HJT Log


8 replies to this topic

#1 jones7981

jones7981

  • Members
  • 21 posts
  • Local time:07:24 AM

Posted 24 November 2004 - 02:25 AM

Computer has been running very slow and I am having problems with getting my home page hijacked in IE. Any help concerning my HJT log would be greatly appreciated. This is a friend's computer, so my previous HJT log under my name is separate from this.

Thanks,
Aaron

Logfile of HijackThis v1.98.2
Scan saved at 1:05:13 AM, on 11/24/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk95.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\KAZAALITE.EXE
C:\WINDOWS\apire.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\crhc32.exe
C:\WINDOWS\system32\d3yh32.exe
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {592AA13A-FD50-4FA6-8606-5911BE2097D4} - C:\WINDOWS\system32\mscc32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
O4 - HKLM\..\Run: [apire.exe] C:\WINDOWS\apire.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\system32\d3yh32.exe
O4 - HKLM\..\RunOnce: [javaxd32.exe] C:\WINDOWS\javaxd32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\RunOnce: [Kazaa Lite] KAZAALITE.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: binions - http://binions.access.com.au/classes/binions.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c80e4ac3a715ede
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/286/webolr/OCX/FlashAX.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)


#2 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • Local time:12:24 PM

Posted 24 November 2004 - 03:38 AM

Hi jones7981,

You have a nasty CoolWebSearch infection which requires precise steps to fix:

Please download ServiceFilter.zip. This will reveal potential unauthorized running services in your system. Extract it to a new folder on your desktop. Double-click ServiceFilter.vbs. This script will create a text file named Post_This.txt in the same folder where the script itself was saved; copy and paste the contents of Post_This.txt in your next reply here along with a new Hijackthis log.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

"Computers are useless. They can only give you answers." Pablo Picasso

#3 jones7981

jones7981
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:24 AM

Posted 24 November 2004 - 04:27 AM

Here are the new logs you requested.

Thank you

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195
Nov 24, 2004 3:07:55 AM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Auto
Start Name: LocalSystem
Description: ISEXEng...
Service Type: Own Process
Path: c:\windows\system32\angelex.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: WUSB28SVC
Display Name: WUSB28SVC
Start Mode: Auto
Start Name: LocalSystem
Description: WUSB28SVC...
Service Type: Own Process
Path: "c:\program files\wusb11 wlan monitor\wlservice.exe" "wusb11b.exe"
State: Running
Process ID: 748
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 3
Service Name: %AF
Display Name: Network Security Service
Start Mode: Auto
Start Name: LocalSystem
Description: Network Security ...
Service Type: Share Process
Path: c:\windows\crhc32.exe /s
State: Running
Process ID: 404
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 58 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 9.893555 seconds.

Logfile of HijackThis v1.98.2
Scan saved at 3:08:52 AM, on 11/24/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk95.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\KAZAALITE.EXE
C:\WINDOWS\apire.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\crhc32.exe
C:\WINDOWS\system32\d3yh32.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {592AA13A-FD50-4FA6-8606-5911BE2097D4} - C:\WINDOWS\system32\mscc32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
O4 - HKLM\..\Run: [apire.exe] C:\WINDOWS\apire.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\system32\d3yh32.exe
O4 - HKLM\..\RunOnce: [javaxd32.exe] C:\WINDOWS\javaxd32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\RunOnce: [Kazaa Lite] KAZAALITE.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: binions - http://binions.access.com.au/classes/binions.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c80e4ac3a715ede
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/286/webolr/OCX/FlashAX.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

#4 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • Local time:12:24 PM

Posted 24 November 2004 - 11:59 AM

Go to Add/Remove in your control panel and uninstall P2P Networking, KAZAA, WebRebates, BullsEye Network, WildTangent and Windows AdControl; they all carry some kind of malware and none of them are needed.

Copy and paste the contents of the quotebox to Notepad. Name the file fix.reg. Change the Save as Type to All Files. Save this file on the desktop; we'll use it a bit later:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Same again with the quote box below but "Save As" remove.reg
In the "Save as type" select: All files.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISEXEng]


Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later.

Download AboutBuster. Unzip it to C:\aboutbuster but don't run it yet; we'll do that later on, further down this list, in SAFE MODE.

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode.

You may want to print out the rest of these steps to refer to as you go. IMPORTANT: Please stay offline until instructed otherwise, connecting to the internet could cause this fix to fail.

Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok.

Scroll down and find the services called:

ISEXEng and Network Security Service

Double-click on each one in turn. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Press control-alt-delete to get into the task manager and end the following processes if they exist:

angelex.exe and crhc32.exe

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {592AA13A-FD50-4FA6-8606-5911BE2097D4} - C:\WINDOWS\system32\mscc32.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [apire.exe] C:\WINDOWS\apire.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\system32\d3yh32.exe
O4 - HKLM\..\RunOnce: [javaxd32.exe] C:\WINDOWS\javaxd32.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c80e4ac3a715ede
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

Navigate to and delete the following files if present (if you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked; if it is, uncheck it and try again):

C:\WINDOWS\crhc32.exe <-------- Delete this file.
C:\WINDOWS\apire.exe <-------- Delete this file.
C:\WINDOWS\javaxd32.exe <-------- Delete this file.
C:\WINDOWS\system32\angelex.exe <-------- Delete this file.
C:\WINDOWS\system32\bverr.dll <-------- Delete this file.
C:\WINDOWS\system32\mscc32.dll <-------- Delete this file.
C:\WINDOWS\system32\d3yh32.exe <-------- Delete this file.
C:\WINDOWS\System32\P2P Networking <-------- Delete this folder.
C:\Program Files\Common files\SearchUpgrader <-------- Delete this folder.
C:\Program Files\Kazaa <-------- Delete this folder.
C:\Program Files\Web_Rebates <-------- Delete this folder.
C:\Program Files\BullsEye Network <-------- Delete this folder.
C:\Program Files\WildTangent <-------- Delete this folder.
C:\Program Files\Windows AdControl <-------- Delete this folder.

Still in Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder (do this for all usernames).

Finally, go to Control Panel>Internet Options.
On the General tab under: Temporary Internet Files, click: Delete Files
Place a check by: Delete Offline Content when the prompt appears, and click OK.
Next, click on the Programs tab, then click: Reset Web Settings button.
Click Apply, then OK.

Also, empty the Recycle Bin.

Next, we will remove the offending service. Go to Start | Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:

%AF or Network Security Service or ISEXEng

If any are listed, right-click that entry and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

LEGACY %AF or LEGACY Network Security Service or LEGACY ISEXEng

If any are listed, right-click the entry and choose Delete.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Browse to C:\aboutbuster and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

Then double-click on the fix.reg file we created earlier on your desktop and when it prompts to merge say yes, this will clear some registry entries left behind by the process. Do the same with the Remove.reg file.

Now run Ad-Aware.

Reboot into normal mode.

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.


Do an online scan at TrendMicro's site. Let it remove any infected files found.

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.

"Computers are useless. They can only give you answers." Pablo Picasso
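As an added example (not code from this thread, from HijackThis or from BleepingComputer), a small Python triage script that reads HijackThis-format lines and flags the indicator types singled out in the fix above: search/start pages redirected into a res:// DLL, a missing URLSearchHook, unnamed BHOs, Run/RunOnce entries named after a bare executable in the Windows directory, O16 entries with no source URL, and O18 protocol handlers whose DLL is missing. It also compares a pre-fix log with a post-fix log to confirm the flagged entries are gone. The sample lines are constructed from entries quoted in this thread, and the heuristics are this example's assumptions, not HijackThis's own rules.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.98 line format, modelled on entries in
# this thread. It is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bverr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {592AA13A-FD50-4FA6-8606-5911BE2097D4} - C:\WINDOWS\system32\mscc32.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [apire.exe] C:\WINDOWS\apire.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\system32\d3yh32.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
"""

# Constructed "after the fix" sample: the legitimate entries survive and one
# Run entry has come back, which the comparison below should catch.
SAMPLE_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [apire.exe] C:\WINDOWS\apire.exe
"""

Finding = Tuple[str, str]  # (HijackThis line, reason it was flagged)

# The heuristics below are this example's assumptions, not HijackThis's own rules.
RES_DLL = re.compile(r"=\s*res://.+?\.dll/", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
WINDOWS_EXE = re.compile(r'^"?C:\\WINDOWS\\(system32\\)?[^\\]+\.exe"?', re.IGNORECASE)


def triage(log: str) -> List[Finding]:
    """Flag the lines that match the CoolWebSearch indicators discussed in this
    thread. Returns (line, reason) pairs in log order."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    findings: List[Finding] = []
    # A search/start page pointing into a res:// DLL resource is the hallmark;
    # an about:blank start page only counts as suspicious when that is present.
    res_hijack = any(l.startswith(("R0", "R1")) and RES_DLL.search(l) for l in lines)
    for line in lines:
        if line.startswith(("R0", "R1")):
            if RES_DLL.search(line):
                findings.append((line, "IE search/start page redirected into a local DLL resource"))
            elif res_hijack and line.endswith("= about:blank"):
                findings.append((line, "about:blank start page set alongside a res:// hijack"))
        elif line.startswith("R3") and "URLSearchHook is missing" in line:
            findings.append((line, "default URLSearchHook has been removed"))
        elif line.startswith("O2 - BHO: (no name)"):
            # Legitimate BHOs normally carry a class name and live under Program Files.
            if line.endswith("(no file)") or "\\system32\\" in line.lower():
                findings.append((line, "unnamed BHO with no file, or a DLL dropped straight into system32"))
        elif line.startswith("O4"):
            m = O4_LINE.match(line)
            if m:
                _hive, key, name, cmd = m.groups()
                basename = cmd.strip('"').split("\\")[-1].split(" ")[0]
                # Entry name identical to a bare exe in C:\WINDOWS or system32
                # (apire.exe, d3yh32.exe, javaxd32.exe in this thread).
                if name.lower() == basename.lower() and WINDOWS_EXE.match(cmd):
                    findings.append((line, f"{key} entry named after a bare exe in the Windows directory"))
        elif line.startswith("O16") and line.endswith("-"):
            findings.append((line, "ActiveX download entry with no source URL"))
        elif line.startswith("O18") and "(file missing)" in line:
            findings.append((line, "custom protocol handler whose DLL is gone"))
    return findings


def still_present(before: str, after: str) -> List[str]:
    """Flagged lines from the pre-fix log that reappear verbatim in the post-fix
    log. A non-empty result means an entry survived (or was re-created)."""
    after_lines = {l.strip() for l in after.splitlines()}
    return [line for line, _ in triage(before) if line in after_lines]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    print("Survived the fix:", still_present(SAMPLE_LOG, SAMPLE_AFTER))
```

Run it on a saved HijackThis log by passing the file contents to triage(); the legitimate Yahoo, Acrobat and ATI entries in the sample are left unflagged.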

#5 jones7981

jones7981
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:24 AM

Posted 24 November 2004 - 04:52 PM

We are having some difficulty opening "Add/Remove Programs", it won't run. Control panel will open up but double clicking on Add/Remove Programs does nothing. Should I continue the rest of the steps skipping that one???

Thanks,
Aaron

#6 Nirvana (In Utero, Members, 218 posts)

Posted 24 November 2004 - 06:22 PM

Please do, thanks.

#7 jones7981 (Topic Starter, Members, 21 posts)

Posted 24 November 2004 - 08:59 PM

Here are the new logs. Thanks for all your help. Also, do you know why my Add/Remove Programs will not open?

Thanks,
Aaron


Logfile of HijackThis v1.98.2
Scan saved at 7:28:20 PM, on 11/24/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk95.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\KAZAALITE.EXE
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\RunOnce: [Kazaa Lite] KAZAALITE.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: binions - http://binions.access.com.au/classes/binions.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/286/webolr/OCX/FlashAX.cab


Scanned at: 6:28:11 PM on: 11/24/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\2PORTALMON_Debug.txt:fuhqp
C:\WINDOWS\aaoum.dll:zegsp
C:\WINDOWS\addfs.exe:inelh
C:\WINDOWS\control.ini:wflwy
C:\WINDOWS\cqnskc.dat:cxypn
C:\WINDOWS\crao32.exe:pgwbt
C:\WINDOWS\criu.exe:vprvi
C:\WINDOWS\CTCCW.DLL:nqjak
C:\WINDOWS\CTDVAUDY.CDF:grufe
C:\WINDOWS\CTL3D32.DLL:hgoon
C:\WINDOWS\cwebb.dat:ahhup
C:\WINDOWS\delttsul.exe:zvylh
C:\WINDOWS\discover.exe:swirb
C:\WINDOWS\dvadn.dat:kwbwd
C:\WINDOWS\EasyPhoto Slide Show.scr:vxtbx
C:\WINDOWS\fff00b03_{395E7C20-E319-11D7-B033-00045A8D9434}.tmp:bmtnw
C:\WINDOWS\fff037fd_{1B3298A1-F25D-11D7-B033-00045A8D9434}.tmp:tndsy
C:\WINDOWS\fff0a3eb_{B8DFAB41-D9F5-11D7-B033-00045A8D9434}.tmp:lowxs
C:\WINDOWS\fff0df73_{86E06D80-D78B-11D7-B033-00045A8D9434}.tmp:epoln
C:\WINDOWS\fffc5dfd_{29BCFCA0-C4F2-11D7-B033-00045A8D9434}.tmp:cxarw
C:\WINDOWS\fffcbabd_{81AA4521-AE2D-11D7-B033-00045A8D9434}.tmp:uqlwy
C:\WINDOWS\fffd4333_{4DC00F01-F019-11D7-B033-00045A8D9434}.tmp:uckbo
C:\WINDOWS\fffd5021_{60DEC281-F743-11D7-B033-00045A8D9434}.tmp:xrwhu
C:\WINDOWS\fffd74bf_{CF5AFD80-DDCD-11D7-B033-00045A8D9434}.tmp:nvupi
C:\WINDOWS\fffd74bf_{CF5AFD81-DDCD-11D7-B033-00045A8D9434}.tmp:hptee
C:\WINDOWS\fffe085b_{E11FA921-9CD3-11D7-B033-00045A8D9434}.tmp:pmfyh
C:\WINDOWS\fffe122f_{6D9DE7C1-9B46-11D7-B033-00045A8D9434}.tmp:pwgze
C:\WINDOWS\fffe1243_{37255560-9F07-11D7-B033-00045A8D9434}.tmp:rrxpa
C:\WINDOWS\fffe132b_{30C55C81-9FFA-11D7-B033-00045A8D9434}.tmp:kspcv
C:\WINDOWS\fffe1f9f_{D6598401-9C26-11D7-B033-00045A8D9434}.tmp:noriv
C:\WINDOWS\fffe2a05_{736C38C0-AA8A-11D7-B033-00045A8D9434}.tmp:fgknp
C:\WINDOWS\fffe31b1_{E74637A1-9AD1-11D7-B033-00045A8D9434}.tmp:yhvsr
C:\WINDOWS\fffe3937_{89F668E0-A14D-11D7-B033-00045A8D9434}.tmp:qingl
C:\WINDOWS\fffe810d_{C05F5741-83D7-11D7-B033-00045A8D9434}.tmp:wreri
C:\WINDOWS\fffea363_{84609B01-56D7-11D7-B033-00045A8D9434}.tmp:stapy
C:\WINDOWS\fffebd5f_{B93FFBE0-70C7-11D7-B033-00045A8D9434}.tmp:tmvjd
C:\WINDOWS\fffebdb5_{599E99A1-6ADA-11D7-B033-00045A8D9434}.tmp:eogta
C:\WINDOWS\fffebdeb_{058573A0-67C1-11D7-B033-00045A8D9434}.tmp:wozzu
C:\WINDOWS\fffebefb_{CE585EC0-74CB-11D7-B033-00045A8D9434}.tmp:qqylc
C:\WINDOWS\fffebf3b_{493E5A41-5604-11D7-B033-00045A8D9434}.tmp:jrjre
C:\WINDOWS\fffebf51_{0602AC60-593B-11D7-B033-00045A8D9434}.tmp:tsbwy
C:\WINDOWS\fffec01f_{A6FC8B40-7EE8-11D7-B033-00045A8D9434}.tmp:msuba
C:\WINDOWS\fffec1d7_{BD26D9C0-9A9A-11D7-B033-00045A8D9434}.tmp:qrdcx
C:\WINDOWS\fffec3a9_{BF751A20-7EFC-11D7-B033-00045A8D9434}.tmp:isnhr
C:\WINDOWS\fffec429_{D1258F21-9B44-11D7-B033-00045A8D9434}.tmp:bsgvt
C:\WINDOWS\fffec5e3_{75DD9AA0-65F1-11D7-B033-00045A8D9434}.tmp:ttzao
C:\WINDOWS\fffec9dd_{F0FF72E0-4F12-11EA-B032-00045A8D9434}.tmp:zlapn
C:\WINDOWS\fffecb7f_{41C54E61-4E32-11D7-B033-00045A8D9434}.tmp:qhuch
C:\WINDOWS\fffeccad_{E032A540-7B4E-11D7-B033-00045A8D9434}.tmp:dovnd
C:\WINDOWS\fffeccff_{157872E1-9BFF-11D7-B033-00045A8D9434}.tmp:jinij
C:\WINDOWS\fffef125_{F2871581-5305-11D7-B033-00045A8D9434}.tmp:qcbsk
C:\WINDOWS\fffef207_{69A0F661-4F30-11D7-B033-00045A8D9434}.tmp:idlym
C:\WINDOWS\fffef443_{D95FE7E0-9B02-11D7-B033-00045A8D9434}.tmp:bdelg
C:\WINDOWS\fffef44b_{34F56521-A42D-11D7-B033-00045A8D9434}.tmp:tewqa
C:\WINDOWS\gqzzks.dat:weqso
C:\WINDOWS\HCExtOutput.dll:ofjyi
C:\WINDOWS\hh.exe:hgtlk
C:\WINDOWS\hhqaya.dat:czcdv
C:\WINDOWS\HLPSTEP3.GIF:uojtg
C:\WINDOWS\hqubv.dll:mpchi
C:\WINDOWS\hrirei.dat:fssvw
C:\WINDOWS\hstcc.dat:fqmmc
C:\WINDOWS\HTMLHELP.HTM:xtkbq
C:\WINDOWS\hylqb.dll:qtvgs
C:\WINDOWS\idtnqo.dat:iunlm
C:\WINDOWS\javapl.exe:tqvag
C:\WINDOWS\javaw.exe:syeua
C:\WINDOWS\jfmvv.dat:lrofi
C:\WINDOWS\jnvwxv.dat:erhkd
C:\WINDOWS\kewunt.dat:tcjja
C:\WINDOWS\khpjz.dat:driew
C:\WINDOWS\kpcms.ini:lvupu
C:\WINDOWS\lclnot.dat:wwfhr
C:\WINDOWS\Lexarej0.exe:ntxwn
C:\WINDOWS\lkwcd.dat:fmqji
C:\WINDOWS\loadhttp.dll:yniok
C:\WINDOWS\mspc.exe:xhacm
C:\WINDOWS\mzory.dll:hidni
C:\WINDOWS\odbs.log:uword
C:\WINDOWS\oismct.dat:ccznd
C:\WINDOWS\PROTOCOL.---:oczbw
C:\WINDOWS\ptari.dat:hcrgy
C:\WINDOWS\qmyqk.dll:zdkmt
C:\WINDOWS\qpqpxp.dat:seurv
C:\WINDOWS\rmkyf.dat:qsenn
C:\WINDOWS\SPROF32.DLL:rgpal
C:\WINDOWS\Sti_Trace.log:jhign
C:\WINDOWS\sxzkr.dll:chblh
C:\WINDOWS\SYSTEM.BAK:uilqj
C:\WINDOWS\TELEPHON.INI:xrtht
C:\WINDOWS\tfghd.dat:wdotl
C:\WINDOWS\tkwrl.log:prlmn
C:\WINDOWS\tmpdelis.bat:kkaxh
C:\WINDOWS\TMUPDATE.DLL:oegyf
C:\WINDOWS\Triangles.bmp:iswzh
C:\WINDOWS\TWAINTEC.DLL:nmevy
C:\WINDOWS\winrep.exe:dhepk
C:\WINDOWS\WMSysPr9.prx:viwce
C:\WINDOWS\WMSysPrx.prx:cnjwe
C:\WINDOWS\wplog.txt:giphg
C:\WINDOWS\wqgkrw.dat:uocjy
C:\WINDOWS\xgtai.dll:noups
C:\WINDOWS\xkcwsr.dat:fpfuu
C:\WINDOWS\Zapotec.bmp:bsmsr
C:\WINDOWS\zijmt.dll:uteyt
C:\WINDOWS\zsgle.dat:mupdn


Removed 8 Random Key Entries
Removed! : C:\WINDOWS\aaoum.dll
Removed! : C:\WINDOWS\addah32.exe
Removed! : C:\WINDOWS\addyr.exe
Removed! : C:\WINDOWS\afljb.dat
Removed! : C:\WINDOWS\amtjc.dat
Removed! : C:\WINDOWS\apixc.exe
Removed! : C:\WINDOWS\appxd32.exe
Removed! : C:\WINDOWS\aqhsf.dat
Removed! : C:\WINDOWS\atmvz.dll
Removed! : C:\WINDOWS\awohrl.dat
Removed! : C:\WINDOWS\awxjwe.dat
Removed! : C:\WINDOWS\ayveye.dat
Removed! : C:\WINDOWS\bboatl.dat
Removed! : C:\WINDOWS\bcemak.dat
Removed! : C:\WINDOWS\bjqace.dat
Removed! : C:\WINDOWS\bknas.dll
Removed! : C:\WINDOWS\bsxph.dat
Removed! : C:\WINDOWS\btxno.dat
Removed! : C:\WINDOWS\caieer.dat
Removed! : C:\WINDOWS\cdcso.dat
Removed! : C:\WINDOWS\cfcgv.dat
Removed! : C:\WINDOWS\chrzz.dat
Removed! : C:\WINDOWS\corusf.dat
Removed! : C:\WINDOWS\crao32.exe
Removed! : C:\WINDOWS\criu.exe
Removed! : C:\WINDOWS\crqc.exe
Removed! : C:\WINDOWS\cuiuum.dat
Removed! : C:\WINDOWS\culzk.dat
Removed! : C:\WINDOWS\cutdv.dat
Removed! : C:\WINDOWS\cwebb.dat
Removed! : C:\WINDOWS\cytbr.dll
Removed! : C:\WINDOWS\d3bc.exe
Removed! : C:\WINDOWS\d3uo.exe
Removed! : C:\WINDOWS\dituuf.dat
Removed! : C:\WINDOWS\dixbj.dat
Removed! : C:\WINDOWS\dlhgh.dll
Removed! : C:\WINDOWS\dodpc.dat
Removed! : C:\WINDOWS\dxdrm.dat
Removed! : C:\WINDOWS\dzqrfk.dat
Removed! : C:\WINDOWS\edgdp.dat
Removed! : C:\WINDOWS\enegl.dat
Removed! : C:\WINDOWS\eqolx.dat
Removed! : C:\WINDOWS\esloq.dat
Removed! : C:\WINDOWS\euanf.dat
Removed! : C:\WINDOWS\evghyv.dat
Removed! : C:\WINDOWS\evpozk.dat
Removed! : C:\WINDOWS\ezakh.dll
Removed! : C:\WINDOWS\fhzak.dat
Removed! : C:\WINDOWS\frboff.dat
Removed! : C:\WINDOWS\fskxj.dll
Removed! : C:\WINDOWS\fwvmf.dat
Removed! : C:\WINDOWS\gbczc.dat
Removed! : C:\WINDOWS\gddkd.dat
Removed! : C:\WINDOWS\gokzi.dat
Removed! : C:\WINDOWS\gqzzks.dat
Removed! : C:\WINDOWS\gryzw.dll
Removed! : C:\WINDOWS\gwakq.dll
Removed! : C:\WINDOWS\gzeum.dat
Removed! : C:\WINDOWS\hcpqh.dll
Removed! : C:\WINDOWS\hevvw.dll
Removed! : C:\WINDOWS\hfxwv.dat
Removed! : C:\WINDOWS\hhqaya.dat
Removed! : C:\WINDOWS\hkrjdj.dat
Removed! : C:\WINDOWS\hmrnco.dat
Removed! : C:\WINDOWS\hqubv.dll
Removed! : C:\WINDOWS\hrirei.dat
Removed! : C:\WINDOWS\hstcc.dat
Removed! : C:\WINDOWS\hyzft.dat
Removed! : C:\WINDOWS\idtnqo.dat
Removed! : C:\WINDOWS\ieel32.exe
Removed! : C:\WINDOWS\ihglt.dll
Removed! : C:\WINDOWS\iimhe.dat
Removed! : C:\WINDOWS\iimhe.dll
Removed! : C:\WINDOWS\ikipfy.dat
Removed! : C:\WINDOWS\iptu32.exe
Removed! : C:\WINDOWS\iyxmf.dat
Removed! : C:\WINDOWS\iztba.dll
Removed! : C:\WINDOWS\javads32.exe
Removed! : C:\WINDOWS\javahd.exe
Removed! : C:\WINDOWS\javapl.exe
Removed! : C:\WINDOWS\jefyd.dat
Removed! : C:\WINDOWS\jfmvv.dat
Removed! : C:\WINDOWS\jfoaa.dll
Removed! : C:\WINDOWS\jnvwxv.dat
Removed! : C:\WINDOWS\kewunt.dat
Removed! : C:\WINDOWS\khpjz.dat
Removed! : C:\WINDOWS\kpfcjj.dat
Removed! : C:\WINDOWS\kzmaq.dll
Removed! : C:\WINDOWS\lbzwd.dll
Removed! : C:\WINDOWS\lgbif.dll
Removed! : C:\WINDOWS\lgeae.dat
Removed! : C:\WINDOWS\lkwcd.dat
Removed! : C:\WINDOWS\lzvdj.dat
Removed! : C:\WINDOWS\mfcco.exe
Removed! : C:\WINDOWS\mfnpt.dat
Removed! : C:\WINDOWS\mgfis.dll
Removed! : C:\WINDOWS\mhgwg.dat
Removed! : C:\WINDOWS\mjfidy.dat
Removed! : C:\WINDOWS\mvbxl.dat
Removed! : C:\WINDOWS\mvkxo.dat
Removed! : C:\WINDOWS\mwssf.dat
Removed! : C:\WINDOWS\mzory.dll
Removed! : C:\WINDOWS\nauqf.dat
Removed! : C:\WINDOWS\netku32.exe
Removed! : C:\WINDOWS\niglg.dll
Removed! : C:\WINDOWS\njvpgj.dat
Removed! : C:\WINDOWS\nmzor.dat
Removed! : C:\WINDOWS\npzrrc.dat
Removed! : C:\WINDOWS\nrpth.dat
Removed! : C:\WINDOWS\ntafvg.dat
Removed! : C:\WINDOWS\nwdjie.dat
Removed! : C:\WINDOWS\n_alpezm.dat
Removed! : C:\WINDOWS\n_dgbwdl.dat
Removed! : C:\WINDOWS\n_dkgmvr.dat
Removed! : C:\WINDOWS\n_evpozk.dat
Removed! : C:\WINDOWS\n_eyhwxh.dat
Removed! : C:\WINDOWS\n_hshwgq.dat
Removed! : C:\WINDOWS\n_ikipfy.dat
Removed! : C:\WINDOWS\n_ilfgmp.dat
Removed! : C:\WINDOWS\n_jkoity.dat
Removed! : C:\WINDOWS\n_llnwvn.dat
Removed! : C:\WINDOWS\n_lsggnx.dat
Removed! : C:\WINDOWS\n_luqted.dat
Removed! : C:\WINDOWS\n_mtuanb.dat
Removed! : C:\WINDOWS\n_nguxap.dat
Removed! : C:\WINDOWS\n_omvowv.dat
Removed! : C:\WINDOWS\n_pembtk.dat
Removed! : C:\WINDOWS\n_qgnawq.dat
Removed! : C:\WINDOWS\n_qxjabj.dat
Removed! : C:\WINDOWS\n_qzgtra.dat
Removed! : C:\WINDOWS\n_rfkhqg.dat
Removed! : C:\WINDOWS\n_sxarkw.dat
Removed! : C:\WINDOWS\n_tjqnjp.dat
Removed! : C:\WINDOWS\n_tjxubi.dat
Removed! : C:\WINDOWS\n_tynmqs.dat
Removed! : C:\WINDOWS\n_uqaosv.dat
Removed! : C:\WINDOWS\n_vcyzdy.dat
Removed! : C:\WINDOWS\n_vukaeb.dat
Removed! : C:\WINDOWS\n_xmeyqn.dat
Removed! : C:\WINDOWS\n_yjhwlg.dat
Removed! : C:\WINDOWS\n_yqqlcu.dat
Removed! : C:\WINDOWS\n_zbgbmm.dat
Removed! : C:\WINDOWS\oabas.dat
Removed! : C:\WINDOWS\ocuoj.dll
Removed! : C:\WINDOWS\odpcq.dll
Removed! : C:\WINDOWS\oismct.dat
Removed! : C:\WINDOWS\oyzwj.dat
Removed! : C:\WINDOWS\ponxw.dat
Removed! : C:\WINDOWS\ptari.dat
Removed! : C:\WINDOWS\puqkb.dll
Removed! : C:\WINDOWS\qmyqk.dll
Removed! : C:\WINDOWS\qtddn.dat
Removed! : C:\WINDOWS\raffd.dat
Removed! : C:\WINDOWS\rfcrm.dat
Removed! : C:\WINDOWS\rplkls.dat
Removed! : C:\WINDOWS\rpnck.dat
Removed! : C:\WINDOWS\rvdoi.dat
Removed! : C:\WINDOWS\sdksw.exe
Removed! : C:\WINDOWS\srvfni.dat
Removed! : C:\WINDOWS\sxzkr.dll
Removed! : C:\WINDOWS\systk32.dll
Removed! : C:\WINDOWS\szsrbm.dat
Removed! : C:\WINDOWS\szvin.dat
Removed! : C:\WINDOWS\tdpcy.dat
Removed! : C:\WINDOWS\tfghd.dat
Removed! : C:\WINDOWS\ubendn.dat
Removed! : C:\WINDOWS\uhgoi.dat
Removed! : C:\WINDOWS\untels.dat
Removed! : C:\WINDOWS\uoygv.dat
Removed! : C:\WINDOWS\uwvwa.dat
Removed! : C:\WINDOWS\uxhkp.dll
Removed! : C:\WINDOWS\vbxlb.dll
Removed! : C:\WINDOWS\vmrcdej.exe
Removed! : C:\WINDOWS\vnclv.dat
Removed! : C:\WINDOWS\vrbjt.dll
Removed! : C:\WINDOWS\vvepc.dat
Removed! : C:\WINDOWS\vznsv.dll
Removed! : C:\WINDOWS\weuet.dat
Removed! : C:\WINDOWS\wingq.exe
Removed! : C:\WINDOWS\wlwosl.dat
Removed! : C:\WINDOWS\wpeow.dat
Removed! : C:\WINDOWS\wqgkrw.dat
Removed! : C:\WINDOWS\xhmyi.dat
Removed! : C:\WINDOWS\xkcwsr.dat
Removed! : C:\WINDOWS\xmfsci.dat
Removed! : C:\WINDOWS\xmgfi.dat
Removed! : C:\WINDOWS\xmlwn.dat
Removed! : C:\WINDOWS\xyqan.dll
Removed! : C:\WINDOWS\ybdfmx.dat
Removed! : C:\WINDOWS\yfzdnb.dat
Removed! : C:\WINDOWS\yghbz.dat
Removed! : C:\WINDOWS\ytkgs.dll
Removed! : C:\WINDOWS\yxesi.dat
Removed! : C:\WINDOWS\zhyhg.dat
Removed! : C:\WINDOWS\ziado.dat
Removed! : C:\WINDOWS\zijmt.dll
Removed! : C:\WINDOWS\zqcodx.dat
Removed! : C:\WINDOWS\zsgle.dat
Removed! : C:\WINDOWS\zwcms.dat
Removed! : C:\WINDOWS\System32\addoy32.exe
Removed! : C:\WINDOWS\System32\addyp.dll
Removed! : C:\WINDOWS\System32\adyqu.dat
Removed! : C:\WINDOWS\System32\aefuq.dll
Removed! : C:\WINDOWS\System32\ahmtu.dat
Removed! : C:\WINDOWS\System32\ahxqa.dll
Removed! : C:\WINDOWS\System32\altng.dat
Removed! : C:\WINDOWS\System32\aoprq.dat
Removed! : C:\WINDOWS\System32\apivw32.exe
Removed! : C:\WINDOWS\System32\appct.exe
Removed! : C:\WINDOWS\System32\appkj32.exe
Removed! : C:\WINDOWS\System32\atlgz.exe
Removed! : C:\WINDOWS\System32\atlou.dat
Removed! : C:\WINDOWS\System32\avbyq.dat
Removed! : C:\WINDOWS\System32\badfz.dat
Removed! : C:\WINDOWS\System32\bgsqi.dat
Removed! : C:\WINDOWS\System32\bjrxn.dat
Removed! : C:\WINDOWS\System32\bogaa.dat
Removed! : C:\WINDOWS\System32\bwquw.dat
Removed! : C:\WINDOWS\System32\bzsnf.dat
Removed! : C:\WINDOWS\System32\chree.dll
Removed! : C:\WINDOWS\System32\cjlmu.dat
Removed! : C:\WINDOWS\System32\crip.exe
Removed! : C:\WINDOWS\System32\cubti.dat
Removed! : C:\WINDOWS\System32\cwwlh.dat
Removed! : C:\WINDOWS\System32\d3yy32.exe
Removed! : C:\WINDOWS\System32\dlchx.dat
Removed! : C:\WINDOWS\System32\dqmci.dat
Removed! : C:\WINDOWS\System32\ecgul.dat
Removed! : C:\WINDOWS\System32\effpp.dat
Removed! : C:\WINDOWS\System32\effpp.dll
Removed! : C:\WINDOWS\System32\efogp.dat
Removed! : C:\WINDOWS\System32\eheoi.dat
Removed! : C:\WINDOWS\System32\exlub.dat
Removed! : C:\WINDOWS\System32\felwl.dll
Removed! : C:\WINDOWS\System32\fevcn.dat
Removed! : C:\WINDOWS\System32\fioyw.dat
Removed! : C:\WINDOWS\System32\gafis.dat
Removed! : C:\WINDOWS\System32\gfytf.dat
Removed! : C:\WINDOWS\System32\gijph.dll
Removed! : C:\WINDOWS\System32\gmxpg.dll
Removed! : C:\WINDOWS\System32\gplog.dll
Removed! : C:\WINDOWS\System32\gqcgv.dat
Removed! : C:\WINDOWS\System32\hdvpi.dat
Removed! : C:\WINDOWS\System32\hgres.dll
Removed! : C:\WINDOWS\System32\hlihj.dat
Removed! : C:\WINDOWS\System32\hnjen.dat
Removed! : C:\WINDOWS\System32\hwnci.dll
Removed! : C:\WINDOWS\System32\hzqts.dat
Removed! : C:\WINDOWS\System32\hzqts.dll
Removed! : C:\WINDOWS\System32\ielk.exe
Removed! : C:\WINDOWS\System32\ieul.exe
Removed! : C:\WINDOWS\System32\iobed.dat
Removed! : C:\WINDOWS\System32\iprj32.exe
Removed! : C:\WINDOWS\System32\isskk.dat
Removed! : C:\WINDOWS\System32\iuzbl.dat
Removed! : C:\WINDOWS\System32\javalg32.exe
Removed! : C:\WINDOWS\System32\javarj32.exe
Removed! : C:\WINDOWS\System32\jgmxp.dat
Removed! : C:\WINDOWS\System32\jhgyg.dat
Removed! : C:\WINDOWS\System32\jhqbk.dll
Removed! : C:\WINDOWS\System32\jpmvr.dat
Removed! : C:\WINDOWS\System32\jytgf.dat
Removed! : C:\WINDOWS\System32\kasxc.dll
Removed! : C:\WINDOWS\System32\kgffk.dll
Removed! : C:\WINDOWS\System32\kuvah.dat
Removed! : C:\WINDOWS\System32\kzhvn.dat
Removed! : C:\WINDOWS\System32\lchxt.dll
Removed! : C:\WINDOWS\System32\lisnn.dat
Removed! : C:\WINDOWS\System32\lkkcv.dat
Removed! : C:\WINDOWS\System32\lkwgd.dll
Removed! : C:\WINDOWS\System32\lvrvk.dat
Removed! : C:\WINDOWS\System32\mfczr.exe
Removed! : C:\WINDOWS\System32\mptre.dat
Removed! : C:\WINDOWS\System32\mqscp.dat
Removed! : C:\WINDOWS\System32\msfc.dll
Removed! : C:\WINDOWS\System32\netbo32.exe
Removed! : C:\WINDOWS\System32\netvf.exe
Removed! : C:\WINDOWS\System32\niqvv.dat
Removed! : C:\WINDOWS\System32\nlhdo.dat
Removed! : C:\WINDOWS\System32\nvgyz.dat
Removed! : C:\WINDOWS\System32\nykrx.dat
Removed! : C:\WINDOWS\System32\ojhqb.dat
Removed! : C:\WINDOWS\System32\oqlha.dat
Removed! : C:\WINDOWS\System32\orgno.dat
Removed! : C:\WINDOWS\System32\otmro.dat
Removed! : C:\WINDOWS\System32\pbjsv.dat
Removed! : C:\WINDOWS\System32\pibyy.dll
Removed! : C:\WINDOWS\System32\pjnpv.dat
Removed! : C:\WINDOWS\System32\pmpdl.dll
Removed! : C:\WINDOWS\System32\pofbl.dat
Removed! : C:\WINDOWS\System32\psgud.dat
Removed! : C:\WINDOWS\System32\psgud.dll
Removed! : C:\WINDOWS\System32\pywfy.dat
Removed! : C:\WINDOWS\System32\qhbrg.dll
Removed! : C:\WINDOWS\System32\qnfjc.dat
Removed! : C:\WINDOWS\System32\qwify.dat
Removed! : C:\WINDOWS\System32\qxoov.dll
Removed! : C:\WINDOWS\System32\rfcxz.dll
Removed! : C:\WINDOWS\System32\rmjxx.dat
Removed! : C:\WINDOWS\System32\rsxzq.dll
Removed! : C:\WINDOWS\System32\sdkwu32.exe
Removed! : C:\WINDOWS\System32\shbwu.dat
Removed! : C:\WINDOWS\System32\sjdvw.dll
Removed! : C:\WINDOWS\System32\sjufd.dll
Removed! : C:\WINDOWS\System32\speju.dat
Removed! : C:\WINDOWS\System32\sskkj.dll
Removed! : C:\WINDOWS\System32\swdkw.dat
Removed! : C:\WINDOWS\System32\sysji32.exe
Removed! : C:\WINDOWS\System32\tdsll.dat
Removed! : C:\WINDOWS\System32\tuqsj.dat
Removed! : C:\WINDOWS\System32\tutql.dll
Removed! : C:\WINDOWS\System32\uojck.dat
Removed! : C:\WINDOWS\System32\uzwhr.dat
Removed! : C:\WINDOWS\System32\vatis.dat
Removed! : C:\WINDOWS\System32\vatis.dll
Removed! : C:\WINDOWS\System32\vcqto.dll
Removed! : C:\WINDOWS\System32\vdemu.dll
Removed! : C:\WINDOWS\System32\vvqmc.dll
Removed! : C:\WINDOWS\System32\vwukx.dll
Removed! : C:\WINDOWS\System32\wifyt.dll
Removed! : C:\WINDOWS\System32\wjhqf.dat
Removed! : C:\WINDOWS\System32\wquwx.dll
Removed! : C:\WINDOWS\System32\wsoey.dll
Removed! : C:\WINDOWS\System32\wxhfy.dat
Removed! : C:\WINDOWS\System32\xbndo.dll
Removed! : C:\WINDOWS\System32\xhebg.dll
Removed! : C:\WINDOWS\System32\xspkj.dat
Removed! : C:\WINDOWS\System32\xzfhm.dll
Removed! : C:\WINDOWS\System32\yqbhk.dll
Removed! : C:\WINDOWS\System32\ytbpo.dat
Removed! : C:\WINDOWS\System32\ytzur.dat
Removed! : C:\WINDOWS\System32\ywfye.dll
Removed! : C:\WINDOWS\System32\zdyhi.dll
Removed! : C:\WINDOWS\System32\zgijp.dat
Removed! : C:\WINDOWS\System32\zhvns.dll
Removed! : C:\WINDOWS\System32\zjiig.dat
Removed! : C:\WINDOWS\System32\zpvxa.dat
Removed! : C:\WINDOWS\System32\zutvo.dat
Removed! : C:\WINDOWS\System32\zvjqg.dll
Removed! : C:\WINDOWS\System32\zxbnd.dat
Removed! : C:\WINDOWS\System32\zxkqg.dll
Removed! : C:\WINDOWS\System32\zxyzg.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\2PORTALMON_Debug.txt:fuhqp
C:\WINDOWS\aaoum.dll:zegsp
C:\WINDOWS\addfs.exe:inelh
C:\WINDOWS\control.ini:wflwy
C:\WINDOWS\cqnskc.dat:cxypn
C:\WINDOWS\crao32.exe:pgwbt
C:\WINDOWS\criu.exe:vprvi
C:\WINDOWS\CTCCW.DLL:nqjak
C:\WINDOWS\CTDVAUDY.CDF:grufe
C:\WINDOWS\CTL3D32.DLL:hgoon
C:\WINDOWS\cwebb.dat:ahhup
C:\WINDOWS\delttsul.exe:zvylh
C:\WINDOWS\discover.exe:swirb
C:\WINDOWS\dvadn.dat:kwbwd
C:\WINDOWS\EasyPhoto Slide Show.scr:vxtbx
C:\WINDOWS\fff00b03_{395E7C20-E319-11D7-B033-00045A8D9434}.tmp:bmtnw
C:\WINDOWS\fff037fd_{1B3298A1-F25D-11D7-B033-00045A8D9434}.tmp:tndsy
C:\WINDOWS\fff0a3eb_{B8DFAB41-D9F5-11D7-B033-00045A8D9434}.tmp:lowxs
C:\WINDOWS\fff0df73_{86E06D80-D78B-11D7-B033-00045A8D9434}.tmp:epoln
C:\WINDOWS\fffc5dfd_{29BCFCA0-C4F2-11D7-B033-00045A8D9434}.tmp:cxarw
C:\WINDOWS\fffcbabd_{81AA4521-AE2D-11D7-B033-00045A8D9434}.tmp:uqlwy
C:\WINDOWS\fffd4333_{4DC00F01-F019-11D7-B033-00045A8D9434}.tmp:uckbo
C:\WINDOWS\fffd5021_{60DEC281-F743-11D7-B033-00045A8D9434}.tmp:xrwhu
C:\WINDOWS\fffd74bf_{CF5AFD80-DDCD-11D7-B033-00045A8D9434}.tmp:nvupi
C:\WINDOWS\fffd74bf_{CF5AFD81-DDCD-11D7-B033-00045A8D9434}.tmp:hptee
C:\WINDOWS\fffe085b_{E11FA921-9CD3-11D7-B033-00045A8D9434}.tmp:pmfyh
C:\WINDOWS\fffe122f_{6D9DE7C1-9B46-11D7-B033-00045A8D9434}.tmp:pwgze
C:\WINDOWS\fffe1243_{37255560-9F07-11D7-B033-00045A8D9434}.tmp:rrxpa
C:\WINDOWS\fffe132b_{30C55C81-9FFA-11D7-B033-00045A8D9434}.tmp:kspcv
C:\WINDOWS\fffe1f9f_{D6598401-9C26-11D7-B033-00045A8D9434}.tmp:noriv
C:\WINDOWS\fffe2a05_{736C38C0-AA8A-11D7-B033-00045A8D9434}.tmp:fgknp
C:\WINDOWS\fffe31b1_{E74637A1-9AD1-11D7-B033-00045A8D9434}.tmp:yhvsr
C:\WINDOWS\fffe3937_{89F668E0-A14D-11D7-B033-00045A8D9434}.tmp:qingl
C:\WINDOWS\fffe810d_{C05F5741-83D7-11D7-B033-00045A8D9434}.tmp:wreri
C:\WINDOWS\fffea363_{84609B01-56D7-11D7-B033-00045A8D9434}.tmp:stapy
C:\WINDOWS\fffebd5f_{B93FFBE0-70C7-11D7-B033-00045A8D9434}.tmp:tmvjd
C:\WINDOWS\fffebdb5_{599E99A1-6ADA-11D7-B033-00045A8D9434}.tmp:eogta
C:\WINDOWS\fffebdeb_{058573A0-67C1-11D7-B033-00045A8D9434}.tmp:wozzu
C:\WINDOWS\fffebefb_{CE585EC0-74CB-11D7-B033-00045A8D9434}.tmp:qqylc
C:\WINDOWS\fffebf3b_{493E5A41-5604-11D7-B033-00045A8D9434}.tmp:jrjre
C:\WINDOWS\fffebf51_{0602AC60-593B-11D7-B033-00045A8D9434}.tmp:tsbwy
C:\WINDOWS\fffec01f_{A6FC8B40-7EE8-11D7-B033-00045A8D9434}.tmp:msuba
C:\WINDOWS\fffec1d7_{BD26D9C0-9A9A-11D7-B033-00045A8D9434}.tmp:qrdcx
C:\WINDOWS\fffec3a9_{BF751A20-7EFC-11D7-B033-00045A8D9434}.tmp:isnhr
C:\WINDOWS\fffec429_{D1258F21-9B44-11D7-B033-00045A8D9434}.tmp:bsgvt
C:\WINDOWS\fffec5e3_{75DD9AA0-65F1-11D7-B033-00045A8D9434}.tmp:ttzao
C:\WINDOWS\fffec9dd_{F0FF72E0-4F12-11EA-B032-00045A8D9434}.tmp:zlapn
C:\WINDOWS\fffecb7f_{41C54E61-4E32-11D7-B033-00045A8D9434}.tmp:qhuch
C:\WINDOWS\fffeccad_{E032A540-7B4E-11D7-B033-00045A8D9434}.tmp:dovnd
C:\WINDOWS\fffeccff_{157872E1-9BFF-11D7-B033-00045A8D9434}.tmp:jinij
C:\WINDOWS\fffef125_{F2871581-5305-11D7-B033-00045A8D9434}.tmp:qcbsk
C:\WINDOWS\fffef207_{69A0F661-4F30-11D7-B033-00045A8D9434}.tmp:idlym
C:\WINDOWS\fffef443_{D95FE7E0-9B02-11D7-B033-00045A8D9434}.tmp:bdelg
C:\WINDOWS\fffef44b_{34F56521-A42D-11D7-B033-00045A8D9434}.tmp:tewqa
C:\WINDOWS\gqzzks.dat:weqso
C:\WINDOWS\HCExtOutput.dll:ofjyi
C:\WINDOWS\hh.exe:hgtlk
C:\WINDOWS\hhqaya.dat:czcdv
C:\WINDOWS\HLPSTEP3.GIF:uojtg
C:\WINDOWS\hqubv.dll:mpchi
C:\WINDOWS\hrirei.dat:fssvw
C:\WINDOWS\hstcc.dat:fqmmc
C:\WINDOWS\HTMLHELP.HTM:xtkbq
C:\WINDOWS\hylqb.dll:qtvgs
C:\WINDOWS\idtnqo.dat:iunlm
C:\WINDOWS\javapl.exe:tqvag
C:\WINDOWS\javaw.exe:syeua
C:\WINDOWS\jfmvv.dat:lrofi
C:\WINDOWS\jnvwxv.dat:erhkd
C:\WINDOWS\kewunt.dat:tcjja
C:\WINDOWS\khpjz.dat:driew
C:\WINDOWS\kpcms.ini:lvupu
C:\WINDOWS\lclnot.dat:wwfhr
C:\WINDOWS\Lexarej0.exe:ntxwn
C:\WINDOWS\lkwcd.dat:fmqji
C:\WINDOWS\loadhttp.dll:yniok
C:\WINDOWS\mspc.exe:xhacm
C:\WINDOWS\mzory.dll:hidni
C:\WINDOWS\odbs.log:uword
C:\WINDOWS\oismct.dat:ccznd
C:\WINDOWS\PROTOCOL.---:oczbw
C:\WINDOWS\ptari.dat:hcrgy
C:\WINDOWS\qmyqk.dll:zdkmt
C:\WINDOWS\qpqpxp.dat:seurv
C:\WINDOWS\rmkyf.dat:qsenn
C:\WINDOWS\SPROF32.DLL:rgpal
C:\WINDOWS\Sti_Trace.log:jhign
C:\WINDOWS\sxzkr.dll:chblh
C:\WINDOWS\SYSTEM.BAK:uilqj
C:\WINDOWS\TELEPHON.INI:xrtht
C:\WINDOWS\tfghd.dat:wdotl
C:\WINDOWS\tkwrl.log:prlmn
C:\WINDOWS\tmpdelis.bat:kkaxh
C:\WINDOWS\TMUPDATE.DLL:oegyf
C:\WINDOWS\Triangles.bmp:iswzh
C:\WINDOWS\TWAINTEC.DLL:nmevy
C:\WINDOWS\winrep.exe:dhepk
C:\WINDOWS\WMSysPr9.prx:viwce
C:\WINDOWS\WMSysPrx.prx:cnjwe
C:\WINDOWS\wplog.txt:giphg
C:\WINDOWS\wqgkrw.dat:uocjy
C:\WINDOWS\xgtai.dll:noups
C:\WINDOWS\xkcwsr.dat:fpfuu
C:\WINDOWS\Zapotec.bmp:bsmsr
C:\WINDOWS\zijmt.dll:uteyt
C:\WINDOWS\zsgle.dat:mupdn


Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

#8 Grinler (Lawrence Abrams, Admin, 43,639 posts, USA)

Posted 27 November 2004 - 04:53 PM

Please be patient. Nirvana will help you when they are available.

#9 Nirvana (In Utero, Members, 218 posts)

Posted 28 November 2004 - 12:26 AM

My apologies, Aaron, this reply slipped past me (thanks Grinler!). Are you still having problems? Please describe them and post a new HijackThis log.
