

Errors On Startup/summer Cleaning..thanks


  • This topic is locked
15 replies to this topic

#1 honda2nr

honda2nr

  • Members
  • 115 posts

Posted 24 May 2006 - 10:30 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:27:33 AM, on 5/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - c:\windows\20040818\TOOLBA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra 'Tools' menuitem: Popup Blocker Options - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tvxVfWCodec.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 May 2006 - 05:43 PM

Hi,

The forums are really busy; that explains why logs get behind. If you still need some help, please start by posting a new HijackThis log in this thread. Don't start a new thread.
Then I'll take a look. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 honda2nr

honda2nr
  • Topic Starter

  • Members
  • 115 posts

Posted 28 May 2006 - 08:17 PM

What is that? I click it and it's some advertisement for SUN.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 May 2006 - 12:37 AM

What is that? I click it and it's some advertisement for SUN.


What are you talking about?
Just post a new hijackthislog if you still need help. :thumbsup:

#5 honda2nr

honda2nr
  • Topic Starter

  • Members
  • 115 posts

Posted 31 May 2006 - 07:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:25:23 PM, on 5/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\sys021644262418.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\RWRkaWUgRGF3c29u\command.exe
C:\WINDOWS\?racle\n?lookup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsd4F9C.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmsdaw.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - c:\windows\20040818\TOOLBA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [sys021644262418] C:\WINDOWS\sys021644262418.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
O4 - HKCU\..\Run: [Tht] C:\WINDOWS\RACLE~1\NLOOKU~1.EXE
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra 'Tools' menuitem: Popup Blocker Options - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tvxVfWCodec.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RWRkaWUgRGF3c29u\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 June 2006 - 12:28 AM

Hello,
This is a nasty log with several different infections. :thumbsup:

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!

* Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

* Download win32delfkil.exe.
Save it on your desktop.
Double-click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So the BFU-folder should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose Save As)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • It will ask to reboot your computer, so please allow it to reboot.
* Please set your system to show all files; please see here if you're unsure how to do this.

* Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo or similar, click on it and click Remove.
If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

I see you have PartyPoker and PartyCasino installed.
If you didn't install them with the intention of playing, I suggest you uninstall them, because in most cases these programs are supported by malware, get installed without asking, and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.
I also see SafeGuard Popup Blocker Pro installed. Be aware that a lot of these so-called popup blockers, spyware removers, etc. are just as bad as spyware and are spying as well. And I guess SafeGuard is one of them. That's why I also recommend you uninstall it in case you didn't buy it.
Reboot.

* Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

* Download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsd4F9C.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmsdaw.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - c:\windows\20040818\TOOLBA~1.DLL
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [sys021644262418] C:\WINDOWS\sys021644262418.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
O4 - HKCU\..\Run: [Tht] C:\WINDOWS\RACLE~1\NLOOKU~1.EXE
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tvxVfWCodec.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RWRkaWUgRGF3c29u\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\thiselt.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\sys021644262418.exe
C:\Program Files\Network Monitor <== folder
C:\WINDOWS\RWRkaWUgRGF3c29u <== folder
C:\WINDOWS\System32\irssyncd.exe
C:\WINDOWS\System32\msdtc.dll

* Still in Safe Mode, clean your cache and cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply,
together with the contents of the ewido log present on your desktop, the contents of the log file c:\windelf.txt, the contents of Look2Me-Destroyer.txt present on your desktop and a new HijackThis log.
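The fix list in the reply above is the result of reading the second HijackThis log entry by entry and picking out the items that do not belong: extra executables appended to the system.ini Shell= and UserInit= values, Run entries launched straight from C:\WINDOWS or from 8.3 short-name folders, sites added to IE's Trusted Zone, an AppInit_DLLs injection, and services with an unknown owner whose binary is missing or sits outside System32. The script below is an added example, not code from this thread, from BleepingComputer or from HijackThis; it encodes those observations as heuristics and runs them over a constructed sample in the same log format, so a reader can see which part of the helper's triage is mechanical. The heuristics are assumptions drawn only from what the helper flagged here; items she removed on reputation alone (the Network Monitor service, irssyncd.exe in System32, the fake "Java" O9 button, two of the four Winlogon Notify DLLs) cannot be recognised from the line's shape and are deliberately not caught.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99 line format used in this thread.
# It mixes entries the helper told the poster to fix with entries left alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - c:\windows\20040818\TOOLBA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Tht] C:\WINDOWS\RACLE~1\NLOOKU~1.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: C:\WINDOWS\System32\msdtc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HJT entry starts with a section tag such as F2, O4, O23 followed by " - ".
SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _odd_windows_path(path: str) -> bool:
    # Heuristic assumed for this example: the legitimate entries in the thread's logs live
    # in System32 or Program Files, while the dropped files sit directly in C:\WINDOWS or in
    # made-up subfolders such as C:\WINDOWS\RACLE~1.
    p = path.lower().strip().lstrip('"')
    return p.startswith("c:\\windows\\") and not p.startswith("c:\\windows\\system32\\")


def _run_target(rest: str) -> str:
    # Pull the launched path out of an O4 entry: "[Name] path args" for Run keys,
    # "Something.lnk = path" for Startup-folder entries.
    m = re.search(r'\]\s*(?:"([^"]+)"|(\S+))', rest)
    if m:
        return m.group(1) or m.group(2)
    return rest.partition(" = ")[2]


def triage(log_text: str) -> list[Finding]:
    # Apply the heuristics to every recognised entry and return what they flag.
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header lines and the "Running processes" block carry no tag
        section, rest = m.group(1), m.group(2)
        reason = None

        if section == "F2":
            # Shell= and UserInit= each name exactly one executable; anything appended
            # after a comma is an extra program started at every logon.
            key, _, value = rest.partition("=")
            targets = [t.strip() for t in value.split(",") if t.strip()]
            if len(targets) > 1:
                reason = f"extra program appended to {key.rsplit(' ', 1)[-1]}: {targets[1:]}"
        elif section == "O4":
            target = _run_target(rest)
            if _odd_windows_path(target) or "~" in target:
                reason = f"autostart from unusual location: {target}"
        elif section in ("O2", "O3", "O9"):
            path = rest.rsplit(" - ", 1)[-1]
            if _odd_windows_path(path) or "~" in path:
                reason = f"browser add-on loaded from unusual location: {path}"
        elif section == "O15":
            # A Trusted Zone entry lifts IE's security restrictions for that site.
            reason = f"site granted Trusted Zone privileges: {rest.partition(': ')[2]}"
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            reason = f"AppInit_DLLs injection: {rest.partition(': ')[2]}"
        elif section == "O23":
            parts = rest.rsplit(" - ", 2)  # "Service: Name (short)", owner, path
            if len(parts) == 3:
                _name, owner, path = parts
                if owner == "Unknown owner" and ("(file missing)" in path or _odd_windows_path(path)):
                    reason = f"unknown-owner service from unusual location: {path}"

        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}")
```

Running it on the sample flags eight entries and leaves the QuickTime, &Radio, Quicken and NVIDIA lines alone. The point of the exercise is the gap, not the hits: a few entries are only identifiable by knowing what the names and folders mean, which is exactly the part of the helper's reply a script cannot replace.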

#7 honda2nr

honda2nr
  • Topic Starter

  • Members
  • 115 posts

Posted 04 June 2006 - 05:54 PM

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/3/2006 10:52:09 AM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"
HKCR\Clsid\{D82BE2B0-5764-11D0-A96E-00C04FD705A2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





Incident Status Location

Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\LocalService\Cookies\system@winfixer[2].txt
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\140EUF9Y\IrsmInst[1].exe
Spyware:Spyware/ShopNav Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.0.6[1].zip[C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe][²θΗ]
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\Parser.class-10c4f7e-7546100d.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-52260159-4d72b82f.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-2d926365.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-141a778f-654ee710.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-42aa1024-7431634a.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-7553e213-506a2c10.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[VerifierBug.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Beyond.class]
Virus:Trj/Downloader.BJ Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-27b6d962-14a494d1.idx
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[Dummy.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[Beyond.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[winmodem.exe]
Adware:Adware/Startpage.JK Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[rundll32.exe]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6daaeec0-1e995425.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[NewClasssss.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Xeyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Worker.class]
Virus:Trj/ComSys.A Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[VerifierBug.class]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mmm.media-motor[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@winfixer[2].txt
Virus:W32/Gaobot.HJC.worm Disinfected C:\Documents and Settings\Owner\Desktop\My Muzic\B3 Power Tabs v2.0.314.6.zip[setup.exe]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160.inf
Adware:Adware Program Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-989.inf
Dialer:dialer.cos Not disinfected C:\Documents and Settings\Owner\My Documents\WinMoviePlugin.lnk
Dialer:dialer.akd Not disinfected C:\Documents and Settings\Owner\Start Menu\exsplorer.lnk
Dialer:dialer.gyc Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\exsplorer.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\My Keywords.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\My Preferences.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\TopText Button Show - Hide.lnk
Dialer:dialer.bb Not disinfected C:\Documents and Settings\Owner\Start Menu\sex.lnk
Virus:Trj/Killche.A Disinfected C:\Documents and Settings\Owner\stop.exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:adware/superspider Not disinfected C:\m.exe
Virus:Bck/Small.CM Disinfected C:\Plugin\crss.exe
Virus:Trj/Downloader.FMN Disinfected C:\Plugin\mmgrt.exe
Virus:Trj/Downloader.FMN Disinfected C:\Plugin\mmgrt.exe.tmp
Virus:Trj/Clicker.QE Disinfected C:\Program Files\Common Files\simtest\sysstall.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\svchostsys\sysid.exe
Adware:adware/vog Not disinfected C:\Program Files\Internet Explorer\update.exe
Adware:Adware/TVMedia Not disinfected C:\Program Files\TV Media\TvmBho.dll
Adware:Adware/TVMedia Not disinfected C:\Program Files\TV Media\TvmCore.dll
Adware:Adware/TopMoxie Not disinfected C:\Program Files\Windows Media Player\EbatesMoeMoneyMaker.exe
Adware:Adware/eZula Not disinfected C:\Program Files\Windows Media Player\ezStub.exe
Virus:Trj/Multidropper.IU Disinfected C:\Program Files\Windows Media Player\setup_BikiniDesk_bundle.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc7\Programs\__delete_on_reboot__webhdll.dll
Adware:Adware/WinTools Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc9\common.dll
Adware:Adware/CWS.Yexe Not disinfected C:\sm.exe
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1 REPACK by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1 Repacked.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-5 by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-5.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.8 SR-9 by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.8 SR-9.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0 Final.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0 Patch Fix.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0a Crack.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0a Patch.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by Oddity.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by TCA.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by Viking.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa Keygen and Patch by TEX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa Keygen by TEX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 by Eminence.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 by EVC.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 Mar 13 2001.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c Dl2.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XarGon.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarion 1.03.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarka OptiPerl Professional 4.5.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarka OptiPerl Professional v4.5 by ZWT.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xat.com Image Optimizer 3.01 Professional.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xatshow v5.02 by HTBTeam.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xavius's ATCC v1.1 - Air Traffic Control Center.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xbau Baukalkulation nach STLB-Bau v2004.04 GERMAN INTERNAL by PARADOX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBMC Xbox Media Center 2004-09-17.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox BIOS Slicer.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox Debugging Client-Server.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox ISO Reader v0.1.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox ISO Tool.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox MS Factory Test Disk.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBuilder 2.5 Keygen.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBuilder 2.5 Seri

#8 miekiemoes

Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:59 AM

Posted 04 June 2006 - 05:59 PM

Hello,

Your Panda log got cut off, so look in the above log where it cut off and post the rest. :thumbsup:

Also, can you post a new HijackThis log, the ewido log and the log c\windelf.txt please? If it doesn't fit in one post, use more posts instead.

Also, why did you wait so long to fix this terribly infected system? I already posted the instructions 5 days ago. Keep in mind that malware downloads more malware all the time. The longer you wait, the more damage it causes and the harder it will be to remove all the malware and repair the damage.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 honda2nr

  • Topic Starter

  • Members
  • 115 posts
  • Local time:05:59 AM

Posted 04 June 2006 - 07:09 PM

Incident Status Location

Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\LocalService\Cookies\system@winfixer[2].txt
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\140EUF9Y\IrsmInst[1].exe
Spyware:Spyware/ShopNav Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.0.6[1].zip[C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe][²θΗ]
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\Parser.class-10c4f7e-7546100d.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-52260159-4d72b82f.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-2d926365.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-141a778f-654ee710.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-42aa1024-7431634a.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\stat.class-7553e213-506a2c10.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-13861c29-62e4db2c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-16a0a4a4-7f486469.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-3c0efa2b-292ef843.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4271db64-25000690.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-4f65e3a2-2d65ce3c.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-50b22ead-1710d855.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[VerifierBug.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-58581c27-1bbe8fb5.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-6198e311-156aaf43.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-623dacb7-7f883e99.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-724f57b4-581832b1.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-246797d4-4a992607.zip[Beyond.class]
Virus:Trj/Downloader.BJ Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-27b6d962-14a494d1.idx
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[Dummy.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[Beyond.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[winmodem.exe]
Adware:Adware/Startpage.JK Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[rundll32.exe]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6daaeec0-1e995425.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-730774d5-3e076466.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\counter.zip-408709b2-3228c4f2.zip[NewClasssss.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Xeyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[Worker.class]
Virus:Trj/ComSys.A Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\Counters.jar-64e31c12-2e1851cf.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-43ae1cff.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-5b83c8a-4d8a9e1f.zip[VerifierBug.class]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mmm.media-motor[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@winfixer[2].txt
Virus:W32/Gaobot.HJC.worm Disinfected C:\Documents and Settings\Owner\Desktop\My Muzic\B3 Power Tabs v2.0.314.6.zip[setup.exe]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160.inf
Adware:Adware Program Not disinfected C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-989.inf
Dialer:dialer.cos Not disinfected C:\Documents and Settings\Owner\My Documents\WinMoviePlugin.lnk
Dialer:dialer.akd Not disinfected C:\Documents and Settings\Owner\Start Menu\exsplorer.lnk
Dialer:dialer.gyc Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\exsplorer.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\My Keywords.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\My Preferences.lnk
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup\TopText Button Show - Hide.lnk
Dialer:dialer.bb Not disinfected C:\Documents and Settings\Owner\Start Menu\sex.lnk
Virus:Trj/Killche.A Disinfected C:\Documents and Settings\Owner\stop.exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:adware/superspider Not disinfected C:\m.exe
Virus:Bck/Small.CM Disinfected C:\Plugin\crss.exe
Virus:Trj/Downloader.FMN Disinfected C:\Plugin\mmgrt.exe
Virus:Trj/Downloader.FMN Disinfected C:\Plugin\mmgrt.exe.tmp
Virus:Trj/Clicker.QE Disinfected C:\Program Files\Common Files\simtest\sysstall.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\svchostsys\sysid.exe
Adware:adware/vog Not disinfected C:\Program Files\Internet Explorer\update.exe
Adware:Adware/TVMedia Not disinfected C:\Program Files\TV Media\TvmBho.dll
Adware:Adware/TVMedia Not disinfected C:\Program Files\TV Media\TvmCore.dll
Adware:Adware/TopMoxie Not disinfected C:\Program Files\Windows Media Player\EbatesMoeMoneyMaker.exe
Adware:Adware/eZula Not disinfected C:\Program Files\Windows Media Player\ezStub.exe
Virus:Trj/Multidropper.IU Disinfected C:\Program Files\Windows Media Player\setup_BikiniDesk_bundle.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc7\Programs\__delete_on_reboot__webhdll.dll
Adware:Adware/WinTools Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc9\common.dll
Adware:Adware/CWS.Yexe Not disinfected C:\sm.exe
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1 REPACK by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1 Repacked.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-1.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-5 by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.7 SR-5.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.8 SR-9 by ROR.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\X-Ways Forensics v11.8 SR-9.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0 Final.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0 Patch Fix.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0a Crack.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0a Patch.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by Oddity.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by TCA.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa by Viking.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa Keygen and Patch by TEX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0aa Keygen by TEX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 by Eminence.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 by EVC.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c DL2 Mar 13 2001.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c Dl2.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XaraX v1.0c.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XarGon.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarion 1.03.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarka OptiPerl Professional 4.5.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xarka OptiPerl Professional v4.5 by ZWT.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xat.com Image Optimizer 3.01 Professional.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xatshow v5.02 by HTBTeam.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xavius's ATCC v1.1 - Air Traffic Control Center.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\Xbau Baukalkulation nach STLB-Bau v2004.04 GERMAN INTERNAL by PARADOX.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBMC Xbox Media Center 2004-09-17.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox BIOS Slicer.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox Debugging Client-Server.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox ISO Reader v0.1.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox ISO Tool.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBox MS Factory Test Disk.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBuilder 2.5 Keygen.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XBuilder 2.5 Serial.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm Disinfected C:\Uploads\XCalc v1.0.zip[setup.exe]
Virus:W32/Gaobot.HJC.worm

#10 honda2nr
  • Topic Starter
  • Members
  • 115 posts

Posted 04 June 2006 - 07:10 PM

Did that work? If not, would it be easier to just send you the file? It keeps saying the log is too long.

#11 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 June 2006 - 02:34 AM

That's because you are trying to post it in one reply; use more replies instead.

OK, let's deal with it first. I am going to ask you to scan again with Panda afterwards.

It looks like you installed most of this crap yourself without even knowing it was infected. You even backed up some infected files????
Panda already disinfected/deleted a lot here, but we're not finished yet.
I wonder if your antivirus is still working and able to update.

Uninstall TopText iLookup and TVMedia via add/remove programs.

Reboot...

Delete next folders and files:

C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160
C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-160.inf
C:\Documents and Settings\Owner\Desktop\Prom 2004\New Folder\backup-20040522-230348-989.inf
C:\Documents and Settings\Owner\My Documents\WinMoviePlugin.lnk
C:\Documents and Settings\Owner\Start Menu\exsplorer.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\exsplorer.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\TopText iLookup <== folder
C:\Documents and Settings\Owner\Start Menu\sex.lnk
C:\m.exe
C:\Program Files\Common Files\svchostsys <== folder
C:\Program Files\Internet Explorer\update.exe
C:\Program Files\TV Media <== folder
C:\Program Files\Windows Media Player\EbatesMoeMoneyMaker.exe
C:\Program Files\Windows Media Player\ezStub.exe
C:\sm.exe

Clearing Java Cache:
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Perform the next step again, because it looks like you also forgot that:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then scan again with Panda and post the Panda log in your next reply, together with a new HijackThis log, the log from ewido and the logfile c\windelf.txt.
Use more posts to post the logs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 honda2nr
  • Topic Starter
  • Members
  • 115 posts

Posted 06 June 2006 - 10:19 AM

Incident Status Location

Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\LocalService\Cookies\system@winfixer[2].txt
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\140EUF9Y\IrsmInst[1].exe
Spyware:Spyware/ShopNav Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.0.6[1].zip[C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\Srng_karmamedia_osall_3.
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\D3IDB2PQ\trafficsectorInst[1].exe[b2search_v17.exe][²θΗ]
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\Parser.class-10c4f7e-7546100d.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-52260159-4d72b82f.class
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Owner\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-2d926365.class
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[Beyond.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[winmodem.exe]
Adware:Adware/Startpage.JK Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-5d1dec5c.zip[rundll32.exe]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Dialer:dialer.gyc Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\exsplorer.lnk
Dialer:dialer.akd Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\WinMoviePlugin.lnk
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:adware/superspider Not disinfected C:\m.exe
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc17\My Keywords.lnk
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc17\My Preferences.lnk
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc17\TopText Button Show - Hide.lnk
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc18\sysid.exe
Adware:Adware/TVMedia Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc20\TvmBho.dll
Adware:Adware/TVMedia Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc20\TvmCore.dll
Adware:Adware/eZula Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc21.exe
Adware:Adware/TopMoxie Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc22.exe
Adware:Adware/CWS.Yexe Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-1003\Dc23.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc7\Programs\__delete_on_reboot__webhdll.dll
Adware:Adware/WinTools Not disinfected C:\RECYCLER\S-1-5-21-709730831-4258633224-830553078-500\Dc9\common.dll
Adware:Adware/Mirar Not disinfected C:\WINDOWS\876057.exe
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Adware:adware/bookedspace Not disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\cdt_bbi8016.exe
Spyware:spyware/bridge Not disinfected C:\WINDOWS\Downloaded Program Files\bridge.inf
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Adware:Adware/HuntBar Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\QDow.dll
Adware:Adware/HuntBar Not disinfected C:\WINDOWS\Downloaded Program Files\QDow.dll
Adware:adware/savenow Not disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Adware:Adware/eZula Not disinfected C:\WINDOWS\eZinstall.exe
Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Automotive resources.url
Adware:Adware/nCase Not disinfected C:\WINDOWS\iconz.exe
Adware:Adware/ISearch Not disinfected C:\WINDOWS\idlemg.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\biQ.inf
Adware:Adware/LocalNRD Not disinfected C:\WINDOWS\inf\localNrd.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\inf\multimpp.inf
Adware:Adware/Twain-Tech Not disinfected C:\WINDOWS\inf\twaintec.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\zserv.inf
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Key2.txt
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/msxmidi Not disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RWRkaWUgRGF3c29u\asappsrv.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RWRkaWUgRGF3c29u\command.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RWRkaWUgRGF3c29u\lql4uqo0l3IawZ6R.vbs
Adware:adware/twain-tech Not disinfected C:\WINDOWS\support.cn
Adware:Adware/Iagold Not disinfected C:\WINDOWS\system32\bncpvawe.dll
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\system32\dmk052404.exe
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\dmonwv.dll
Adware:adware/keenvalue Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/WinTools Not disinfected C:\WINDOWS\system32\ibissys.exe[edow.exe]
Spyware:Spyware/LZIO-Media Not disinfected C:\WINDOWS\system32\ielreg.exe
Adware:Adware/SearchFast Not disinfected C:\WINDOWS\system32\keywordsys.exe
Spyware:Spyware/ShopNav Not disinfected C:\WINDOWS\system32\km_install.exe
Spyware:Spyware/LZIO-Media Not disinfected C:\WINDOWS\system32\lzreg.exe
Adware:Adware/PopupSearches Not disinfected C:\WINDOWS\system32\nsa15.dll
Adware:Adware/PopupSearches Not disinfected C:\WINDOWS\system32\nsn31.dll
Spyware:Spyware/LZIO-Media Not disinfected C:\WINDOWS\system32\rdreg.exe
Adware:Adware/KeenValue Not disinfected C:\WINDOWS\system32\setup_incred_9.exe
Dialer:Dialer.GVC Not disinfected C:\WINDOWS\system32\sysmon.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\thlcu.dat
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\UnIrimon.exe
Adware:Adware/Popupdefence Not disinfected C:\WINDOWS\system32\veev5de1.dll
Adware:Adware/Mirar Not disinfected C:\WINDOWS\system32\WinNB57.dll
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\unin101.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_ehhh.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\unwn.exe
Adware:adware/ezula Not disinfected C:\WINDOWS\woinstall.exe


Logfile of HijackThis v1.99.1
Scan saved at 11:16:17 AM, on 6/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nodeipproc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys021644262418] C:\WINDOWS\sys021644262418.exe
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\System32\nodeipproc.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#13 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2006 - 10:52 AM

Hello,

It looks like you missed some steps previously or didn't perform them exactly as I described, so we have to give this another round...
It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

Don't start your LimeWire during this fix!! If your LimeWire starts automatically again, that's because malware is still present.
In that case, I suggest you temporarily uninstall LimeWire to prevent reinfection, because the malware you are dealing with is spreading via LimeWire and you're infecting other computers as well because of that.

* Then go to Start > Control Panel > Software and uninstall Webhancer (Webhancer Companion) or something similar.
It should immediately reboot your system after uninstalling.
After reboot,
  • Download Brute Force Uninstaller to your C:\. I already asked you this before, but I think you did something wrong here.
  • Unzip it to a folder of its own (C:\BFU). So the BFU folder should be on your root. In most cases this is C:\ (make sure it is on your C:\; that's why I repost these instructions, to make sure you did that properly.)
  • Download qoofix.bat (right-click on this link and choose Save As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient; it will take about five minutes.
  • It will ask to reboot your computer, so please allow it to reboot.
* Go to your C:\BFU
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [sys021644262418] C:\WINDOWS\sys021644262418.exe
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\System32\nodeipproc.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste next line in the field:

sc delete ".NET Connection Service"

Hit Enter.

* Reboot into Safe Mode (without networking support!):
  • To get into Safe Mode, as the computer is booting press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete next files and folders if still present (I see you forgot some previously):

C:\Documents and Settings\LocalService\Cookies <== empty the content of this folder
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 <== paste this line in your explorer window and empty the contents of the Content.IE5-folder
C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
C:\Documents and Settings\Owner\Start Menu\Programs\exsplorer.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\WinMoviePlugin.lnk
C:\m.exe
C:\WINDOWS\876057.exe
C:\WINDOWS\alchem.ini
C:\WINDOWS\bsx32.ini
C:\WINDOWS\cdt_bbi8016.exe
C:\WINDOWS\eZinstall.exe
C:\WINDOWS\Favorites\Automotive resources.url
C:\WINDOWS\iconz.exe
C:\WINDOWS\idlemg.exe
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\biQ.inf
C:\WINDOWS\inf\localNrd.inf
C:\WINDOWS\inf\multimpp.inf
C:\WINDOWS\inf\twaintec.inf
C:\WINDOWS\inf\zserv.inf
C:\WINDOWS\Key2.txt
C:\WINDOWS\kwv2.dat
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\RWRkaWUgRGF3c29u <== folder
C:\WINDOWS\support.cn
C:\WINDOWS\system32\bncpvawe.dll
C:\WINDOWS\system32\dmk052404.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\drivers\etc\hosts.bho <== don't delete hosts!!!!
C:\WINDOWS\system32\ezPopStub.exe
C:\WINDOWS\system32\ibissys.exe
C:\WINDOWS\system32\ielreg.exe
C:\WINDOWS\System32\nodeipproc.exe
C:\WINDOWS\system32\keywordsys.exe
C:\WINDOWS\system32\km_install.exe
C:\WINDOWS\system32\lzreg.exe
C:\WINDOWS\system32\nsa15.dll
C:\WINDOWS\system32\nsn31.dll
C:\WINDOWS\system32\rdreg.exe
C:\WINDOWS\system32\setup_incred_9.exe
C:\WINDOWS\system32\sysmon.exe
C:\WINDOWS\system32\thlcu.dat
C:\WINDOWS\system32\UnIrimon.exe
C:\WINDOWS\system32\veev5de1.dll
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\Tagasuarus2.exe
C:\WINDOWS\unin101.exe
C:\WINDOWS\uni_ehhh.exe
C:\WINDOWS\unwn.exe
C:\WINDOWS\woinstall.exe

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\bridge.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\QDow.dll
C:\WINDOWS\Downloaded Program Files\QDow.dll
C:\WINDOWS\Downloaded Program Files\WUInst.inf

Go to start > run and type regsvr32 occache.dll
Click OK


You forgot to clean your cache previously, as well as to run cleanmgr as I asked before, because Panda flags files in your Recycle Bin and these should have been gone after running cleanmgr.
It looks like you also forgot to clean your Java cache as I asked you..
So again..
Clearing Java Cache:
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back to normal mode.

Update your Sun Java:
Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    It should have the next icon next to it: Posted Image
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

As I see from your Panda log, it looks like you also never scanned with a decent antispyware scanner before, or at least not an up-to-date or latest version, so perform the next:

Download Ad-aware version SE Personal 1.06 from one of these locations:

http://www.download.com/3000-2144-10045910.html
http://www.majorgeeks.com/download506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new hijackthislog.
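Added example, not part of this thread and not the helper's tool: a small Python triage pass over HijackThis log lines like the ones fixed above, flagging the persistence patterns miekiemoes picked out by hand: extra Shell= and UserInit= entries in system.ini, autostart entries whose file is missing, Run entries launching from the Windows directory root, and a service binary named svchost.exe outside System32. The sample lines are copied from the log posted in this thread; the "long digit run" rule is a constructed heuristic and the Windows directory is assumed to be C:\WINDOWS.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis v1.99.1 lines copied from the log posted earlier in this
# thread (a mix of entries the helper had fixed and entries that were left alone).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fsndi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pougtaq.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys021644262418] C:\WINDOWS\sys021644262418.exe
O4 - HKLM\..\Run: [nodeipproc] C:\WINDOWS\System32\nodeipproc.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O4"
    reason: str    # why the entry deserves a look
    line: str      # the original log line

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
WINDIR = r"c:\windows"   # assumption: Windows XP default install directory

def _split_values(value: str) -> List[str]:
    """Split a system.ini-style 'a, b' or 'a,b' value into trimmed, non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def _dirname(path: str) -> str:
    path = path.strip('"')
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer would want to look at, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")

        # An autostart that points at a file HijackThis could not find: the loader still
        # tries it at logon, and whatever dropped it may put it back.
        if "(file missing)" in body and section in ("O2", "O20", "O23"):
            findings.append(Finding(section, "autostart references a missing file", line))

        # system.ini Shell= / UserInit= should name only explorer.exe / userinit.exe.
        if section == "F2" and body.startswith("REG:system.ini:"):
            key, _, value = body[len("REG:system.ini:"):].strip().partition("=")
            entries = _split_values(value)
            if key.lower() == "shell":
                extra = [e for e in entries if e.lower() != "explorer.exe"]
                if extra:
                    findings.append(Finding(section, f"extra Shell entry: {', '.join(extra)}", line))
            if key.lower() == "userinit":
                extra = [e for e in entries if _basename(e) != "userinit.exe"]
                if extra:
                    findings.append(Finding(section, f"extra UserInit entry: {', '.join(extra)}", line))

        # Run keys: body looks like 'HKLM\..\Run: [name] "path" args' or '... [name] path'.
        if section == "O4":
            pm = re.search(r'\]\s+("[^"]+"|\S+)', body)
            if pm:
                path = pm.group(1)
                if _dirname(path) == WINDIR:
                    findings.append(Finding(section, "Run entry launches from the Windows directory root", line))
                if re.search(r"\d{6,}", _basename(path)):  # constructed heuristic
                    findings.append(Finding(section, "Run entry name contains a long digit run", line))

        # Services: the binary is the last ' - ' separated field; a real svchost.exe lives in System32.
        if section == "O23":
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if _basename(path) == "svchost.exe" and _dirname(path) != WINDIR + r"\system32":
                findings.append(Finding(section, "service named svchost.exe outside System32", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Note that nodeipproc.exe in System32 is deliberately not caught: the helper flagged it from knowledge of the name, which no path heuristic replaces.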

#14 honda2nr
  • Topic Starter
  • Members
  • 115 posts

Posted 06 June 2006 - 02:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:48:07 PM, on 6/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\AIM\aim.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kxirk] C:\WINDOWS\System32\ojwyjt.exe reg_run
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2006 - 02:56 PM

Ok, this is looking much better.

Check and fix the next entry in HijackThis:

O4 - HKCU\..\Run: [kxirk] C:\WINDOWS\System32\ojwyjt.exe reg_run


By the way, I see Ad-Aware present, but an old version, the Ad-Aware 6.0 version. You really need Ad-Aware SE. Not sure where you got that old one from though. Please uninstall that version and install the latest version. See my previous link.
The version you have is not able to update and misses a lot. That's why you really need that latest version.

Perform a full scan with Ad-Aware SE and reboot afterwards. Then post a new HijackThis log in your next reply and also let me know how things are running now.
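As an added example (not code from the thread or from HijackThis), a small Python script that parses the O4 Run lines from a log in the format posted above and flags entries like [kxirk] -> ojwyjt.exe: an unrecognised file under System32 started from a Run key, whose value name and file name both look machine-generated. The ctfmon.exe control line and the allowlist are constructed assumptions for the example, not part of the poster's log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99.1 O4 format; the last line (ctfmon.exe, a legitimate
# HKCU Run entry on XP) is added as a control and is not from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kxirk] C:\WINDOWS\System32\ojwyjt.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
KNOWN_SYSTEM_RUN = {'ctfmon.exe'}   # partial allowlist, constructed for this example
VOWELS = set('aeiou')

def split_command(cmd):
    """Return (image_path, args). Unquoted paths may contain spaces, so when there are
    no quotes the path is cut after the first '.exe' token instead of at the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(?i)(.*?\.exe)\b(.*)', cmd)
    return (m.group(1), m.group(2).strip()) if m else (cmd, '')

def looks_random(s):
    """Cheap heuristic: short, all-lowercase, letters only, fewer than 25% vowels (kxirk, ojwyjt)."""
    return s.isalpha() and s.islower() and len(s) >= 4 and \
        sum(c in VOWELS for c in s) / len(s) < 0.25

def assess_run_entry(line):
    """Parse one O4 Run line; None if it is not one. 'suspicious' needs both signals to hold."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group('cmd'))
    path = PureWindowsPath(image)
    in_system_dir = 'system32' in [part.lower() for part in path.parts]
    reasons = []
    if in_system_dir and path.name.lower() not in KNOWN_SYSTEM_RUN:
        reasons.append('unrecognised file in System32 started from a Run key')
    if looks_random(m.group('name')) and looks_random(path.stem.lower()):
        reasons.append('value name and file name both look machine-generated')
    return {'hive': m.group('hive'), 'name': m.group('name'), 'image': image,
            'args': args, 'suspicious': len(reasons) == 2, 'reasons': reasons}

def flag_run_entries(log_text):
    """Return only the suspicious O4 Run entries of a whole log."""
    entries = (assess_run_entry(l) for l in log_text.splitlines())
    return [e for e in entries if e and e['suspicious']]
```

Heuristics like this only triage a log; the decision to fix an entry still rests on checking the file itself, as the helper did here.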



