Help! HijackThis will not open
#1
Posted 02 June 2006 - 12:37 PM
#2
Posted 02 June 2006 - 12:58 PM
Try this:
Links to Hijack This! v 1.99.1:
Hijack This! (© Merijn) at tools.radiosplace.com
Hijack This! (© Merijn) at spywarewarrior.com
<right-click> on one of the links above, and choose "Save target as", save it as "friday.exe" into the folder you currently have HijackThis! in.
Navigate to that folder, and <double-click> on the "friday.exe" file.
See if it will run.
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#3
Posted 02 June 2006 - 01:00 PM
Logfile of HijackThis v1.99.1
Scan saved at 2:39:54 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Loris\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\l8l60i3se8.dll
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe
#4
Posted 02 June 2006 - 01:18 PM
The Nasties were not looking to stop Friday.exe from running
Here is the new log
Logfile of HijackThis v1.99.1
Scan saved at 3:05:52 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
C:\WINDOWS\System32\libsys32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\yejjfyf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\yejjfyfA.exe
C:\WINDOWS\ms075613-187714.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\defender25.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Loris\My Documents\HijackThis\Friday.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{319A9E64-1E5C-4862-BF4E-735E5BDD26F4}: NameServer = 66.19.192.200 216.126.128.40
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\p48q0el5ehq.dll
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe
#5
Posted 02 June 2006 - 02:31 PM
-Close all windows before continuing.
-Double-click Look2Me-Destroyer.exe to run it.
-Put a check next to Run this program as a task.
You will receive a message saying: Look2Me-Destroyer will close and re-open…
Click OK
When Look2Me-Destroyer re-opens**, click the Scan for L2M button
(Desktop icons disappear, this is normal.)
Once the program is done scanning, click the Remove L2M button.
(**If Look2Me-Destroyer does not reopen, do the following:
Go to Start > Run, and type in: sc start schedule
Press: Enter)
When a Done Scanning message appears, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK
The computer will then shutdown.
Turn the computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
There are several other infections present.
You'll probably still have to use "friday.exe" for a bit.
#6
Posted 02 June 2006 - 06:22 PM
Look2Me-Destroyer would not close and re-open. Even the Start>Run and type in sc start schedule did not restart it. So I borrowed a page from your book and downloaded it again and saved it as Tuesday.exe
So I have the Look2Me-Destroyer.txt followed by another HijackThis log
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 6/2/2006 7:56:07 PM
Infected! C:\WINDOWS\system32\q6rqlg9516.dll
Infected! C:\WINDOWS\system32\sJfrdm.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll
Infected! C:\WINDOWS\system32\acrsvc.dll
Infected! C:\WINDOWS\system32\alferror.dll
Infected! C:\WINDOWS\system32\axpmgr.dll
Infected! C:\WINDOWS\system32\donet.dll
Infected! C:\WINDOWS\system32\dyskmon.dll
Infected! C:\WINDOWS\system32\en8ql1l51.dll
Infected! C:\WINDOWS\system32\fOultrep.dll
Infected! C:\WINDOWS\system32\gp2ql3f51.dll
Infected! C:\WINDOWS\system32\h60q0gd5e60.dll
Infected! C:\WINDOWS\system32\hr6u05j9e.dll
Infected! C:\WINDOWS\system32\hrru0599e.dll
Infected! C:\WINDOWS\system32\ir24l5fq1.dll
Infected! C:\WINDOWS\system32\j60slgd7160.dll
Infected! C:\WINDOWS\system32\kvdlv1.dll
Infected! C:\WINDOWS\system32\l0l60a3sed.dll
Infected! C:\WINDOWS\system32\l4n40e5qeh.dll
Infected! C:\WINDOWS\system32\lv2009fme.dll
Infected! C:\WINDOWS\system32\lv4o09h3e.dll
Infected! C:\WINDOWS\system32\lvj4091qe.dll
Infected! C:\WINDOWS\system32\lvrq0995e.dll
Infected! C:\WINDOWS\system32\mvn0l95m1.dll
Infected! C:\WINDOWS\system32\mvrml9911.dll
Infected! C:\WINDOWS\system32\mzvidctl.dll
Infected! C:\WINDOWS\system32\r48s0el7ehq.dll
Infected! C:\WINDOWS\system32\rhcdll.dll
Infected! C:\WINDOWS\system32\sJfrdm.dll
Infected! C:\WINDOWS\system32\uzrvoica.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\sJfrdm.dll
C:\WINDOWS\system32\sJfrdm.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\acrsvc.dll
C:\WINDOWS\system32\acrsvc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\alferror.dll
C:\WINDOWS\system32\alferror.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\axpmgr.dll
C:\WINDOWS\system32\axpmgr.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\donet.dll
C:\WINDOWS\system32\donet.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dyskmon.dll
C:\WINDOWS\system32\dyskmon.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\en8ql1l51.dll
C:\WINDOWS\system32\en8ql1l51.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\fOultrep.dll
C:\WINDOWS\system32\fOultrep.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\gp2ql3f51.dll
C:\WINDOWS\system32\gp2ql3f51.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\h60q0gd5e60.dll
C:\WINDOWS\system32\h60q0gd5e60.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\hr6u05j9e.dll
C:\WINDOWS\system32\hr6u05j9e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\hrru0599e.dll
C:\WINDOWS\system32\hrru0599e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\ir24l5fq1.dll
C:\WINDOWS\system32\ir24l5fq1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\j60slgd7160.dll
C:\WINDOWS\system32\j60slgd7160.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\kvdlv1.dll
C:\WINDOWS\system32\kvdlv1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l0l60a3sed.dll
C:\WINDOWS\system32\l0l60a3sed.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l4n40e5qeh.dll
C:\WINDOWS\system32\l4n40e5qeh.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lv2009fme.dll
C:\WINDOWS\system32\lv2009fme.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lv4o09h3e.dll
C:\WINDOWS\system32\lv4o09h3e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lvj4091qe.dll
C:\WINDOWS\system32\lvj4091qe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lvrq0995e.dll
C:\WINDOWS\system32\lvrq0995e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mvn0l95m1.dll
C:\WINDOWS\system32\mvn0l95m1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mvrml9911.dll
C:\WINDOWS\system32\mvrml9911.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mzvidctl.dll
C:\WINDOWS\system32\mzvidctl.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\r48s0el7ehq.dll
C:\WINDOWS\system32\r48s0el7ehq.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\rhcdll.dll
C:\WINDOWS\system32\rhcdll.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\sJfrdm.dll
C:\WINDOWS\system32\sJfrdm.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\uzrvoica.dll
C:\WINDOWS\system32\uzrvoica.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5C636E6E-1EA7-4728-B7B9-3C4D85990C48}"
HKCR\Clsid\{5C636E6E-1EA7-4728-B7B9-3C4D85990C48}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A9D3A63F-061C-47D7-8549-C6934A767068}"
HKCR\Clsid\{A9D3A63F-061C-47D7-8549-C6934A767068}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{489919E2-9E61-43C5-8FA6-137871DEBAFC}"
HKCR\Clsid\{489919E2-9E61-43C5-8FA6-137871DEBAFC}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5CAA5D53-98F6-404A-A2E5-81E0FEDC07E7}"
HKCR\Clsid\{5CAA5D53-98F6-404A-A2E5-81E0FEDC07E7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4DF55A78-AD08-4255-AC5A-0623F1DB5A33}"
HKCR\Clsid\{4DF55A78-AD08-4255-AC5A-0623F1DB5A33}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5ED71346-D822-4DEA-A4FA-7B5759256EBE}"
HKCR\Clsid\{5ED71346-D822-4DEA-A4FA-7B5759256EBE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C310E2B3-F520-4922-AEBB-0C9900D0E3D8}"
HKCR\Clsid\{C310E2B3-F520-4922-AEBB-0C9900D0E3D8}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E35DBF3D-9664-4B13-B610-621D224C2D58}"
HKCR\Clsid\{E35DBF3D-9664-4B13-B610-621D224C2D58}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9BA52B8F-3376-4A3A-9E93-2E03270E40DD}"
HKCR\Clsid\{9BA52B8F-3376-4A3A-9E93-2E03270E40DD}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23618C8D-05C8-467A-BF7C-9C2815A5C628}"
HKCR\Clsid\{23618C8D-05C8-467A-BF7C-9C2815A5C628}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AC444F57-86BB-4A14-B76C-DC99F2617A5A}"
HKCR\Clsid\{AC444F57-86BB-4A14-B76C-DC99F2617A5A}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 8:03:14 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
C:\WINDOWS\System32\libsys32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\yejjfyf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\yejjfyfA.exe
C:\WINDOWS\ms075613-187714.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\defender25.exe
C:\WINDOWS\system32\owinnqez.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Loris\My Documents\HijackThis\Friday.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe
#7
Posted 02 June 2006 - 06:40 PM
BRILLIANT!!!
Look2Me-Destroyer would not close and re-open. Even the Start>Run and type in sc start schedule did not restart it. So I borrowed a page from your book and downloaded it again and saved it as Tuesday.exe
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
Run Hijack This! (or "friday.exe")
Click "Do a system scan only".
Then "check" the box to the left of these item(s):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe
Then click "Fix checked" and close Hijack This!.
Now, please go to:
Start --> Run
In the box type in services.msc then hit < Enter > (or click OK)
In the Name column look for:
aol software (Aol Software)
< Double-click > it.
In the dialogue box that pops up, check in the Path to executable box.
It should say: C:\WINDOWS\smss.exe
That's how to be sure you have the right one.
Now, click Stop to stop that rogue process.
In the Startup type box, change it to Disabled.
Click Apply then OK
In the Name column look for:
Command Service (cmdService)
< Double-click > it.
In the dialogue box that pops up, check in the Path to executable box.
It should say: C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
That's how to be sure you have the right one.
Now, click Stop to stop that rogue process.
In the Startup type box, change it to Disabled.
Click Apply, then OK.
In the Name column look for:
Windows Overlay Components
< Double-click > it.
In the dialogue box that pops up, check in the Path to executable box.
It should say: C:\WINDOWS\yejjfyf.exe
That's how to be sure you have the right one.
Now, click Stop to stop that rogue process.
In the Startup type box, change it to Disabled.
Click Apply, then OK.
Close the services.msc window.
Reboot in "safe" mode.
Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:
c:\defender25.exe <--- file
c:\keyboard25.exe <--- file
c:\newname25.exe <--- file
c:\program files\common files\svchostsys <--- FOLDER
c:\program files\webhancer <--- FOLDER
c:\windows\ms075613-187714.exe <--- file
c:\windows\smss.exe <--- file
(CAUTION: DELETE THIS "SMSS.EXE" FILE ONLY!!!)
c:\windows\sysc00.exe <--- file
c:\windows\system32\dmonwv.dll <--- file
c:\windows\system32\libsys32.exe <--- file
c:\windows\system32\owinnqez.exe <--- file
c:\windows\tg9yaxmgsibnyxrozw55 <--- FOLDER
c:\windows\yejjfyf.exe <--- file
c:\windows\yejjfyfa.exe <--- file
syslog32.exe <--- file
w0989c85.dll <--- file
Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).
Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread.
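As an added example (not code from this thread, from HijackThis or from Ewido), a small Python triage script for the two checks the post above relies on: whether a binary named like a core Windows process really lives in System32 (the C:\WINDOWS\smss.exe versus C:\WINDOWS\System32\smss.exe distinction), and whether the system.ini Shell= and UserInit= values launch anything beyond Explorer.exe and userinit.exe. The sample log lines are constructed from entries quoted in the thread, and all function names are the example's own.

```python
"""Triage a HijackThis 1.99.1 log for two patterns from this thread:
core-process lookalikes (e.g. smss.exe outside System32) and extra
programs appended to the system.ini Shell= / UserInit= values."""
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")
# Core Windows processes whose legitimate binaries live only in System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed sample in HijackThis log format, modelled on entries quoted
# in this thread; it is not a real log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
"""

# O4: "[name] command" for Run keys, "Foo.lnk = command" for Startup folders.
O4_RE = re.compile(r"^O4 - [^:]+: (?:\[[^\]]*\]|.+?\.lnk =) (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<owner>.+?) - (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<val>.*)$")


def is_in_dir(path, directory):
    """Case-insensitive parent-directory test (the logs mix System32/SYSTEM32)."""
    return str(path.parent).lower() == str(directory).lower()


def executable_of(command):
    """Pull the executable out of a Run/Service command string."""
    command = re.sub(r"\s*\(file missing\)$", "", command.strip())
    if command.startswith('"'):  # "C:\path with spaces\x.exe" -args
        return PureWindowsPath(command[1:command.index('"', 1)])
    # Unquoted: the executable ends at the first .exe/.dll/.com token.
    m = re.match(r"(.+?\.(?:exe|dll|com))(?:\s|$)", command, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else command)


def check_f2(line, key, value):
    """Shell= must be Explorer.exe alone; UserInit= must be System32\\userinit.exe alone."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if key == "Shell":
        legit = entries[:1] if entries and entries[0].lower() == "explorer.exe" else []
    else:
        legit = [e for e in entries[:1]
                 if PureWindowsPath(e).name.lower() == "userinit.exe"
                 and is_in_dir(PureWindowsPath(e), SYSTEM32)]
    extra = entries[len(legit):]
    if extra:
        return [("HIGH", line, f"{key}= also launches at logon: {', '.join(extra)}")]
    return []


def check_binary(line, exe):
    """Flag lookalikes of core processes, bare filenames and orphaned entries."""
    findings = []
    name = exe.name.lower()
    if line.endswith("(file missing)"):
        findings.append(("LOW", line, "orphaned entry: binary no longer exists"))
    elif not exe.drive and not exe.parent.name:  # bare filename such as libsys32.exe
        findings.append(("MEDIUM", line, f"unqualified filename {name}: locate it before trusting it"))
    if name in CORE_PROCESSES and not is_in_dir(exe, SYSTEM32):
        findings.append(("HIGH", line, f"{name} imitates a core process but runs from "
                         f"{exe.parent}; the real one is {SYSTEM32 / name}"))
    return findings


def triage(log_text):
    """Return a list of (severity, log line, reason) for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            findings.extend(check_f2(line, m["key"], m["val"]))
        elif m := (O4_RE.match(line) or O23_RE.match(line)):
            findings.extend(check_binary(line, executable_of(m["cmd"])))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}\n        {reason}")
```

The script only reads the pasted log; it tells you which entries to verify by hand in services.msc or Explorer, exactly as the post describes, and never touches the registry or the files.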
#8
Posted 03 June 2006 - 07:01 AM
It is getting better, slowly. I am still getting popups and unwanted browser windows. 6 at the moment.
HijackThis did not find:
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
I did not find
c:\program files\webhancer <--- FOLDER
Found c:\windows\system32\smss.exe; I left it alone.
c:\windows\smss.exe <--- file
(CAUTION: DELETE THIS "SMSS.EXE" FILE ONLY!!!)
Did not find
c:\windows\sysc00.exe <--- file
Found this file, but it would not let me delete it. Access denied.
c:\windows\system32\dmonwv.dll <--- file
Found this one's evil twin, c:\windows\system32\owinqqez.exe. I deleted it.
c:\windows\system32\owinnqez.exe <--- file
Did not find
c:\windows\tg9yaxmgsibnyxrozw55 <--- FOLDER
Did not find
c:\windows\yejjfyf.exe <--- file
Did not find
c:\windows\yejjfyfa.exe <--- file
Did not find
syslog32.exe <--- file
Did not find
w0989c85.dll <--- file
HijackThis log as follows
Logfile of HijackThis v1.99.1
Scan saved at 8:06:31 AM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
#9
Posted 03 June 2006 - 07:23 AM
Ewido 3.5
- Install Ewido anti-malware.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
______________________________
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
Please post:
- Ewido log
- A new HijackThis log
#11
Posted 03 June 2006 - 02:17 PM
Sorry I took so long. Life happens.
Ewido log
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:54:08 PM, 6/3/2006
+ Report-Checksum: 93223CBD
+ Scan result:
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2000478354-492894223-1957994488-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2000478354-492894223-1957994488-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[704] C:\WINDOWS\System32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\defender24[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\drsmartload46a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\drsmartload[2].exe -> Downloader.Adload.bt : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\Installer[2].exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\keyboard22[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\newname22[1].exe -> Hijacker.VB.no : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\ZIGID003[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\defender22[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\defender25[1].exe -> Downloader.Adload.bx : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\drsmartload45a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\drsmartload[1].exe -> Downloader.Adload.bv : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\keyboard23[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\keyboard24[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\numbsoft[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\webnexmk[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\ac2_0003[1].exe -> Downloader.Small.cpu : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\defender23[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload44a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload849a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload849a[2].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\keyboard25[1].exe -> Hijacker.StartPage.aju : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\newname23[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\drift[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\drma[1].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\newname24[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\newname25[1].exe -> Downloader.VB.abm : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\reloc[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\daED.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\daF2.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\i5F.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\i68.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr1152 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr1F7E -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr2BEC -> Hijacker.VB.ij : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr2E8B -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr3ED4 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr4834 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr5968 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr5C78 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr612A -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr6AE0 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr72AB -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.frCE99 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.frD1BC -> Adware.Look2Me : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.bv : Cleaned with backup
C:\drsmartload849a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Common Files\Μicrosoft\wuaclt.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\Program Files\Messenger\horelod.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\services.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\smss.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\spoolsv.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\cool.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\f.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\lwintqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pkdsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pmdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pndsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pndsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ppdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\psdsregr.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rwinpqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\setup_57007.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_65506.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_78713.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\sgamk.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\swinlqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\swinoqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\twinoqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\w0035d51.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w01b38cf.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0266f11.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0989c85.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\ZICORN003.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\Temp\ac2_0004.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\Temp\i47.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\i5C.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\i8B.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\pre.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\yejjfyf.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\yejjfyfA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 3:59:08 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Thank you for your kindness. Isaiah 1:17 comes to mind. Thank you for pleading the case of this widow and protecting me from the bad guys.
Sunny1
#12
Posted 03 June 2006 - 02:22 PM
Run Hijack This!
Click "Do a system scan only".
Then "check" the box to the left of these item(s):
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
Then click "Fix checked" and close Hijack This!.
Reboot in "safe" mode.
Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:
C:\WINDOWS\System32\escny.exe <-- file
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55 <-- FOLDER
Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).
Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread.
Edited by Micah_6:8, 03 June 2006 - 02:59 PM.
#13
Posted 03 June 2006 - 04:44 PM
I did a search for escny.exe; the results were no file found except in
c:\windows\PREFETCH\escny.exe-38B4EEFA.pf
I put it in the Recycle Bin.
HijackThis log as follows:
Logfile of HijackThis v1.99.1
Scan saved at 6:28:17 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
#14
Posted 03 June 2006 - 05:23 PM
- Download Brute Force Uninstaller to your C:\
- Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
- Download qoofix.bat (right-click on this link and choose "Save as")
- Place qoofix.bat in your C:\BFU folder. (Important!)
- Double-click qooFix.bat, and close all browsers and Explorer folders.
- Choose option 1 (Qoolfix autofix) and follow the prompts.
- Please be patient, it will take about five minutes.
- After the PC has restarted, "fix" the items below with HijackThis! (if they still exist):
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
- Boot in "safe" mode, and run Ewido once more.
- Boot in regular mode and post a new HijackThis! log.
Edited by Micah_6:8, 03 June 2006 - 07:16 PM.
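The helper's instructions above come down to two checks a triager makes on a HijackThis log: F2 lines where the Winlogon Shell or UserInit value has an extra executable chained after the expected one, and O23 service lines with an unknown owner or a missing binary. The following script is an added example written for this thread, not a tool from the forum or from the HijackThis project; it parses those line types and reports the findings. The sample log is constructed from the lines quoted in the post, and the expected defaults (Shell=Explorer.exe, Userinit=userinit.exe on Windows XP) are assumptions stated in the code.

```python
"""Triage F2 (system.ini Shell/UserInit) and O23 (service) lines from a HijackThis log."""
import re

# Constructed sample: the two F2 lines the helper asked to be fixed plus four O23
# service entries taken from the log above (labelled here as sample input).
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\System32\\escny.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,oniqjxa.exe
O23 - Service: ewido security suite control - ewido networks - C:\\Program Files\\ewido anti-malware\\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\\WINDOWS\\System32\\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\System32\\HPZipm12.exe
"""

# Assumed Windows XP defaults for the two Winlogon values HijackThis reports as F2 lines.
# Anything chained after these (comma-separated) runs at every logon and deserves a look.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
# Name, owner and path are separated by " - "; the name and owner are matched lazily,
# so a service name that itself contains " - " would need manual review.
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def split_value(value):
    """Split a comma-separated Shell/UserInit value into trimmed, non-empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def basename_lower(path):
    """Lower-cased file name of a Windows path (handles bare names and full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_f2(key, value):
    """Return the executables chained onto Shell or UserInit beyond the expected default."""
    expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
    return [p for p in split_value(value) if basename_lower(p) != expected]


def triage_o23(name, owner, path):
    """Return the reasons an O23 service line is worth a closer look (empty if none)."""
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("unknown owner")
    if path.rstrip().endswith("(file missing)"):
        reasons.append("file missing")
    return reasons


def triage(log_text):
    """Return a list of (line, reason) findings for suspicious F2 and O23 entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            extras = triage_f2(m.group(1), m.group(2))
            if extras:
                findings.append((line, f"{m.group(1)} chains extra executable(s): {', '.join(extras)}"))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = triage_o23(*m.groups())
            if reasons:
                findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample it flags exactly the four lines the helper singled out: the two F2 entries (escny.exe chained onto Shell, oniqjxa.exe chained onto UserInit) and the two services with an unknown owner whose binaries are missing. The ewido and HP services pass because they have a known owner and an existing file. A "file missing" service is still worth removing even though it cannot start: the entry is evidence of what was installed, and a later reinfection could drop the binary back into place.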
#15
Posted 03 June 2006 - 10:37 PM
Sunny1
Logfile of HijackThis v1.99.1
Scan saved at 12:19:29 AM, on 6/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe