
Surf Sidekick 3 Problem!


  • This topic is locked
31 replies to this topic

#1 Arbriel


Posted 13 May 2006 - 02:00 AM

Like sjaded39 I followed your directions and those of Major Geeks and nothing has worked so far.
Here is my HJT log:
PS-- I also, looking at the log of sjaded, think I have a lot of extra junk on here....


Logfile of HijackThis v1.99.1
Scan saved at 11:39:32 PM, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\alg.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=userinit.exe,rxtlilq.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: (no name) - {C094EC90-5314-4A1F-917A-9EE66A743F94} - C:\Program Files\Messenger\horedom.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [{10-03-35-5C-ZN}] C:\winnt\system32\pqdsregn.exe FI002
O4 - HKLM\..\Run: [w067be59.dll] RUNDLL32.EXE w067be59.dll,I2 000c919e0067be59
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CCZoop05.exe
O4 - HKLM\..\Run: [sys01120519844-] C:\WINNT\sys01120519844-.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [VSL04.exe] C:\WINNT\system32\VSL04.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazb
O4 - HKCU\..\Run: [Rms] C:\WINNT\s?curity\cmd.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\system32\irssyncd.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\kwinrqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: repairs303169584.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


#2 Rawe


Posted 13 May 2006 - 04:40 AM

Nice collection.. Welcome aboard. Let's get started :thumbsup:

==

Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk ( C: )" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folders, then double-click on QooFix.bat.
Choose option 1# (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.

==

Once finished:

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folders, then double-click on sidekickFix.bat.
Click YES and follow the prompts, when prompted to restart the PC please do so.
Then please post back with a fresh HijackThis log by using AddReply.

We'll clean up the rest after this. :flowers:

==

#3 Arbriel


Posted 13 May 2006 - 10:52 PM

OKay, All done!
Sorry it took so long, had to work today...
What next?
Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 8:45:08 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\thiselt.exe
C:\winnt\system32\pqdsregn.exe
C:\WINNT\CCZoop05.exe
C:\WINNT\sys01120519844-.exe
C:\Program Files\sder\dees.exe
C:\WINNT\s?curity\cmd.exe
C:\WINNT\system32\kwinrqaf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,rxtlilq.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: (no name) - {C094EC90-5314-4A1F-917A-9EE66A743F94} - C:\Program Files\Messenger\horedom.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [{10-03-35-5C-ZN}] C:\winnt\system32\pqdsregn.exe FI002
O4 - HKLM\..\Run: [w067be59.dll] RUNDLL32.EXE w067be59.dll,I2 000c919e0067be59
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CCZoop05.exe
O4 - HKLM\..\Run: [sys01120519844-] C:\WINNT\sys01120519844-.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\kwinrqaf.exe FI002
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [VSL04.exe] C:\WINNT\system32\VSL04.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazb
O4 - HKCU\..\Run: [Rms] C:\WINNT\s?curity\cmd.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\system32\irssyncd.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\kwinrqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks,
Arbriel

#4 Rawe


Posted 14 May 2006 - 01:26 AM

Well, let's continue.. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Through Control Panel -> Add/Remove programs, uninstall these entries (if any of them are present):

PuritySCAN By OIN
OIN
OuterInfo


IF there are no entries listed on Add/Remove programs, please download and run this uninstaller:

OiUninstaller.exe

==

2. Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

4. Once in Safe Mode, Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

5. Run a scan with HijackThis and check the following objects for removal if present:

O2 - BHO: (no name) - {C094EC90-5314-4A1F-917A-9EE66A743F94} - C:\Program Files\Messenger\horedom.dll
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [{10-03-35-5C-ZN}] C:\winnt\system32\pqdsregn.exe FI002
O4 - HKLM\..\Run: [w067be59.dll] RUNDLL32.EXE w067be59.dll,I2 000c919e0067be59
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CCZoop05.exe
O4 - HKLM\..\Run: [sys01120519844-] C:\WINNT\sys01120519844-.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\kwinrqaf.exe FI002
O4 - HKCU\..\Run: [VSL04.exe] C:\WINNT\system32\VSL04.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\kwinrqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

6. Navigate to, and delete the following folder if present:

C:\Program Files\PurityScan

Empty recycle bin.

==

7. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :flowers:
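The objects checked above are the entry classes that stand out in Arbriel's first log. As an added example (not from the thread, HijackThis, or any BleepingComputer tool), the Python script below parses HijackThis 1.99.1 log lines and flags those classes: extra programs appended to the winlogon Shell/UserInit strings (F2), autoruns that run straight from the Windows directory, via rundll32 with a bare DLL name, or from a path containing an unusual character (O4), Trusted Zone additions (O15), ActiveX controls fetched from a bare-IP host (O16) and AppInit_DLLs (O20). The heuristics are mine; the sample lines are copied from the first log in this thread plus one benign QuickTime entry and one benign O16 entry.

```python
"""Triage of HijackThis 1.99.1 log lines (added example, not HijackThis logic).
Flags F2 winlogon hijacks, suspicious O4 autoruns, O15, bare-IP O16 and O20."""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "F2", "O4"
    reason: str   # why the entry was flagged
    line: str     # the original log line

# Every HijackThis entry has the shape "<section> - <payload>".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
F2_RE = re.compile(r"^REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-F-]+\} \(.*\) - (\S+)$", re.IGNORECASE)
O20_RE = re.compile(r"^AppInit_DLLs: (\S.*)$")
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
WINDOWS_ROOT_EXE_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+\.exe$")

# Windows XP defaults for the two winlogon strings; anything appended is extra.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def _split_command(command: str):
    """Split an O4 command line into (program, arguments)."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def _check_f2(payload: str, line: str) -> List[Finding]:
    m = F2_RE.match(payload)
    if not m:
        return []
    key = m.group(1).lower()
    names = [_basename(p) for p in m.group(2).split(",") if p.strip()]
    extra = [n for n in names if n not in EXPECTED[key]]
    return [Finding("F2", f"{key} hijack: extra program(s) {extra}", line)] if extra else []

def _check_o4(payload: str, line: str) -> List[Finding]:
    m = O4_RE.match(payload)
    if not m:
        return []  # Startup-folder O4 entries are outside these heuristics
    program, args = _split_command(m.group(1))
    found = []
    if WINDOWS_ROOT_EXE_RE.match(program.lower()):
        found.append(Finding("O4", "autorun placed directly in the Windows directory", line))
    if _basename(program) == "rundll32.exe" and "\\" not in args.split(",")[0]:
        found.append(Finding("O4", "rundll32 loads a DLL by bare name (search-path dependent)", line))
    if "?" in program:  # HijackThis prints a non-ASCII path character as "?"
        found.append(Finding("O4", "unusual character in path (lookalike of a system folder)", line))
    return found

def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry in a HijackThis log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank and "Running processes" lines
        section, payload = m.groups()
        if section == "F2":
            findings += _check_f2(payload, line)
        elif section == "O4":
            findings += _check_o4(payload, line)
        elif section == "O15" and payload.startswith("Trusted Zone: "):
            findings.append(Finding("O15", "site added to the IE Trusted Zone", line))
        elif section == "O16":
            d = O16_RE.match(payload)
            if d and BARE_IP_URL_RE.match(d.group(1)):
                findings.append(Finding("O16", "ActiveX control fetched from a bare-IP host", line))
        elif section == "O20" and O20_RE.match(payload):
            findings.append(Finding("O20", "AppInit_DLLs set: DLL injected into every GUI process", line))
    return findings

# Sample input: lines copied from the first log posted in this thread, plus the
# benign QuickTime autorun and the WGA control to show normal entries pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=userinit.exe,rxtlilq.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [w067be59.dll] RUNDLL32.EXE w067be59.dll,I2 000c919e0067be59
O4 - HKCU\..\Run: [Rms] C:\WINNT\s?curity\cmd.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O20 - AppInit_DLLs: repairs303169584.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```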

#5 Arbriel


Posted 14 May 2006 - 09:16 PM

HI,
I am amazed, but I did what you said--I CAN follow directions! Here are my logs. Thanks for all your help!
Arbriel

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:49:09 PM, 5/14/2006
+ Report-Checksum: 7A0B3781

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\AutorunsDisabled\\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-101265881-222395546-2225589205-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-101265881-222395546-2225589205-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-101265881-222395546-2225589205-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKU\S-1-5-21-101265881-222395546-2225589205-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup
[796] C:\WINNT\system32\vavdpoc.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Elizabeth\.jpi_cache\jar\1.0\counter.jpg-6067f8ab-656be38e.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Elizabeth\.jpi_cache\jar\1.0\counter.jpg-78a1e2b-7d0a6dd0.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ads.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@e-2dj6wjnyaocpclp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@epilot[2].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Content.IE5\GHE3K9QB\wallpap[1].exe -> Hijacker.Agent.gp : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Messenger\horedom.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0764F238-B35A-4E87-A693-215606\68959A19-5626-4A42-ACD3-BFEF97 -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6A20D70B-49DE-4742-9B7E-031120\88073FFD-94D0-463A-AEBC-BE13F0 -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Pumpkin Man\harvestmoon.zip\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\RECYCLER\S-1-5-21-101265881-222395546-2225589205-1005\Dc20\dees.exe -> Downloader.PurityScan.be : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1612\A0267193.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1612\A0267216.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1612\A0267219.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0267392.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0267393.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0267418.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0267420.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0268418.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1614\A0268421.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268554.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268556.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268568.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268570.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268605.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268606.dll -> Adware.SideFind : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268615.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268617.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1615\A0268627.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268649.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268650.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268651.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268710.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268715.exe -> Downloader.PurityScan.be : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268717.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268719.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268720.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268721.exe -> Downloader.Small.cpu : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268722.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268724.exe -> Trojan.Qoologic : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268726.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268742.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268770.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268867.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1616\A0268868.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0269029.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0269030.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0269031.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0270040.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0270042.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0270059.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1617\A0270061.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1618\A0270092.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1618\A0270125.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1618\A0270136.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1618\A0270140.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1619\A0270155.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1622\A0270178.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1622\A0270180.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270249.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270252.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270253.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270271.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270272.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270274.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1623\A0270276.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1625\A0270318.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1625\A0270332.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270364.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270365.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270391.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270392.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270403.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270404.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270405.exe -> Trojan.Qoologic : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270415.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270416.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270421.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270424.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270430.exe -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270437.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270438.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270472.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270473.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270474.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270475.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270476.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270490.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0270493.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0271487.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0271488.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1627\A0271491.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271510.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271511.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271512.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271607.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271608.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1628\A0271611.exe -> Downloader.Small.ajc : Cleaned with backup
C:\WINNT\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINNT\ac2_0002.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINNT\idlemg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINNT\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINNT\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINNT\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\Hardcore Asians-uninstall.exe -> Dialer.Generic : Cleaned with backup
C:\WINNT\system32\kwinrqaf.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\pqdsregn.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\vqlgk.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINNT\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 7:09:20 PM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\WINNT\s?curity\cmd.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,rxtlilq.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazb
O4 - HKCU\..\Run: [Rms] C:\WINNT\s?curity\cmd.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks again! :thumbsup:
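The HijackThis logs in this thread are read line by line by the helper. The block below is an added example, not code from the thread, from HijackThis or from BleepingComputer: it applies the same first-pass reading automatically to the entry types that appear above (the process list, F2 Shell/UserInit values, orphaned O2/O3/O9 entries, O4 autostarts, O16 ActiveX downloads and the O17 DNS setting) and reports what a helper would look at first. The sample log is constructed from lines of the thread's own log, with the ActiveX host replaced by a documentation address; the trusted-directory list and the system-binary list are the example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Windows XP defaults for the two winlogon values HijackThis reports as F2.
SHELL_DEFAULT = "explorer.exe"
USERINIT_DEFAULT = "userinit.exe"
# Assumption: legitimate autostarts normally live under these trees.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")
# Core Windows binary names; a copy outside its home directory is a masquerade.
SYSTEM_BINARIES = {"cmd.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}
_EXT = r"\.(?:exe|com|bat|scr|pif|dll|cpl)"

@dataclass
class Finding:
    kind: str    # HijackThis section ("F2", "O4", ...) or "PROC" for the process list
    reason: str
    line: str

def image_path(command: str) -> str:
    """Executable path from a command line: strip quotes and trailing arguments."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?" + _EXT + ")", command, re.I)
    return m.group(1) if m else command

def path_findings(kind: str, path: str, line: str) -> list[Finding]:
    out, low = [], path.lower()
    if "?" in low:
        # '?' is illegal in Windows file names; HijackThis prints it for a character it
        # cannot display, so the real folder name uses a lookalike character.
        out.append(Finding(kind, "path contains '?', a character HijackThis could not display", line))
    parent, _, name = low.rpartition("\\")
    if name in SYSTEM_BINARIES:
        home_ok = parent.endswith("\\system32") or (
            name == "explorer.exe" and parent in ("c:\\windows", "c:\\winnt"))
        if not home_ok:
            out.append(Finding(kind, f"system binary name {name} running from {parent}", line))
    if not low.startswith(TRUSTED_PREFIXES):
        out.append(Finding(kind, "runs from outside the Windows and Program Files trees", line))
    return out

def check_f2(line: str) -> list[Finding]:
    """Shell= / UserInit= should name only the default executable."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
    if not m:
        return []
    key, default = m.group(1), (SHELL_DEFAULT if m.group(1) == "Shell" else USERINIT_DEFAULT)
    names = [p.strip().strip('"').rsplit("\\", 1)[-1].lower() for p in m.group(2).split(",") if p.strip()]
    extras = [n for n in names if n != default]
    return [Finding("F2", f"{key} also starts {', '.join(extras)} at every logon", line)] if extras else []

def check_o4(line: str) -> list[Finding]:
    m = re.match(r"O4 - (?:HK\w+\\\.\.\\\w+: \[[^\]]*\]|(?:Global )?Startup: .*? =) (.*)", line)
    return path_findings("O4", image_path(m.group(1)), line) if m else []

def check_o16(line: str) -> list[Finding]:
    """ActiveX controls fetched from a bare IP address deserve a look."""
    m = re.match(r"O16 - DPF: \{[^}]+\} \((.*?)\) - (\S+)", line)
    host = urlparse(m.group(2)).hostname if m else None
    if host is None:
        return []
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return []
    return [Finding("O16", f"ActiveX control '{m.group(1)}' is fetched from bare IP {host}", line)]

def check_o17(line: str) -> list[Finding]:
    """DNS servers outside private ranges should be ones the owner chose."""
    m = re.match(r"O17 - .*NameServer = (.*)", line)
    out = []
    for addr in re.split(r"[,\s]+", m.group(1).strip()) if m else []:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            out.append(Finding("O17", f"unparseable DNS entry {addr!r}", line))
            continue
        if not ip.is_private:   # note: documentation ranges count as private here
            out.append(Finding("O17", f"DNS server {addr} is not on a private network", line))
    return out

def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        kind = line.split(" ", 1)[0]
        if re.match(r"^[A-Za-z]:\\", line):          # "Running processes:" section
            findings += path_findings("PROC", line, line)
        elif kind == "F2":
            findings += check_f2(line)
        elif kind == "O4":
            findings += check_o4(line)
        elif kind == "O16":
            findings += check_o16(line)
        elif kind == "O17":
            findings += check_o17(line)
        elif kind in ("O2", "O3", "O9") and "(file missing)" in line:
            findings.append(Finding(kind, "orphaned entry: the module it loads is gone", line))
    return findings

# Constructed sample: lines taken from the thread's log, ActiveX host replaced by 198.51.100.7.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\s?curity\cmd.exe
C:\Program Files\Hijack This\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,rxtlilq.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Rms] C:\WINNT\s?curity\cmd.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://198.51.100.7/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The checks are deliberately coarse: a legitimate program started from a user's Desktop (the Picasa entry) is reported for review exactly like the `s?curity\cmd.exe` entry, and it is the human reading the report who decides, as Rawe does in this thread, which entries to act on.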

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:21 PM

Posted 15 May 2006 - 06:43 AM

Sure looks better.. :thumbsup:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Edited by Rawe, 15 May 2006 - 06:43 AM.

Hi there, stranger!

#7 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Location:Portland, Oregon
  • Local time:10:21 AM

Posted 15 May 2006 - 04:44 PM

Ok, here is the scan from Panda ActiveScan:
Still lots of stuff, huh? :thumbsup:



Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\progra~1\common~1\sstem~1\netdde.exe
Adware:Adware/Qoologic Not disinfected C:\WINNT\system32\vavdpoc.dll
Adware:adware/cydoor Not disinfected C:\WINNT\system32\cd_clint.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/downloadware Not disinfected c:\program files\MediaLoads
Spyware:spyware/clipgenie Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Elizabeth\.jpi_cache\file\1.0\Counter.class-762d722b-17fa26f6.class
Virus:Trj/Downloader.BJ Disinfected C:\Documents and Settings\Elizabeth\.jpi_cache\jar\1.0\archive.jar-27b6d962-34fd1b11.idx
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@adrevolver[3].txt
Spyware:Cookie/aff504 Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@aff504[1].txt
Spyware:Cookie/aff6008 Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@aff6008[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@belnk[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@casalemedia[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@dist.belnk[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@i.screensavers[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@offeroptimizer[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@realmedia[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@tribalfusion[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\s?stem\netdde.exe
Adware:Adware/Deskwizz Not disinfected C:\Program Files\Hijack This\backups\backup-20060514-185620-915.dll
Adware:Adware/DigInk Not disinfected C:\WINNT\CCZoop05.exe
Adware:Adware/Look2Me Not disinfected C:\WINNT\Downloaded Program Files\pinstall.dll
Adware:Adware/DigInk Not disinfected C:\WINNT\sys01120519844-.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINNT\system32\P2P Networking v125.cpl
Spyware:Spyware/LinkReplacer Not disinfected C:\WINNT\system32\PreUninstallHL.exe
Adware:Adware/Deskwizz Not disinfected C:\WINNT\system32\VSL04.exe[VSL.dl_]
Adware:Adware/DigInk Not disinfected C:\WINNT\Taga96.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINNT\thiselt.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\unin101.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\uni_ehhh.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:21 PM

Posted 16 May 2006 - 12:27 AM

Hi again.. Let's continue :thumbsup:

Please download and run this uninstaller: http://www.outerinfo.com/OiUninstaller.exe

==

Next, please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

REGEDIT4

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}]


Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • Unregister .dll Before Deletion (You can check this box after you have pasted the files for deletion)
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\vavdpoc.dll
    C:\WINNT\system32\cd_clint.dll
    c:\program files\MediaLoads
    C:\WINNT\CCZoop05.exe
    C:\WINNT\Downloaded Program Files\pinstall.dll
    C:\WINNT\sys01120519844-.exe
    C:\WINNT\system32\P2P Networking v125.cpl
    C:\WINNT\system32\PreUninstallHL.exe
    C:\WINNT\system32\VSL04.exe
    C:\WINNT\Taga96.exe
    C:\WINNT\thiselt.exe
    C:\WINNT\unin101.exe
    C:\WINNT\uni_ehhh.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

Post back with a fresh HijackThis log. :flowers:
Hi there, stranger!

#9 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Location:Portland, Oregon
  • Local time:10:21 AM

Posted 16 May 2006 - 01:23 AM

:thumbsup: Hi, here is the latest log:
Are we there YET???!!!
Thanks for all your help you all!--Arbriel



Logfile of HijackThis v1.99.1
Scan saved at 11:14:45 PM, on 5/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\FSScrCtl.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,rxtlilq.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:21 PM

Posted 16 May 2006 - 08:03 AM

Sure looks better.. :thumbsup:

Please download FindQool by LonnyRJones:
  • Extract the files and place the FindQool folder in root. Usually C:\
  • Open the folder and run Qlocate.bat.
  • Post the contents of the txt.log which will open.

Hi there, stranger!

#11 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Location:Portland, Oregon
  • Local time:10:21 AM

Posted 16 May 2006 - 02:55 PM

Is this right? :thumbsup:
Thanks again for your help!
Arbriel


@echo off
::do not mirror or edit, Please.
::batch by Lonny and friends
:: Commandline utilities (SWReg and SWSC) -
:: Written by Bobbi Flekman © 2005
:: www.xs4all.nl/~fstaal01/commandline-us.html
::AUTHOR Of md5deep Jesse Kornblum, md5deep [at] jessekornblum [dot]com.
::http://md5deep.sourceforge.net/

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO last

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO last

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO last

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last



:NT

if not exist %windir%\system32\AUTOEXEC.NT goto check
if not exist %windir%\system32\Config.nt goto check
if not exist %windir%\system32\Command.com goto check

IF not exist %systemdrive%\FindQool\sub\swreg.exe Echo This utility cannot run unless Unzipped. Press any key to exit. Please try again. & Pause & Exit
if exist "%systemdrive%\FindQool" goto next

echo This batch should be ran from the %systemdrive%\FindQool folder.
echo Running from %CD%
echo.

echo If it is not please exit!! and move the unzipped FindQool folder to the %systemdrive% . & Pause
if not exist "%systemdrive%\FindQool" goto NT
:next
echo Working .......
echo %DATE% >report.txt
echo Running from: %CD% >> report.txt

echo.PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE. >>report.txt
echo. >>report.txt
echo.Known file names>>report.txt
sub\LOCATE %systemdrive%\installerwebnexus.exe /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\system32\dmonwv.dll /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\fwrgm.dll /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\DATADX.DLL /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\vgactl.cpl /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\wmconfig.cpl /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\wuauclt.dll /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\unwn.exe /D- /NR /N >>report.txt
sub\LOCATE %WinDir%\vqlbce.dat /D- /NR /N >>report.txt
echo. >>report.txt
echo.MD5 Check....>>report.txt
sub\md5deep -a 3C7545FDA6BA922C0BF8A3961B83884C %windir%\system32\*.dll >>report.txt
sub\md5deep -a 1DCDAF76521850F8A8980249BA098CF8 %windir%\system32\*.dat >>report.txt
sub\md5deep -a 1DCDAF76521850F8A8980249BA098CF8 %windir%\system32\*.exe >>report.txt
sub\md5deep -a 7A10365C5A51F63DB6F07172C4AC0BF1 %windir%\system32\*.dat >>report.txt
sub\md5deep -a 7A10365C5A51F63DB6F07172C4AC0BF1 %windir%\system32\*.exe >>report.txt
sub\md5deep -a 34927EFD7594648462BB18E713ADA55F %windir%\system32\*.exe >>report.txt
sub\md5deep -a EB881D123AF640B6C6BEAC76DF6F45DD %windir%\system32\*.dll >>report.txt
sub\md5deep -a 272E1D5EB4E85C4E03633F7D431FD6BE %windir%\system32\*.exe >>report.txt
sub\md5deep -a 08D83B32FBED84A20AFDA14135BE3ACD %windir%\system32\*.exe >>report.txt
sub\md5deep -a 469115047B4C4DD4723440D93B70739E %windir%\system32\*.exe >>report.txt
sub\md5deep -a F021056FD653F96EA629DD6BFCA6D444 %windir%\system32\*.exe >>report.txt
sub\md5deep -a 90A4F4C769C7A58EEB61370BF19AF58F %windir%\system32\*.dll >>report.txt

sub\md5deep -a C39CF3F7A081542C3A541642CA37EFC2 %windir%\system32\*.exe >>report.txt
sub\md5deep -a C39CF3F7A081542C3A541642CA37EFC2 %windir%\system32\*.dat >>report.txt
sub\md5deep -a 4156D29B461F25955B45B32D834D4E54 %windir%\system32\*.dll >>report.txt
sub\md5deep -a ADF22E6BD68DF549BA48E01210415700 %windir%\system32\*.exe >>report.txt

echo. >>report.txt
echo.Files found with locate com. >>report.txt

REM The size (/S:) and date (/D:) filters pick out files of the known sizes whose
REM names are a fixed number of characters (the ? wildcards), i.e. the random names
REM the dropper uses.
sub\LOCATE %WinDir%\System32\???????.exe /D- /D:T-5M /S:23552! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\???????.exe /D- /D:T-5M /S:29184! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\??????.exe /D- /D:T-5M /S:227840! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\???????.dll /D- /D:T-5M /S:51712! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\???????.dll /D- /D:T-5M /S:67072! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\?????.dll /D- /D:T-5M /S:24064! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\?????.dat /D- /D:T-5M /S:127488! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\?????.dat /D- /D:T-5M /S:227840! /NR /N >>report.txt
sub\LOCATE %WinDir%\System32\??????.exe /D- /D:T-5M /S:127488! /NR /N >>report.txt
sub\LOCATE %WinDir%\system32\?????.exe /D- /D:T-5M /S:28672! /NR /N >>report.txt
sub\LOCATE %WinDir%\?????.dll /D- /D:T-5M /S:13,34 /NR /N >>report.txt
sub\LOCATE %WinDir%\?????.dll /D- /D:T-5M /S:140,206 /NR /N >>report.txt
sub\LOCATE %WinDir%\??????.dat /D- /D:T-5M /S:52! /NR /N >>report.txt
sub\LOCATE %WinDir%\?????.dat /D- /D:T-5M /S:34,53 /NR /N >>report.txt

REM Resolve the all-users Startup folder from the registry, strip the value down
REM to the bare path with sed, then list the executables found in it.
sub\swreg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup">log1.txt
type log1.txt | find /i "Common Startup" > log2.txt
sub\sed -e "s/ common startup REG_SZ //g" log2.txt > log3.txt
for /f "tokens=* delims= " %%a in ('Type log3.txt') do sub\locate "%%a\*.exe" /NR /N >>report.txt
::echo.Checking path to common Startup>>report.txt
echo.Re-check using dir /a:-d>>report.txt
for /f "tokens=* delims= " %%a in ('Type log3.txt') do echo %%a >>report.txt
for /f "tokens=* delims= " %%a in ('Type log3.txt') do dir /a:-d "%%a" >log4.txt
type log4.txt | find ".exe" >>report.txt
sub\swreg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Startup">log1.txt
type log1.txt | find /i "Startup" > log2.txt
sub\sed -e "s/ startup REG_SZ //g" log2.txt > log3.txt


for /f "tokens=* delims= " %%a in ('Type log3.txt') do sub\locate "%%a\*.exe" /O:"&W" >>report.txt
del log*.txt
echo....>>report.txt
cls

echo. >>report.txt
sub\swreg query "HKLM\SOFTWARE\Microsoft\qopwad" >>tmp.txt
sub\swreg query "HKLM\Software\Microsoft\lodwqu" >>tmp.txt
sub\swreg query "HKLM\Software\Microsoft\wlwtdw" >>tmp.txt
sub\swreg query "HKLM\SOFTWARE\qstat" >>tmp.txt
sub\swreg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4ABF810A-F11D-4169-9D5F-7D274F2270A1}" >>tmp.txt
sub\swreg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus" >>tmp.txt
sub\swreg query "HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}" >>tmp.txt
Type tmp.txt | find "HKEY_LOCAL_MACHINE" >>report.txt

sub\SWReg export file3.txt "HKCR\*\shellex\ContextMenuHandlers"
sub\grep -E "\\........]" -A 2 file3.txt >> report.txt

sub\swreg query "HKCR\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}">tmp.txt

sub\swreg query "HKCR\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}">>tmp.txt

Type tmp.txt | find "HKEY_CLASSES_ROOT" >>report.txt
echo. >>report.txt
echo....>>report.txt
echo.Runs, Listed here as a Doublecheck for the locate com results>>report.txt
sub\swreg export temp01.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo HKLM >>report.txt
Type temp01.txt | find " reg_run" >>report.txt

del tmp.txt
del temp01.txt
sub\swreg export temp01.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo HKCU >>report.txt
Type temp01.txt | find " reg_run" >>report.txt

echo....>>report.txt
echo. >>report.txt
echo.Files In Winlogon shell and userinit>>report.txt
echo.Listed here as a Doublecheck for the locate com results >>report.txt
REM Stock values are "Explorer.exe" and "<system32>\userinit.exe,". Both are
REM comma-separated lists, and anything appended to them runs at every logon.
sub\swreg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" >tmp.txt

sub\swreg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" >>tmp.txt
Type tmp.txt | find "REG_SZ" >>report.txt
echo Finished................
pause
del file3.txt
del temp0*.txt
del tmp.txt
echo.... >>report.txt
echo SWReg utility >>report.txt
echo Written by Bobbi Flekman © 2005>>report.txt
echo Findqool edited 4/05/2006>>report.txt
start notepad report.txt
cls
exit

:last
echo Unsupported Version
pause
exit

:check

echo Check for missing files>>report.txt
echo...... >>report.txt
if not exist %windir%\system32\AUTOEXEC.NT echo %windir%\system32\AUTOEXEC.NT not there>>report.txt
if not exist %windir%\system32\Config.nt echo %windir%\system32\Config.nt not there>>report.txt
if not exist %windir%\system32\Command.com echo %windir%\system32\Command.com not there>>report.txt
if not exist %windir%\repair\autoexec.nt echo %windir%\repair\autoexec.nt not there>>report.txt
if not exist %windir%\repair\Config.nt echo %windir%\repair\Config.nt not present>>report.txt
echo...... >>report.txt
echo End check for missing files>>report.txt
echo...... >>report.txt
echo VXD Check "vdd REG_MULTI_SZ \0">>report.txt
sub\SWReg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers" /v "VDD" >>report.txt
echo...... >>report.txt
echo End vxd check>>report.txt
echo Please post this in the forum>>report.txt

notepad.exe report.txt
cls
exit

#12 Arbriel

Arbriel
  • Topic Starter
  • Members
  • 42 posts
  • Location:Portland, Oregon
  • Local time:10:21 AM

Posted 16 May 2006 - 07:27 PM

Now my computer is acting weird. It won't go online, it freezes and there are no pop-ups. The security center keeps insisting that it needs to update my computer every time I am working on it, lugging it down. I have told it to do automatic updates at 11pm and it happens whenever. I am beginning to think this thing is alive!
Arbriel


Logfile of HijackThis v1.99.1
Scan saved at 5:25:14 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,rxtlilq.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\Desktop\New Folder\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6F5C938-F98A-40AA-A428-3CFC40F0E6D5} (HearingScreener Class) - http://63.194.44.8/hearingtest/screener.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
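
The two F2 lines in the log above (Shell=Explorer.exe, C:\WINNT\system32\gcmhx.exe and UserInit=...\Userinit.exe,rxtlilq.exe) are exactly what the FindQool batch script earlier in the thread is hunting for with its Winlogon query and its md5deep calls. The following is an added example, not part of FindQool and not posted by anyone in this thread: the same two checks written in Python against constructed input, so it runs offline. The Shell/Userinit strings are parsed out of the two F2 lines as HijackThis printed them; on a live Windows host they would be read from the Winlogon key under HKLM with winreg instead. The file names, file contents and the MD5 in the hash-scan demo are constructed for the example and are not hashes of any real Surf Sidekick component.

```python
"""
Added example (not FindQool's code): Winlogon Shell/Userinit extras and
known-MD5 file matching, the two checks the batch script performs, run here
against constructed input.
"""
import hashlib
import os
import re
import tempfile

# Stock values on Windows XP: Shell is "Explorer.exe", Userinit is
# "<system32>\userinit.exe,". Both are comma-separated lists; anything
# appended to them runs at every logon, which is how the entries in the
# HijackThis log persist.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {"userinit.exe"}

# Constructed sample: the two F2 lines as HijackThis printed them above.
SAMPLE_HJT = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINNT\\system32\\gcmhx.exe
F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\Userinit.exe,rxtlilq.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def parse_f2_lines(log_text):
    """Pull the Shell and Userinit strings out of HijackThis F2 lines."""
    values = {"Shell": "", "Userinit": ""}
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if m:
            key = "Shell" if m.group(1).lower() == "shell" else "Userinit"
            values[key] = m.group(2).strip()
    return values


def _split_value(value):
    # Entries may or may not carry a full path; drop empty trailing items.
    return [p.strip() for p in value.split(",") if p.strip()]


def winlogon_extras(shell_value, userinit_value):
    """Return the entries in Shell/Userinit that are not the stock executables."""
    extras = {"Shell": [], "Userinit": []}
    checks = (("Shell", shell_value, EXPECTED_SHELL),
              ("Userinit", userinit_value, EXPECTED_USERINIT))
    for key, value, expected in checks:
        for entry in _split_value(value):
            basename = os.path.basename(entry.replace("\\", "/")).lower()
            if basename not in expected:
                extras[key].append(entry)
    return extras


def files_matching_md5(directory, known_md5s, extensions=(".exe", ".dll", ".dat")):
    """What the md5deep -a calls do: hash each file with a listed extension and
    return (name, md5) for those whose digest is in the known-bad set."""
    known = {h.lower() for h in known_md5s}
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(extensions):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        if digest in known:
            hits.append((name, digest))
    return hits


def demo_hash_scan():
    """Constructed sample: two files in a temp dir, only one on the list.
    The 'known-bad' MD5 is computed from constructed bytes, not a real sample."""
    tmp = tempfile.mkdtemp()
    payload = b"MZ constructed sample standing in for a dropped component"
    with open(os.path.join(tmp, "gcmhx.exe"), "wb") as fh:
        fh.write(payload)
    with open(os.path.join(tmp, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ constructed benign file")
    known_bad = {hashlib.md5(payload).hexdigest()}
    return files_matching_md5(tmp, known_bad)


if __name__ == "__main__":
    values = parse_f2_lines(SAMPLE_HJT)
    for key, entries in winlogon_extras(values["Shell"], values["Userinit"]).items():
        for entry in entries:
            print(f"Winlogon {key}: unexpected entry {entry}")
    for name, digest in demo_hash_scan():
        print(f"MD5 match: {name} {digest}")
```

Run as-is it reports gcmhx.exe under Shell and rxtlilq.exe under Userinit, then the planted file from the hash scan. The basename comparison is deliberate: a legitimate Userinit value carries a full path and a trailing comma, so matching on the whole string would produce false positives on every box, while matching on the file name alone catches both a bare name and a pathed one.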

#13 Rawe

Rawe
  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:21 PM

Posted 17 May 2006 - 10:35 AM

You will need to run QooFix.bat again. It didn't do exactly what it was supposed to.

Please close ALL other open windows & explorer folders, then double-click on QooFix.bat. (in C:\BFU)
Choose option 1# (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
Then please post back with a fresh HijackThis log by using AddReply. :thumbsup:
Hi there, stranger!

#14 Arbriel

Arbriel
  • Topic Starter
  • Members
  • 42 posts
  • Location:Portland, Oregon
  • Local time:10:21 AM

Posted 17 May 2006 - 11:33 AM

I had trouble with this "program". When I tried to open it, nothing happened. Arbriel :thumbsup:

I went to the website to see if there was more to do. It said to close all explorer windows like you did, but I have DSL, isn't it always open? Should I close my Windows firewall? I have tried unplugging my modem and that didn't work. Please advise.

Edited by Arbriel, 18 May 2006 - 09:23 AM.


#15 Rawe

Rawe
  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:21 PM

Posted 18 May 2006 - 11:05 AM

Sorry, I know this is getting frustrating for you too.. Let's look for bad files with WinPFind:

Download WinPFind:
  • Right-click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet.
==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Double-click WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete:
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post.
==

Reboot normally and post back with the contents of WinPFind.txt log. :thumbsup:
Hi there, stranger!



