CHOPHAR.A won't go away


This topic is locked
13 replies to this topic

#1 Atriedi (New Member, 7 posts)

Posted 05 January 2006 - 06:59 AM

Hi

I have Trend Micro OfficeScan installed. Every time I start up my PC it pops up and tells me that it has found a virus. The virus cannot be cleaned, so the file is deleted. The file is C:\WINDOWS\inet20003\alg.exe and it is subsequently not to be found in the folder. This pop-up occurs at random intervals. At the same time I can see more and more iexplore.exe processes appearing. Each of these takes 15-25MB of memory and eventually they have used it all. I can kill these processes manually (only one at a time sadly) but they just reappear.

The Trend Micro scanner tells me it is the CHOPHAR.A Trojan-virus and that in order to remove it all I have to do is disable System Restore (which I have done) and then scan the PC again. I have scanned my PC (which takes almost an hour), and the scanner finds nothing. I have downloaded other Trojan removers, but none have worked for me.

The last thing I have done is to download HJT and, following another post on this forum, I have "fixed" my PC. But the virus is still there. I still get the Trend Micro pop-up and the iexplore.exe processes keep coming.

Here is a HJT log I have just created - any help is appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 13:19:07, on 05-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\RHFB3F.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20003\services.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Dell\QuickSet\Quickset.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\inet20003\mm4.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Dell\Bluetooth Software\BTTray.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\MPE\Skrivebord\ProcExpl\procexp.exe
C:\Documents and Settings\MPE\Skrivebord\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Programmer\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [TrojanScanner] C:\Programmer\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O4 - Global User Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global User Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global User Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmer\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://intranet.ciber.dk
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: *.trendmicro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121004860114
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Programmer\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\Programmer\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\Programmer\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerMPE_LISTENER - Unknown owner - C:\Programmer\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmer\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


I have "fixed" the "O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)" several times, but it keeps reappearing.

Edited by Atriedi, 05 January 2006 - 07:18 AM.
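A defender-side triage script for HijackThis logs like the ones in this thread, added here as an example (it is not part of the thread, of HijackThis or of Trend Micro). It parses the HJT v1.99 layout and flags the patterns visible in the log above: a binary running from %WINDIR%\TEMP, a services.exe outside system32, many IExplore.exe instances, a search URL pointing at a local file, a BHO with no file behind it, and one binary registered as an autostart from win.ini, HKLM Run and HKCU Run at once. The rule names and thresholds are my own choices, and SAMPLE_LOG is a trimmed excerpt of the first log.

```python
"""Triage a HijackThis (HJT) v1.99 log for the process and persistence
patterns seen in this thread.  Added example, not part of the thread,
HijackThis or Trend Micro; the rules are heuristics chosen from the posted
logs, not an official signature, and the sample is a trimmed excerpt."""
import re
from collections import Counter

# Binaries Windows XP only runs from %WINDIR%\system32; a copy of one of
# these names in any other folder deserves a look.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "csrss.exe", "alg.exe", "spoolsv.exe"}

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (.+)$")
INI_RE = re.compile(r"^F3 - REG:win\.ini: run=(.+)$")
SEARCH_RE = re.compile(r"^R\d+ - .*Default_Search_URL = (.+)$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

# Trimmed excerpt of the first HJT log in the thread (constructed sample).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:19:07, on 05-01-2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\TEMP\RHFB3F.EXE
C:\WINDOWS\inet20003\services.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Skype\Phone\Skype.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
"""


def parse_hjt(text):
    """Split a log into the running-process paths and the R/F/O entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif re.match(r"^[RFO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def triage(text, windir=r"C:\WINDOWS"):
    """Return a list of (rule, detail) findings for one HJT log."""
    processes, entries = parse_hjt(text)
    win = windir.lower()
    findings = []

    for proc in processes:
        folder, _, name = proc.lower().rpartition("\\")
        if folder.startswith(win + r"\temp"):
            findings.append(("process-in-temp", proc))
        elif name in SYSTEM_NAMES and folder != win + r"\system32":
            findings.append(("system-name-outside-system32", proc))

    # Several browser copies the user never opened (the memory-eating
    # iexplore.exe instances described in the first post).
    for path, n in Counter(p.lower() for p in processes).items():
        if path.endswith("\\iexplore.exe") and n >= 3:
            findings.append(("repeated-iexplore", f"{n}x {path}"))

    targets = Counter()   # autostart binary -> number of launch points
    for entry in entries:
        m = SEARCH_RE.match(entry)
        if m and not m.group(1).lower().startswith(("http://", "https://")):
            findings.append(("search-url-local-file", m.group(1)))
        elif entry.startswith("O2 - BHO") and entry.endswith("(no file)"):
            findings.append(("orphan-bho", entry))
        else:
            m = RUN_RE.match(entry) or INI_RE.match(entry)
            exe = EXE_RE.match(m.group(1)) if m else None
            if exe:
                targets[exe.group(1).lower()] += 1

    # One binary registered from win.ini plus HKLM and HKCU Run: the
    # persistence that re-creates the entries the poster keeps "fixing".
    for path, n in targets.items():
        if n >= 2:
            findings.append(("multi-location-persistence", f"{n}x {path}"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding per rule for the excerpt; legitimate entries such as the OfficeScan monitor and Skype produce none.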



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 January 2006 - 04:30 PM

Hello Atriedi, welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#3 Atriedi (New Member, 7 posts)

Posted 10 January 2006 - 05:39 PM

Situation hasn't changed for me, sadly. I have gotten used to regularly killing all iexplore-processes to conserve some memory.

Here's a fresh HJT scan log:

Logfile of HijackThis v1.99.1
Scan saved at 00:32:58, on 11-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\VU742C.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20003\services.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Dell\QuickSet\Quickset.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\inet20003\mm4.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Dell\Bluetooth Software\BTTray.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Documents and Settings\MPE\Skrivebord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Programmer\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O4 - Global User Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global User Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global User Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmer\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://intranet.ciber.dk
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: *.trendmicro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121004860114
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835CF17D-3846-4013-B605-5BF0D6C2850A}: NameServer = 10.128.28.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Programmer\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\Programmer\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\Programmer\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerMPE_LISTENER - Unknown owner - C:\Programmer\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmer\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Appreciate any help =)

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 January 2006 - 05:55 PM

Please download ewido Security Suite
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
  • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
  • The program will prompt you to update; click the "OK" button
  • The program will now go to the main screen

    You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start

    The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

    Once the updates are installed do the following:
  • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop
  • Exit ewido

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.



#5 Atriedi (New Member, 7 posts)

Posted 11 January 2006 - 06:17 AM

I followed your instructions. It found 251 infected files (mostly spyware but also a lot of Trojans) and I clicked on each and every one of them. The full scan lasted more than 2 hours and tragically, when Ewido starts cleaning files, it crashes after having cleaned the first 82. Thus I have no log to present you, as I never got the chance to save one. Every time I start Ewido now it crashes immediately.

The virus is still present - here's a fresh HJT-log in case:

Logfile of HijackThis v1.99.1
Scan saved at 13:16:26, on 11-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\LJA5CD.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20003\services.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Dell\QuickSet\Quickset.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\inet20003\mm4.exe
C:\Programmer\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Programmer\Dell\Bluetooth Software\BTTray.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmer\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\MPE\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Programmer\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O4 - Global User Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global User Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global User Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmer\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://intranet.ciber.dk
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: *.trendmicro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121004860114
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{835CF17D-3846-4013-B605-5BF0D6C2850A}: NameServer = 10.128.28.254
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Programmer\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\Programmer\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\Programmer\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerMPE_LISTENER - Unknown owner - C:\Programmer\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmer\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#6 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 January 2006 - 04:15 PM

Download this file from the link to your desktop.
http://www.mvps.org/.../DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


Next I suggest you do this:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE

O4 - Global User Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\inet20003\services.exe


1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files (If listed)
7. Click OK and windows will comply.

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


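One way to triage a HijackThis v1.99 log for the kinds of entries fixed in the reply above, as an added example that is not part of this thread and not HijackThis' own code: the script parses the log line format (R1 search URL, F3 win.ini run=, O2 BHO, O4 Run, O15 Trusted Zone, O16 DPF) and flags a search URL that is a local file, a BHO with no backing file, Run entries launched from the `inet20003` directory this thread identified as the infection's home (treated here as a known-bad location, an assumption drawn from the thread), the same Run entry persisted in both HKLM and HKCU, unnamed ActiveX download entries, and trusted-zone entries for review. The sample log is constructed from entries quoted in this thread, mixed with benign ones from the same log.

```python
"""Triage a HijackThis (HJT) v1.99 log for the entry types this thread had fixed.
Added example, not part of the thread or of HijackThis. The sample log lines are
constructed from entries quoted in the thread."""
import re
from dataclasses import dataclass

# Assumption from the thread: this directory is the malware's home, so anything
# launched from it is treated as bad. Compared lower-case.
KNOWN_BAD_DIRS = ("c:\\windows\\inet20003\\",)

# Constructed sample: the entries LDTate told the user to fix plus benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
"""


@dataclass
class Finding:
    line: str
    reason: str


def _target_path(entry):
    """Launched path of an O4 Run entry: the quoted path, or the first token
    after the [name]; returned lower-case for comparison."""
    m = re.match(r'\[[^\]]*\]\s*(?:"([^"]+)"|(\S+))', entry)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def triage(log_text):
    """Return a list of Finding for every suspicious entry in the log text."""
    findings = []
    run_targets = {}  # (name, path) -> hives it is registered in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, _, rest = line.partition(" - ")
        if code in ("R0", "R1") and "Default_Search_URL" in rest:
            _, _, value = rest.partition(" = ")
            # A search URL that is a local file rather than http(s) is a hijack.
            if not value.lower().startswith(("http://", "https://")):
                findings.append(Finding(line, "search URL points to a local file"))
        elif code == "F3":
            m = re.search(r"run=(.+)$", rest, re.I)
            if m and m.group(1).lower().startswith(KNOWN_BAD_DIRS):
                findings.append(Finding(line, "win.ini run= launches from known-bad directory"))
        elif code == "O2" and rest.endswith("(no file)"):
            findings.append(Finding(line, "orphaned BHO with no backing file"))
        elif code == "O4":
            m = re.match(r"(HKLM|HKCU)\\\.\.\\Run: (.*)$", rest)
            if m:
                hive, entry = m.groups()
                name = re.match(r"\[([^\]]*)\]", entry).group(1)
                path = _target_path(entry)
                run_targets.setdefault((name, path), []).append(hive)
                if path.startswith(KNOWN_BAD_DIRS):
                    findings.append(Finding(line, f"{hive} Run entry launches from known-bad directory"))
        elif code == "O15":
            findings.append(Finding(line, "trusted-zone entry, review (zones were reset in this thread)"))
        elif code == "O16":
            # HJT prints a friendly name in parentheses when the control has one.
            if not re.match(r"DPF: \{[^}]+\} \(", rest):
                findings.append(Finding(line, "unnamed ActiveX download (DPF) entry"))
    # Same [name] and path in both hives: the entry persists for every user
    # and for this user separately, as the xp_system entry in the thread did.
    for (name, path), hives in run_targets.items():
        if "HKLM" in hives and "HKCU" in hives:
            findings.append(Finding(f"[{name}] {path}", "same Run entry in both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

The rules are deliberately narrow: an entry is only flagged for a property visible in the log line itself (a local-file search URL, a missing backing file, a known-bad launch directory), so benign entries such as the Java BHO and the named Housecall control pass. Unnamed DPF and trusted-zone entries are surfaced for review rather than judged, matching how the reply handled them.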
#7 Atriedi

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 12 January 2006 - 04:08 AM

Well, well, well...

The Trend-virus-warning I normally got at startup no longer appears, and the sneaky iexplore.exe-processes that ate away my memory are gone... I would say you have cured my PC!!!

You have my eternal gratitude =)

The PC still takes a _very_ long time to start up, but that may not have anything to do with a virus. This is my work PC, so I have a load of different SQL servers, BizTalk servers and whatnot that launch at startup.

A fresh HJT scan:

Logfile of HijackThis v1.99.1
Scan saved at 09:42:43, on 12-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\VBBAC2.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Dell\QuickSet\Quickset.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Dell\Bluetooth Software\BTTray.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmer\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\MPE\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Programmer\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O4 - Global User Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global User Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmer\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121004860114
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Programmer\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\Programmer\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\Programmer\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerMPE_LISTENER - Unknown owner - C:\Programmer\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmer\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by Atriedi, 12 January 2006 - 04:11 AM.


#8 Atriedi

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 12 January 2006 - 08:06 AM

Just for fun (and my own peace of mind) I did a new scan with ewido. It still found a lot of spyware cookies, and sadly also four reports of Trojans: C:\WINDOWS\country.exe, C:\WINDOWS\hosts, C:\WINDOWS\tool4.exe and C:\WINDOWS\tool5.exe. Anything I should be concerned about?

#9 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 January 2006 - 03:36 PM

Let's see if this will help.

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter/type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



I recommend you download RegSeeker. Extract it to its own folder, open it and double-click RegSeeker.exe to start the program. Maximize the window and click Clean Registry. Check all sections and click OK. When the scan is complete, verify that the backup box in the lower left corner is checked and click the Select All button, then Select All again. Then right-click within the search results and select Delete. Run it again and again, deleting everything it finds, until it finds nothing. Reboot and make sure your programs are working properly, that the Control Panel and Add/Remove Programs windows open, etc. (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click Backups and double-click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot when done.


#10 Atriedi

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 16 January 2006 - 05:10 AM

It is done.

Everything seems to be working OK.

A fresh HJT scan report and an ewido report as well (if I select "Do nothing" for every action, the program doesn't crash at the end and I can save the report):

HJT:
----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 09:28:24, on 16-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\TG8678.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Dell\QuickSet\Quickset.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Microsoft IntelliType Pro\type32.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmer\Dell\Bluetooth Software\BTTray.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmer\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\MPE\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Programmer\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Programmer\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmer\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O4 - Global User Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O4 - Global User Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmer\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmer\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121004860114
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Programmer\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\Programmer\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\Programmer\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListenerMPE_LISTENER - Unknown owner - C:\Programmer\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmer\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Ewido:
------------------------------
---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den: 12:03:12,
+ Rapport-Checksum: C57404C0

+ Scanningsresultat:
:mozilla.8:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignoreret
:mozilla.9:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignoreret
:mozilla.10:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignoreret
:mozilla.11:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignoreret
:mozilla.12:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignoreret
:mozilla.13:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignoreret
:mozilla.14:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignoreret
:mozilla.15:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignoreret
C:\Documents and Settings\MPE\Lokale indstillinger\Temp\2C.tmp -> Not-A-Virus.Downloader.Win32.WinFixer.b : Ignoreret
C:\Documents and Settings\MPE\Lokale indstillinger\Temp\2D.tmp -> Downloader.CWS.r : Ignoreret
C:\WINDOWS\country.exe -> Trojan.Small : Ignoreret
C:\WINDOWS\hosts -> Trojan.Qhost.el : Ignoreret
C:\WINDOWS\inet20003\3.00.13.dll -> Spyware.Ihbo : Ignoreret
C:\WINDOWS\inet20003\mm4.exe -> Proxy.Delf.an : Ignoreret
C:\WINDOWS\inet20003\mm4.exe.bak -> Proxy.Delf.an : Ignoreret
C:\WINDOWS\ms1.exe -> Downloader.Tiny.al : Ignoreret
C:\WINDOWS\tool4.exe -> Trojan.Small : Ignoreret
C:\WINDOWS\tool5.exe -> Trojan.Small : Ignoreret
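
The scan log above mixes hundreds of tracking-cookie records with a handful of real on-disk malware, and a `:mozilla.N:` entry is one record inside Firefox's `cookies.txt`, not a separate file. As an added example (not part of the original thread or of Ewido), here is a small parser for that line format that separates what the browser's cookie manager must handle from the files and folders an analyst should review; the sample lines are constructed in the same format as the log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One result line: optional ":mozilla.N:" prefix (cookie number N inside a
# Firefox cookies.txt), then "<path> -> <detection> : <action>".
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<det>\S+) : (?P<action>\S+)$"
)

# Constructed sample in the same format as the log above ("Ignoreret" is
# Danish for "ignored", i.e. the scanner took no action).
SAMPLE_LOG = r"""
:mozilla.49:C:\Documents and Settings\MPE\Application Data\Mozilla\Firefox\Profiles\uk34d6hg.default\cookies.txt -> Spyware.Cookie.Burstnet : Ignoreret
C:\Documents and Settings\MPE\Cookies\mpe@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignoreret
C:\Documents and Settings\MPE\Lokale indstillinger\Temp\2C.tmp -> Not-A-Virus.Downloader.Win32.WinFixer.b : Ignoreret
C:\WINDOWS\country.exe -> Trojan.Small : Ignoreret
C:\WINDOWS\hosts -> Trojan.Qhost.el : Ignoreret
C:\WINDOWS\inet20003\mm4.exe -> Proxy.Delf.an : Ignoreret
C:\WINDOWS\inet20003\mm4.exe.bak -> Proxy.Delf.an : Ignoreret
"""


@dataclass
class Finding:
    path: str
    detection: str
    action: str                          # scanner's action, e.g. "Ignoreret"
    cookie_index: Optional[int] = None   # set only for :mozilla.N: entries

    @property
    def category(self) -> str:
        """cookie = browser-side record, pup = not-a-virus, malware = the rest."""
        if self.detection.startswith("Spyware.Cookie."):
            return "cookie"
        if self.detection.startswith("Not-A-Virus."):
            return "pup"
        return "malware"


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    idx = m.group("idx")
    return Finding(m.group("path"), m.group("det"), m.group("action"),
                   int(idx) if idx is not None else None)


def parse_log(text: str) -> list:
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


def cleanup_plan(findings) -> dict:
    """Split findings into cookie stores (browser's job) and on-disk items by folder."""
    counts = defaultdict(int)
    cookie_stores = set()
    by_dir = defaultdict(list)
    for f in findings:
        counts[f.category] += 1
        if f.category == "cookie":
            # The cookie record lives inside cookies.txt (or one IE cookie file);
            # it is removed through the browser, not by editing the file.
            cookie_stores.add(f.path)
        else:
            folder, _, name = f.path.rpartition("\\")
            by_dir[folder].append(name)
    # Grouping by folder makes a dropper directory such as inet20003 stand out
    # from single stray files in C:\WINDOWS; the analyst still decides what goes.
    return {"counts": dict(counts),
            "cookie_stores": sorted(cookie_stores),
            "by_dir": {d: sorted(n) for d, n in by_dir.items()}}


if __name__ == "__main__":
    for key, value in cleanup_plan(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```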

#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 January 2006 - 07:13 AM

I suggest you do this:

Restart your computer in Safe Mode.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Important: To remove cookies, follow the steps in this section. Do not try to edit the cookies file on your computer.

To remove one or more cookies from your computer:

Open the Tasks menu, choose Privacy & Security, and then choose Cookie Manager.
Choose View Stored Cookies from the submenu. The Cookie Manager window opens with a list of all the cookies stored on your computer.
Select one or more cookies and click Remove Cookie, or click Remove All Cookies.


Delete this Folder
C:\WINDOWS\inet20003

Delete these Files
C:\WINDOWS\country.exe
C:\WINDOWS\hosts
C:\WINDOWS\ms1.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool5.exe



Empty Recycle Bin

Restart your computer.

Now try the Ewido and let it delete everything it finds.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 Atriedi

Atriedi

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 20 January 2006 - 01:46 AM

Well, I have done it all now. Ewido crashed as usual, but it seems like it cleaned all it found before crashing. My PC seems to be virus free now (thanks =), but it still takes a loooong time for it to start up. Some day, when I don't have work 24/7, I will reinstall Windows and all my programs. It will take forever to reinstall and set up everything again...

Edited by Atriedi, 20 January 2006 - 01:47 AM.


#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 January 2006 - 06:49 AM

Let's see if this will help speed it up.

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter/type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



I recommend you download RegSeeker. Extract it to its own folder, open it and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in the lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot when done.



#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 February 2006 - 09:07 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
