Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Surf Sidekick


  • Please log in to reply
11 replies to this topic

#1 Sunshine1271

Sunshine1271

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 09 August 2006 - 08:46 PM

I followed the instructions in about 4 logs already - I fix through Hijack, reboot, try to uninstall
not present in add/remove programs - won't let me delete - says in use... even in safe mode - augh!

here is my hijack log - I have downloaded ewido / look2me / bfu / ad-aware /spybot... I am getting to my wits end - here is my hijack log - any help would be so appreciated.... thanks!


Logfile of HijackThis v1.99.1
Scan saved at 9:39:15 PM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\iPass\iPassConnect CPS_Regular\downloader\ipccheck.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iqsapqq.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Fjbddbrf] c:\Program Files\Oszi\Rciqtm.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [gdyjfi] C:\WINDOWS\system32\hlurfk.exe reg_run
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Cqygpcor] C:\Documents and Settings\Administrator\My Documents\??crosoft.NET\rundll.exe
O4 - HKCU\..\Run: [daflg] C:\WINDOWS\system32\hlurfk.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect CPS_Regular.lnk = C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://thetrain.choicepoint.com/postauthI/epi.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O17 - HKLM\Software\..\Telephony: DomainName = na.choicepoint.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CI Remote Service Provider (CI RemoteServiceProvider) - - c:\program files\insurity\commercial intellisys\comps\remoteserviceprovider.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

BC AdBot (Login to Remove)

 


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 10 August 2006 - 06:53 AM

I followed the instructions in about 4 logs already

The fixes were written specifically for this infection on those person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

I have downloaded ewido / look2me / bfu / ad-aware /spybot... I am getting to my wits end -

Please follow my advise from now.

These files are known to be part of a Trojan that transmits information about your bank accounts, passwords, and other financial information. It should be deleted immediately, enable your firewall, change your passwords, and if necassary contact your banks or other financial instituions.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Download Brute Force Uninstaller to your desktop.
  • Right click the file on your Desktop, and choose Extract All.
  • Click Next.
  • In the box to choose where to extract the files to:
  • Click Browse.
  • Click on the + sign next to My Computer
  • Click on Local Disk (C:) or whatever your primary drive is.
  • Click Make New Folder
  • Type in BFU
  • Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download sidekickFix.bat (rightclick on that link and choose save as)
  • Place sidekickFix.bat in your C:\BFU - folder. (Important!)
  • Close all browsers and explorer folders.
  • Double-click on sidekickFix.bat
  • Click Yes and follow the prompts, when prompted to restart the PC please do so.
Step #2

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iqsapqq.exe

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Fjbddbrf] c:\Program Files\Oszi\Rciqtm.exe
O4 - HKLM\..\Run: [gdyjfi] C:\WINDOWS\system32\hlurfk.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Cqygpcor] C:\Documents and Settings\Administrator\My Documents\??crosoft.NET\rundll.exe
O4 - HKCU\..\Run: [daflg] C:\WINDOWS\system32\hlurfk.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)

020 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

Locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed please close Ewido.
Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #5

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #6

Find and delete these files and folders (if they are still there):
C:\WINDOWS\v1201.exe
C:\WINDOWS\system32\hlurfk.exe
C:\WINDOWS\system32\iqsapqq.exe
c:\Program Files\Oszi <= folder
C:\Program Files\ToolBar888 <= folder
C:\Program Files\SurfSideKick 3 <= folder
C:\Documents and Settings\Administrator\My Documents\??crosoft.NET <= folder. The "?" could be anything (it will probably look like "Mi" from Microsoft.) and delete the folder and all its content.


Step #7

Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
  • Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report, the results of the ewido report scan and a fresh HijackThis log.


#3 Sunshine1271

Sunshine1271
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 10 August 2006 - 07:39 PM

Thanks for your reply - I have done everything you listed in exact order - here are my logs for your review :thumbsup:


Ewido report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:11:36 PM 8/6/2006

+ Scan result:



[1044] C:\WINDOWS\system32\agmpvcno.dll -> Adware.Look2Me : Ignored.
[876] C:\WINDOWS\system32\agmpvcno.dll -> Adware.Look2Me : Ignored.
C:\Documents and Settings\Administrator\My Documents\Міcrosoft.NET\rundll.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3799598701-2588356038-2379779253-500\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3799598701-2588356038-2379779253-500\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\euro423\Desktop\luxor\luxorSetup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup (quarantined).
[1520] C:\WINDOWS\system32\nstrvsc.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@journalregistercompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@solmeliahotels.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stubhub.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sylvane.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@thestar.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\euc0i20\Cookies\euc0i20@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@rccl.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@test.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\euc0i20\Cookies\euc0i20@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfk4elc5mdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkocgc5wfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgk4gpajolp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkowpcjklp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6whkiamd5gbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkoqicpmlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmyujajweq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@e-2dj6wjnyqodjkfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-aha.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-applevac.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-bestbuy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-comcast.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-foxsports.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-growingtree.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-hasbro.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-maniatv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-myswitzerland.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-samsungusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-xmsatelliteradio.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-comcast.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-fandango.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-leapfrog.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-microsoft.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-sierratradingpost.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-space.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@c1.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\euro423\Cookies\euro423@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end


PANDA ACTIVE SCAN


Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
Adware:adware/consumeralertsystem Not disinfected c:\program files\System Files
Adware:adware/qoologic Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:Adware/Deskwizz Not disinfected C:\bintheredunthat\RDFX4.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ccbill[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@atwola[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@go[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@mp3search[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@target[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@xiti[1].txt

NEW HIJACK LOG:


Logfile of HijackThis v1.99.1
Scan saved at 8:32:51 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\iPass\iPassConnect CPS_Regular\downloader\ipccheck.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Cqygpcor] C:\Documents and Settings\Administrator\My Documents\??crosoft.NET\rundll.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect CPS_Regular.lnk = C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://thetrain.choicepoint.com/postauthI/epi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O17 - HKLM\Software\..\Telephony: DomainName = na.choicepoint.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CI Remote Service Provider (CI RemoteServiceProvider) - - c:\program files\insurity\commercial intellisys\comps\remoteserviceprovider.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe



I think this did the trick in removing the SURF SIDEKICK!!!!! How do the logs look....and....What can I do to keep my self clean?!?

I got this thing showing my 1 1/2 year old a picture of SNOOPY off Google Images! :flowers:

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 11 August 2006 - 07:04 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

O4 - HKCU\..\Run: [Cqygpcor] C:\Documents and Settings\Administrator\My Documents\??crosoft.NET\rundll.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Step #3

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
Step #3

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\system32\nstrvsc.dll
C:\WINDOWS\system32\agmpvcno.dll
C:\WINDOWS\system32\agmpvcno.dll
c:\windows\system32\atmtd.dll
C:\windows\system32\tsuninst.exe
c:\windows\teller2.chk
C:\bintheredunthat\RDFX4.exe
c:\program files\System Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are
present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder

Step #4

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then reboot your computer.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with the contents of C:\Look2Me-Destroyer.txt, the contents of C:\Qoofix\Qoofix Logfile.txt and a new HijackThis Log in your next reply.

Edited by didom, 11 August 2006 - 07:05 AM.


#5 Sunshine1271

Sunshine1271
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 11 August 2006 - 08:53 PM

Ok, here is the results of the last items you suggest I do:

Hijack

Logfile of HijackThis v1.99.1
Scan saved at 9:43:54 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\downloader\ipccheck.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
C:\Hijack\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect CPS_Regular.lnk = C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://thetrain.choicepoint.com/postauthI/epi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O17 - HKLM\Software\..\Telephony: DomainName = na.choicepoint.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CI Remote Service Provider (CI RemoteServiceProvider) - - c:\program files\insurity\commercial intellisys\comps\remoteserviceprovider.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe




Qooofix


Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/11/2006] at [8:49:28 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/11/2006] at [8:51:11 PM]

Note: Some registry keys may have been removed.



Look2ME



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/11/2006 8:28:10 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Please let me know what you think :thumbsup: You have been a tremendous help so far and I really appreciate all you have done.

I will await your expertise analysis of the logs before I go any further :flowers:

Sunshine

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 12 August 2006 - 05:18 AM

1. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
2. Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

3. Start HijackThis and perform a new scan.

4. Use the Add Reply button to post your new logs back here along withas details of any problems you encountered performing the above steps and I will review it when it comes in.

#7 Sunshine1271

Sunshine1271
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 12 August 2006 - 09:49 AM

Ok, here are the results of

Hijack :

Logfile of HijackThis v1.99.1
Scan saved at 10:40:36 AM, on 8/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\downloader\ipccheck.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect CPS_Regular.lnk = C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://thetrain.choicepoint.com/postauthI/epi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O17 - HKLM\Software\..\Telephony: DomainName = na.choicepoint.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CI Remote Service Provider (CI RemoteServiceProvider) - - c:\program files\insurity\commercial intellisys\comps\remoteserviceprovider.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe



Kaskperky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 12, 2006 10:38:41 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/08/2006
Kaspersky Anti-Virus database records: 214328
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
I:\

Scan Statistics:
Total number of scanned objects: 90022
Number of viruses found: 18
Number of infected objects: 66 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:27:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2E216FAA-AEDE-47FA-8051-979474F8F280} Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006081220060813\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Aventail\LogFiles\odxsp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ibm\messages\logs\lf000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-08062006-182929.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08540000.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00000.VBN Infected: Trojan-Clicker.Win32.VB.lb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00001.VBN Infected: Trojan-Clicker.Win32.VB.lb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00002.VBN Infected: Trojan-Clicker.Win32.VB.lb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00003.VBN Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00004.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00006.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00007.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00008.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB00009.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB0000A.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0000.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0001.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0002.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0003.VBN Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0004.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0005.VBN Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0006.VBN Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0007.VBN Infected: Trojan.Win32.Runner.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0008.VBN Infected: Trojan.Win32.Runner.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0009.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C000A.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C000B.VBN Infected: Trojan.Win32.Runner.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C000C.VBN Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C000D.VBN Infected: Trojan.Win32.Runner.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13F80000.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13F80001.VBN Infected: Trojan-Clicker.Win32.VB.is skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iPass\iPassConnect CPS_Regular\log\Agent.log Object is locked skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\0LY74TQV\installer[2].exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\0LY74TQV\installer[2].exe Inno: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\0LY74TQV\recife[1].exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\0LY74TQV\recife[1].exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\21ONQT2X\mc-110-12-0000103[1].exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\21ONQT2X\mc-110-12-0000103[1].exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\21ONQT2X\mc-110-12-0000103[1].exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\4TU7SPQR\cas2setup[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\4TU7SPQR\cas2setup[1].exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\82CLS7A1\media_motor_bundle[1].exe NSIS: infected - 6 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\GHAJW1IJ\111[1].net/stream/data0002 Infected: Trojan-Downloader.Win32.VB.afa skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\GHAJW1IJ\111[1].net/stream Infected: Trojan-Downloader.Win32.VB.afa skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\GHAJW1IJ\111[1].net NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\ON8V2B2Z\RDFX4[1].exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\ON8V2B2Z\RDFX4[1].exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\ON8V2B2Z\RDFX4[1].exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\TBNXVL34\adsetup_silent.1.53[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\TBNXVL34\adsetup_silent.1.53[1].exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-3799598701-2588356038-2379779253-1011\Dc1.IE5\TBNXVL34\adsetup_silent.1.53[1].exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe NSIS: infected - 6 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\execmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchInstall.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000012.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000012.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000A.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000A.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000E1.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000E1.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000004Q.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000004Q.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000001W.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000001W.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000004M.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000004M.que Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



ActiveScan log:


Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll._
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll
Adware:adware/consumeralertsystem Not disinfected c:\program files\System Files
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:adware/dollarrevenue Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@atwola[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@go[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@mp3search[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@target[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\euro423\Cookies\euro423@xiti[1].txt


Please let me know your thougths :thumbsup:
Thanks!

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 12 August 2006 - 03:36 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and copy the following text into a new file:

attrib -r -s -h %systemdrive%\RECYCLER
del %systemdrive%\RECYCLER
attrib -r -s -h %systemdrive%\RECYCLED
del %systemdrive%\RECYCLED
shutdown /r /t 0 /f

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".
This is how the batch must look afterwards: Posted Image

Double-Click on the file recyclerem.bat, a small DOS type window should open and close immediately.
You can answer any questions with "Yes".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
c:\windows\system32\atmtd.dll._
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
c:\program files\System Files
C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll



Reboot your computer normally.

Step #5

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Please tell me how your computer is running now!

#9 Sunshine1271

Sunshine1271
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 12 August 2006 - 08:06 PM

Ok, I did have all those files that I deleted in safe mode that you listed on your last reply.
Everything seems to be running GREAT! Here is the lastest hijack log - what can I do to keep it running this
good and how can I protect myself (and my computer ;)) in the future from this happening again?

Thanks so much for your help... Please let me know your thoughts on future protection and the log below.

-S

Logfile of HijackThis v1.99.1
Scan saved at 8:57:51 PM, on 8/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iPass\iPassConnect CPS_Regular\downloader\ipccheck.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Hijack\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect CPS_Regular.lnk = C:\Program Files\iPass\iPassConnect CPS_Regular\IPassConnectGUI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://thetrain.choicepoint.com/postauthI/epi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O17 - HKLM\Software\..\Telephony: DomainName = na.choicepoint.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.choicepoint.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CI Remote Service Provider (CI RemoteServiceProvider) - - c:\program files\insurity\commercial intellisys\comps\remoteserviceprovider.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect CPS_Regular\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect CPS_Regular\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 13 August 2006 - 07:43 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....

    Posted Image


#11 Sunshine1271

Sunshine1271
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 14 August 2006 - 09:36 AM

THANK YOU SOOOOO MUCH! I really do appreciate all you have helped me with. It was a pleasure to work with you through this -you made it pretty painless.... I thought my pc was a gonner :thumbsup:

You are simply amazing! Take care and thanks for all the advice! (where do you learn this stuff!?!?)

:flowers:

#12 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 PM

Posted 14 August 2006 - 09:44 AM

THANK YOU SOOOOO MUCH! I really do appreciate all you have helped me with. It was a pleasure to work with you through this -you made it pretty painless.... I thought my pc was a gonner. You are simply amazing! Take care and thanks for all the advice!

Thanks! You're welcome :thumbsup:

(where do you learn this stuff!?!?)

Well there are some online malware school where you can learn the ropes and advance to Helper. Experts and others will be there to guide you and answer your questions. A lot of good info there.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users