode when done and post a fresh HJT log.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 02 May 2006 - 12:37 PM

I tried it twice in safe mode but the F2 entries won't remove. Here is the result.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:52 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Soua.INSPIRON8200\Desktop\Download Utilities\HiJackThis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vhfiffy.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 02 May 2006 - 01:28 PM

I'm not sure whether it's spywareguard that may be causing the problem. Let's try something else first. Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#9 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 02 May 2006 - 04:24 PM

Here is the result from hijackthis and report from ewido. Ewido has trouble deleting Qoologic.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:37 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spy-Ad-Ware-Fighters\Ewido Anti-Malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Soua.INSPIRON8200\Desktop\Download Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\klxfu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vhfiffy.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Spy-Ad-Ware-Fighters\Ewido Anti-Malware\ewidoctrl.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

===============================================

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:04:11 PM, 5/2/2006
+ Report-Checksum: 755C6554

+ Scan result:

[1384] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Cleaned with backup
[2128] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2256] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2284] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2440] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2452] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2484] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2744] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[3748] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[2480] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
[3560] C:\WINDOWS\system32\bjgbmik.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Soua.INSPIRON8200\Application Data\Mozilla\Firefox\Profiles\jz2ggjn8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Cookies\soua@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Cookies\soua@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Cookies\soua@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Cookies\soua@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Soua.INSPIRON8200\Local Settings\Temp\Cookies\soua@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA8.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA9.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAA.tmp -> TrackingCookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAC.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD.tmp -> TrackingCookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAE.tmp -> TrackingCookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp -> TrackingCookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp -> TrackingCookie.Adserver : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\mousepad13.exe -> Hijacker.VB.mo : Cleaned with backup
C:\WINDOWS\system32\aaveh.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Cookies\soua@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\5RAE6YTR\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup


::Report End

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 02 May 2006 - 04:34 PM

Yeah, it's the latest variant. Do this for me. Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#11 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 03 May 2006 - 10:58 PM

I think It looks a lot better now but maybe you can tell me if it is. One thing I did notice is that I no longer get pop-up which is a good sign. Follow is the HiJackThis result.

Logfile of HijackThis v1.99.1
Scan saved at 10:48:37 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spy-Ad-Ware-Fighters\Ewido Anti-Malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Soua.INSPIRON8200\Desktop\Download Utilities\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy-Ad-Ware-Fighters\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144711517984
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Spy-Ad-Ware-Fighters\Ewido Anti-Malware\ewidoctrl.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 04 May 2006 - 12:11 AM

Yes that's clean now. Is it still running OK?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#13 johnsxt

johnsxt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 04 May 2006 - 10:36 AM

Yes, it does run a lot better now but how can I tell if all the problems are fixed by looking at the log above. When reading the log what are things I should look for.

#14 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:39 PM

Posted 04 May 2006 - 10:59 AM

It takes a long time and a lot of logs to gain the experience to be able to see when it's clean. Your best bet is to come to a forum like this if you are having problems.

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users