
my laptop computer


This topic is locked.
14 replies to this topic

#1 wuxier (New Member, 7 posts)

Posted 06 February 2006 - 05:47 PM

Hello,

I mistakenly disabled Norton Anti-Virus and now my browser pops up windows every few minutes. I saw that almost everyone recommended HijackThis, so I downloaded it. Following is the HijackThis log; can someone please help me?

Thanks,

wuxier

Logfile of HijackThis v1.99.1
Scan saved at 6:45:51 PM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\yuantai\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133543452560
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136332236889
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jt0807due.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
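Added example (not part of this thread, and not a tool the helpers here use): a small triage script that parses HijackThis O4/O20/O23 lines, flags the two things a reviewer scans such a log for first (a randomly named file under system32, or an entry whose file no longer exists), and diffs a "before" and "after" log so you can see what a cleanup run actually removed and what persisted. The sample input is excerpted from the two logs posted in this thread; the digit-count heuristic and the `Entry` structure are my own assumptions, not anything HijackThis provides.

```python
"""Triage helpers for HijackThis-style logs (added example, not from the thread)."""
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    section: str   # "O4", "O20" or "O23"
    label: str     # Run value name, Winlogon Notify subkey, or service name
    path: str      # executable/DLL path as reported ("" if none could be found)
    missing: bool  # HijackThis appended "(file missing)"


# "O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll, optionally quoted
PATH_RE = re.compile(r'("?[A-Za-z]:\\[^"]*?\.(?:exe|dll)"?)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Extract autostart (O4), Winlogon Notify (O20) and service (O23) entries."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            lm = re.search(r"\[([^\]]+)\]", body)
            label = lm.group(1) if lm else body.split(":", 1)[-1].split(" = ", 1)[0].strip()
        elif section in ("O20", "O23"):
            # "Winlogon Notify: Reinstall - C:\..." / "Service: Name (svc) - Vendor - C:\..."
            label = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        else:
            continue
        pm = PATH_RE.search(body)
        path = pm.group(1).strip('"') if pm else ""
        entries.append(Entry(section, label, path, "(file missing)" in body))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristic (assumption): a system32 file whose stem carries 3+ digits is
    worth a look, as are entries pointing at files that no longer exist."""
    flagged = []
    for e in entries:
        m = SYSTEM32_RE.search(e.path)
        stem = m.group(1).rsplit(".", 1)[0] if m else ""
        digits = sum(ch.isdigit() for ch in stem)
        if m and digits >= 3:
            flagged.append((e, f"random-looking name in system32 ({digits} digits)"))
        elif e.missing:
            flagged.append((e, "orphaned entry: file missing"))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (entries removed, entries added) between two logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


# Constructed sample: lines excerpted from the two logs posted in this thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\jt0807due.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{entry.section}] {entry.label}: {why}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", [e.label for e in removed], "added:", [e.label for e in added])
```

On the excerpt, the name heuristic flags only the `Reinstall` Winlogon Notify DLL and the orphaned `PsaSrv` service; the diff shows that the second log no longer carries `Reinstall` (or `IgfxTray`), while the `[winsync]` Run entry survives both logs. That is the point of keeping the diff next to the heuristic: a narrow rule like "three or more digits in a system32 filename" is cheap and has few false positives, but anything it does not match still has to be judged by a person comparing the log against what was expected to be there.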



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 23 February 2006 - 04:55 PM

Hello wuxier, welcome to the TC Forums.

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
Once it's done scanning, click the Remove L2M button.

You will receive a Done Scanning message; click OK.
When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer." Click OK.
Your computer will then shut down.

Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#3 wuxier (New Member, 7 posts)

Posted 26 February 2006 - 09:39 AM

Thank you LDTate!

The new HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:36 AM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133543452560
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136332236889
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

and the C:\Look2Me-Destroyer.txt is:


Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/26/2006 10:24:41 AM

Infected! C:\WINDOWS\system32\s4880eluehq80.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019923.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019952.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019962.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019964.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019994.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020376.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020390.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020402.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020423.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020429.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020451.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020462.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015482.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015493.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015554.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016620.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016627.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017586.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017622.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017631.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017634.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017643.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017661.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017671.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017680.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017687.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017693.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017695.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017702.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017709.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017735.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017772.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017773.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017774.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017775.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017776.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017777.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017778.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017779.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017780.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017821.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017836.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017846.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017855.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017877.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017901.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017923.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017948.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017968.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017988.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018036.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018049.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018215.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018231.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018250.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018263.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018271.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018287.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018302.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018318.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018331.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018355.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018388.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018389.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018412.dll
Infected! C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018413.dll
Infected! C:\WINDOWS\system32\aesldp.dll
Infected! C:\WINDOWS\system32\aoi2dvag.dll
Infected! C:\WINDOWS\system32\ciyptdll.dll
Infected! C:\WINDOWS\system32\dkcpsapi.dll
Infected! C:\WINDOWS\system32\dlound.dll
Infected! C:\WINDOWS\system32\dynmodem.dll
Infected! C:\WINDOWS\system32\egsvc.dll
Infected! C:\WINDOWS\system32\fpp6037se.dll
Infected! C:\WINDOWS\system32\gplql3351.dll
Infected! C:\WINDOWS\system32\h0j4la1q1d.dll
Infected! C:\WINDOWS\system32\hrrs0597e.dll
Infected! C:\WINDOWS\system32\i4jq0e15eh.dll
Infected! C:\WINDOWS\system32\ipircl.dll
Infected! C:\WINDOWS\system32\irr6l59s1.dll
Infected! C:\WINDOWS\system32\j8n20i5oe8.dll
Infected! C:\WINDOWS\system32\jtro0793e.dll
Infected! C:\WINDOWS\system32\kkdycl.dll
Infected! C:\WINDOWS\system32\kydlv1.dll
Infected! C:\WINDOWS\system32\mdorcl32.dll
Infected! C:\WINDOWS\system32\mjexcl40.dll
Infected! C:\WINDOWS\system32\o4nsle571h.dll
Infected! C:\WINDOWS\system32\ppcVSWIA.dll
Infected! C:\WINDOWS\system32\PpogressTrace.dll
Infected! C:\WINDOWS\system32\rIstapi.dll
Infected! C:\WINDOWS\system32\rPsadhlp.dll
Infected! C:\WINDOWS\system32\s4880eluehq80.dll
Infected! C:\WINDOWS\system32\sslsrv32.dll
Infected! C:\WINDOWS\system32\tYpiui.dll
Infected! C:\WINDOWS\system32\u4rule991h.dll
Infected! C:\WINDOWS\system32\ugdmxfrm.dll
Infected! C:\WINDOWS\system32\wkdmtpdr.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\s4880eluehq80.dll
C:\WINDOWS\system32\s4880eluehq80.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019923.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019923.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019952.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019952.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019962.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019962.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019964.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019964.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019994.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0019994.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020376.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020376.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020390.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020390.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020402.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020402.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020423.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020423.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020429.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020429.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020451.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020451.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020462.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP105\A0020462.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015482.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015482.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015493.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015493.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015554.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP91\A0015554.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016620.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016620.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016627.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0016627.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017586.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017586.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017622.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017622.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017631.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017631.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017634.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017634.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017643.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017643.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017661.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017661.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017671.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017671.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017680.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017680.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017687.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017687.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017693.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017693.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017695.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017695.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017702.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017702.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017709.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017709.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017735.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017735.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017772.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017772.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017773.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017773.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017774.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017774.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017775.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017775.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017776.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017776.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017777.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017777.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017778.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017778.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017779.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017779.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017780.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017780.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017821.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017821.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017836.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017836.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017846.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017846.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017855.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017855.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017877.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017877.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017901.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017901.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017923.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017923.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017948.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017948.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017968.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017968.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017988.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP92\A0017988.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018036.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018036.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018049.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018049.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018215.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP93\A0018215.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018231.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018231.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018250.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018250.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018263.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018263.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018271.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018271.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018287.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018287.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018302.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018302.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018318.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP94\A0018318.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018331.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018331.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018355.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018355.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018388.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018388.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018389.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP95\A0018389.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018412.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018412.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018413.dll
C:\System Volume Information\_restore{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP96\A0018413.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\aesldp.dll
C:\WINDOWS\system32\aesldp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\aoi2dvag.dll
C:\WINDOWS\system32\aoi2dvag.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ciyptdll.dll
C:\WINDOWS\system32\ciyptdll.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dkcpsapi.dll
C:\WINDOWS\system32\dkcpsapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dlound.dll
C:\WINDOWS\system32\dlound.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dynmodem.dll
C:\WINDOWS\system32\dynmodem.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\egsvc.dll
C:\WINDOWS\system32\egsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fpp6037se.dll
C:\WINDOWS\system32\fpp6037se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gplql3351.dll
C:\WINDOWS\system32\gplql3351.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h0j4la1q1d.dll
C:\WINDOWS\system32\h0j4la1q1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrrs0597e.dll
C:\WINDOWS\system32\hrrs0597e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\i4jq0e15eh.dll
C:\WINDOWS\system32\i4jq0e15eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ipircl.dll
C:\WINDOWS\system32\ipircl.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irr6l59s1.dll
C:\WINDOWS\system32\irr6l59s1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j8n20i5oe8.dll
C:\WINDOWS\system32\j8n20i5oe8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jtro0793e.dll
C:\WINDOWS\system32\jtro0793e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kkdycl.dll
C:\WINDOWS\system32\kkdycl.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kydlv1.dll
C:\WINDOWS\system32\kydlv1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mdorcl32.dll
C:\WINDOWS\system32\mdorcl32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mjexcl40.dll
C:\WINDOWS\system32\mjexcl40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o4nsle571h.dll
C:\WINDOWS\system32\o4nsle571h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ppcVSWIA.dll
C:\WINDOWS\system32\ppcVSWIA.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\PpogressTrace.dll
C:\WINDOWS\system32\PpogressTrace.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rIstapi.dll
C:\WINDOWS\system32\rIstapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rPsadhlp.dll
C:\WINDOWS\system32\rPsadhlp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s4880eluehq80.dll
C:\WINDOWS\system32\s4880eluehq80.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sslsrv32.dll
C:\WINDOWS\system32\sslsrv32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tYpiui.dll
C:\WINDOWS\system32\tYpiui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\u4rule991h.dll
C:\WINDOWS\system32\u4rule991h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ugdmxfrm.dll
C:\WINDOWS\system32\ugdmxfrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wkdmtpdr.dll
C:\WINDOWS\system32\wkdmtpdr.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Thanks a lot for your time and effort to help!

wuxier

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 February 2006 - 09:45 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side on these:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\system32\ykocwo.exe


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 wuxier

wuxier

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 27 February 2006 - 07:41 PM

Hmmmm, I wasn't able to delete this malicious "ykocwo.exe" thing. I changed the file type options to view all types and extensions, including system files. I ran HijackThis, selected O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run and fixed it. Then I went to C:\Windows\system32; I didn't find this ykocwo.exe file, so I ran ATF Cleaner and then rebooted. HijackThis scanned and found it's still there. I then restarted again, logged in to safe mode as administrator, and found this C:\WINDOWS\system32\ykocwo.exe file. But when I fixed it in HijackThis and tried to delete this file, a weird thing happened again: it popped up a message box "cannot delete, make sure it's not write protected or disk full", then this file disappeared again. I knew it's still there because when I tried to generate a new empty file with this name, it complained that this file name already exists. In summary, in my own account I can't see this C:\WINDOWS\system32\ykocwo.exe file. In administrator I can see it but still can't delete it.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 February 2006 - 07:44 PM

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\ykocwo.exe

Click on the Back button to exit Process Manager

Reboot and post a new HJT log.


#7 wuxier

wuxier

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 28 February 2006 - 05:01 PM

Hi LDTate, I tried your suggestion to use HijackThis's delete-on-reboot tool; it was deleted but reappeared again. The creation time is also the time of the reboot. I also noticed that in the Explorer window it has a way to hide itself. I found it in the DOS prompt, but couldn't find it in the Explorer window using my own account. Using the administrator account, at first I could find it in the Explorer window, then when I tried to do something to this file (rename it, or pop up the properties menu of this file), it disappeared too after the operation. Thanks!

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 February 2006 - 05:04 PM

Please post a new HJT log


#9 wuxier

wuxier

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 01 March 2006 - 04:44 PM

Here is the new log, thanks!

Logfile of HijackThis v1.99.1
Scan saved at 5:42:17 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133543452560
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136332236889
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 March 2006 - 05:24 PM

Let's see if SpySweeper will kill it.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from the Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.


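Each round of this thread ends with "post a new HJT log", and the helper then compares the fresh log with the previous one by eye. The following Python helper is an added example, not part of the thread or of HijackThis: it parses the O4 Run entries of two logs, reports what was removed or added, and flags Run entries whose image sits directly in system32 but is not on a known-good allowlist. The two sample logs are constructed from O4 lines quoted in posts #9 and #11, trimmed to a few entries, and the allowlist contents are an assumption for the demo.

```python
"""Compare the O4 (autostart) entries of two HijackThis 1.99 logs.

Added example, not part of this thread or of HijackThis itself. The sample
logs below are constructed from O4 lines quoted in the thread (trimmed); the
allowlist of legitimate system32 images is an assumption for the demo.
"""
import re
from typing import Dict, List, Set, Tuple

# HijackThis O4 Run lines look like:   O4 - HKLM\..\Run: [name] command
# (O4 Startup / Global Startup lines have a different shape and are skipped.)
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Constructed "before cleanup" sample, from lines quoted in post #9.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ykocwo.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
"""

# Constructed "after cleanup" sample, from lines quoted in post #11.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Lower-cased prefix used to spot images loaded straight out of system32.
SYSTEM32 = "c:\\windows\\system32\\"

Entry = Tuple[str, str]  # (hive, Run value name)


def parse_o4_run(log: str) -> Dict[Entry, str]:
    """Map (hive, value name) -> command for every O4 HKLM/HKCU Run line."""
    entries: Dict[Entry, str] = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"].strip()
    return entries


def image_path(cmd: str) -> str:
    """Best-effort image path from a Run command: quoted path, else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def diff_o4(before: str, after: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """Return (removed, added, changed) Run entries between two logs."""
    b, a = parse_o4_run(before), parse_o4_run(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    changed = sorted(k for k in b if k in a and b[k] != a[k])
    return removed, added, changed


def suspicious_o4(log: str, allowlist: Set[str]) -> List[Entry]:
    """Flag Run entries whose image is directly under system32 but whose file
    name (lower-cased) is not on the allowlist. The randomly named 'winsync'
    entry in this thread is exactly that shape; ctfmon.exe is a normal one."""
    flagged: List[Entry] = []
    for key, cmd in sorted(parse_o4_run(log).items()):
        path = image_path(cmd).lower()
        if path.startswith(SYSTEM32) and path[len(SYSTEM32):] not in allowlist:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    removed, added, changed = diff_o4(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)   # [('HKLM', 'winsync')]
    print("added:  ", added)     # [('HKLM', 'SpySweeper')]
    print("changed:", changed)   # []
    print("suspicious before:", suspicious_o4(BEFORE_LOG, {"ctfmon.exe"}))
```

The allowlist is deliberately tiny; on a real log it would need every legitimate system32 autostart the machine is expected to have.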
#11 wuxier

wuxier

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 02 March 2006 - 12:45 PM

Thanks a lot LDTate, you are a real help! After running for a few hours, I haven't found any more pop-up windows. And this ykocwo.exe file is finally removed! One more thing may also be a result of this cleanup: before, my Firefox often froze for a few seconds every 10 minutes or so. Now it seems this problem also went away.

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:07 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133543452560
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136332236889
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

and SpySweeper session log:

********
1:11 PM: | Start of Session, Thursday, March 02, 2006 |
1:11 PM: Spy Sweeper started
1:11 PM: Sweep initiated using definitions version 624
1:11 PM: Starting Memory Sweep
1:14 PM: Memory Sweep Complete, Elapsed Time: 00:02:27
1:14 PM: Starting Registry Sweep
1:14 PM: Registry Sweep Complete, Elapsed Time:00:00:11
1:14 PM: Starting Cookie Sweep
1:14 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:14 PM: Starting File Sweep
1:30 PM: File Sweep Complete, Elapsed Time: 00:15:37
1:30 PM: Full Sweep has completed. Elapsed time 00:18:27
1:30 PM: Traces Found: 0
********
9:17 AM: | Start of Session, Thursday, March 02, 2006 |
9:17 AM: Spy Sweeper started
9:17 AM: Sweep initiated using definitions version 624
9:17 AM: Starting Memory Sweep
9:18 AM: BHO Shield: found: googletoolbar2.dll-- BHO installation denied at user request
9:18 AM: Found Adware: clkoptimizer
9:18 AM: Detected running threat: C:\WINDOWS\system32\qauneup.dll (ID = 188959)
9:20 AM: Detected running threat: C:\WINDOWS\system32\ykocwo.exe (ID = 188701)
9:20 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || winsync (ID = 0)
9:20 AM: Memory Sweep Complete, Elapsed Time: 00:02:32
9:20 AM: Starting Registry Sweep
9:20 AM: Found Adware: cnsmin
9:20 AM: HKLM\software\cnnic\ (ID = 106210)
9:20 AM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
9:20 AM: Found Adware: quicklink search toolbar
9:20 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
9:20 AM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
9:20 AM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
9:20 AM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
9:20 AM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
9:20 AM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
9:20 AM: HKCR\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\ (8 subtraces) (ID = 1134010)
9:20 AM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
9:20 AM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
9:20 AM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
9:20 AM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
9:20 AM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
9:20 AM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
9:20 AM: HKLM\software\classes\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\ (8 subtraces) (ID = 1134199)
9:20 AM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
9:20 AM: HKCR\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\inprocserver32\ (ID = 1135242)
9:20 AM: HKU\S-1-5-21-1185328018-2694091760-1918028741-1006\software\cnnic\ (ID = 393376)
9:20 AM: Registry Sweep Complete, Elapsed Time:00:00:13
9:20 AM: Starting Cookie Sweep
9:20 AM: Found Spy Cookie: 888 cookie
9:20 AM: pei@888[2].txt (ID = 2019)
9:20 AM: Found Spy Cookie: yieldmanager cookie
9:20 AM: pei@ad.yieldmanager[1].txt (ID = 3751)
9:20 AM: Found Spy Cookie: adecn cookie
9:20 AM: pei@adecn[1].txt (ID = 2063)
9:20 AM: Found Spy Cookie: adknowledge cookie
9:20 AM: pei@adknowledge[1].txt (ID = 2072)
9:20 AM: Found Spy Cookie: specificclick.com cookie
9:20 AM: pei@adopt.specificclick[2].txt (ID = 3400)
9:20 AM: Found Spy Cookie: addynamix cookie
9:20 AM: pei@ads.addynamix[1].txt (ID = 2062)
9:20 AM: Found Spy Cookie: falkag cookie
9:20 AM: pei@as1.falkag[2].txt (ID = 2650)
9:20 AM: Found Spy Cookie: azjmp cookie
9:20 AM: pei@azjmp[1].txt (ID = 2270)
9:20 AM: Found Spy Cookie: banners cookie
9:20 AM: pei@banners[1].txt (ID = 2282)
9:20 AM: pei@banners[2].txt (ID = 2282)
9:20 AM: pei@banners[3].txt (ID = 2282)
9:20 AM: Found Spy Cookie: bluestreak cookie
9:20 AM: pei@bluestreak[1].txt (ID = 2314)
9:20 AM: Found Spy Cookie: zedo cookie
9:20 AM: pei@c5.zedo[2].txt (ID = 3763)
9:20 AM: Found Spy Cookie: overture cookie
9:20 AM: pei@data3.perf.overture[2].txt (ID = 3106)
9:20 AM: Found Spy Cookie: exitexchange cookie
9:20 AM: pei@exitexchange[2].txt (ID = 2633)
9:20 AM: Found Spy Cookie: clickandtrack cookie
9:20 AM: pei@hits.clickandtrack[2].txt (ID = 2397)
9:20 AM: Found Spy Cookie: maxserving cookie
9:20 AM: pei@maxserving[2].txt (ID = 2966)
9:20 AM: Found Spy Cookie: partypoker cookie
9:20 AM: pei@partypoker[2].txt (ID = 3111)
9:20 AM: pei@perf.overture[1].txt (ID = 3106)
9:20 AM: Found Spy Cookie: realmedia cookie
9:20 AM: pei@realmedia[1].txt (ID = 3235)
9:20 AM: Found Spy Cookie: server.iad.liveperson cookie
9:20 AM: pei@server.iad.liveperson[1].txt (ID = 3341)
9:20 AM: Found Spy Cookie: statcounter cookie
9:20 AM: pei@statcounter[2].txt (ID = 3447)
9:20 AM: Found Spy Cookie: tacoda cookie
9:20 AM: pei@tacoda[1].txt (ID = 6444)
9:20 AM: Found Spy Cookie: trafficmp cookie
9:20 AM: pei@trafficmp[2].txt (ID = 3581)
9:20 AM: Found Spy Cookie: tribalfusion cookie
9:20 AM: pei@tribalfusion[2].txt (ID = 3589)
9:20 AM: Found Spy Cookie: videodome cookie
9:20 AM: pei@videodome[1].txt (ID = 3638)
9:20 AM: Found Spy Cookie: webpower cookie
9:20 AM: pei@webpower[2].txt (ID = 3660)
9:20 AM: Found Spy Cookie: xiti cookie
9:20 AM: pei@xiti[1].txt (ID = 3717)
9:20 AM: Found Spy Cookie: adserver cookie
9:20 AM: pei@z1.adserver[1].txt (ID = 2142)
9:20 AM: pei@zedo[1].txt (ID = 3762)
9:20 AM: yuantai@exitexchange[1].txt (ID = 2633)
9:20 AM: yuantai@realmedia[1].txt (ID = 3235)
9:20 AM: yuantai@trafficmp[1].txt (ID = 3581)
9:20 AM: yuantai@webpower[2].txt (ID = 3660)
9:20 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:20 AM: Starting File Sweep
9:20 AM: Found Trojan Horse: trojan-downloader-qyule
9:20 AM: c:\program files\qyule (1 subtraces) (ID = -2147456308)
9:20 AM: c:\program files\cnnic (ID = -2147477717)
9:20 AM: c:\program files\jalmp (2 subtraces) (ID = -2147459072)
9:25 AM: Found Adware: nictech adware
9:25 AM: appwrap[1].exe (ID = 245751)
9:26 AM: ykocwo.exe (ID = 188701)
9:26 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || winsync (ID = 0)
9:26 AM: piqj.exe (ID = 188701)
9:27 AM: qvykp.dat (ID = 188701)
9:27 AM: kcbdfbv.exe (ID = 188961)
9:28 AM: qauneup.dll (ID = 188959)
9:28 AM: appwrap[1].exe (ID = 245752)
9:32 AM: Found Adware: look2me
9:32 AM: mrrdo20.dll (ID = 159)
9:33 AM: wgse.exe (ID = 238240)
9:33 AM: arpf.cfg (ID = 208796)
9:33 AM: uninstall.exe (ID = 237448)
9:33 AM: Found Adware: targetsaver
9:33 AM: vocabulary (ID = 78283)
9:33 AM: class-barrel (ID = 78229)
9:33 AM: mycpx32r.dll (ID = 159)
9:33 AM: glkwf.dll (ID = 188960)
9:33 AM: icont.exe (ID = 65739)
9:35 AM: File Sweep Complete, Elapsed Time: 00:14:35
9:35 AM: Full Sweep has completed. Elapsed time 00:17:33
9:35 AM: Traces Found: 159
9:43 AM: Removal process initiated
9:44 AM: Quarantining All Traces: clkoptimizer
9:44 AM: clkoptimizer is in use. It will be removed on reboot.
9:44 AM: ykocwo.exe is in use. It will be removed on reboot.
9:44 AM: qauneup.dll is in use. It will be removed on reboot.
9:44 AM: C:\WINDOWS\system32\qauneup.dll is in use. It will be removed on reboot.
9:44 AM: C:\WINDOWS\system32\ykocwo.exe is in use. It will be removed on reboot.
9:44 AM: Quarantining All Traces: look2me
9:44 AM: Quarantining All Traces: cnsmin
9:44 AM: Quarantining All Traces: quicklink search toolbar
9:44 AM: Quarantining All Traces: trojan-downloader-qyule
9:44 AM: Quarantining All Traces: nictech adware
9:44 AM: Quarantining All Traces: targetsaver
9:44 AM: Quarantining All Traces: 888 cookie
9:44 AM: Quarantining All Traces: addynamix cookie
9:44 AM: Quarantining All Traces: adecn cookie
9:44 AM: Quarantining All Traces: adknowledge cookie
9:44 AM: Quarantining All Traces: adserver cookie
9:44 AM: Quarantining All Traces: azjmp cookie
9:44 AM: Quarantining All Traces: banners cookie
9:44 AM: Quarantining All Traces: bluestreak cookie
9:44 AM: Quarantining All Traces: clickandtrack cookie
9:44 AM: Quarantining All Traces: exitexchange cookie
9:44 AM: Quarantining All Traces: falkag cookie
9:44 AM: Quarantining All Traces: maxserving cookie
9:44 AM: Quarantining All Traces: overture cookie
9:44 AM: Quarantining All Traces: partypoker cookie
9:44 AM: Quarantining All Traces: realmedia cookie
9:44 AM: Quarantining All Traces: server.iad.liveperson cookie
9:44 AM: Quarantining All Traces: specificclick.com cookie
9:44 AM: Quarantining All Traces: statcounter cookie
9:44 AM: Quarantining All Traces: tacoda cookie
9:44 AM: Quarantining All Traces: trafficmp cookie
9:44 AM: Quarantining All Traces: tribalfusion cookie
9:44 AM: Quarantining All Traces: videodome cookie
9:44 AM: Quarantining All Traces: webpower cookie
9:44 AM: Quarantining All Traces: xiti cookie
9:44 AM: Quarantining All Traces: yieldmanager cookie
9:44 AM: Quarantining All Traces: zedo cookie
9:44 AM: Warning: Launched explorer.exe
9:44 AM: Warning: Quarantine process could not restart Explorer.
9:45 AM: Preparing to restart your computer. Please wait...
9:45 AM: Removal process completed. Elapsed time 00:01:40
********
9:15 AM: | Start of Session, Thursday, March 02, 2006 |
9:15 AM: Spy Sweeper started
9:16 AM: Your spyware definitions have been updated.
9:17 AM: | End of Session, Thursday, March 02, 2006 |

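A small triage helper for the HijackThis log format posted above, added here as an example (it is not part of the thread and not HijackThis code). It parses the `Onn - ...` lines and flags the conditions a helper checks by eye in this log: an entry marked `(file missing)`, an O23 service whose owner is `Unknown owner`, and an O4 startup shortcut whose target resolved to `?`. The six sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

LINE_RE = re.compile(r"^O(\d+) - (.*)$")
# Drive-letter path, optionally quoted, optionally followed by the
# "(file missing)" marker HijackThis appends at the end of the line.
TARGET_RE = re.compile(r'"?([A-Za-z]:\\[^"(]*?)"?\s*(\(file missing\))?\s*$')


@dataclass
class Entry:
    section: str            # e.g. "O4", "O23"
    detail: str             # everything after "Onn - "
    target: Optional[str]   # path or command tail the entry points at, if any
    flags: List[str]        # conditions worth a second look


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Onn - ...' line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = "O" + m.group(1), m.group(2)
    flags: List[str] = []
    target = None
    tm = TARGET_RE.search(detail)
    if tm:
        target = tm.group(1).strip()
        if tm.group(2):
            flags.append("file missing")  # entry points at a file that no longer exists
    if section == "O23" and detail.startswith("Service: "):
        parts = detail[len("Service: "):].rsplit(" - ", 2)  # name - owner - path
        if len(parts) == 3 and parts[1] == "Unknown owner":
            flags.append("unknown owner")  # binary carries no publisher information
    if section == "O4" and detail.endswith("= ?"):
        flags.append("unresolved shortcut")  # startup .lnk target could not be read
    return Entry(section, detail, target, flags)


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that carry at least one flag, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.section, ", ".join(e.flags), "->", e.detail)
```

A flag is a prompt to verify the entry against the vendor's documentation, not a verdict; the clean O23 lines in the sample are left untouched.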
#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 March 2006 - 04:21 PM

Good Job :thumbup:

Use Add/Remove Programs and remove Ewido. It's only a 14-day trial version.


Log looks good :D :thumbup: How is it running, any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you don't have these three programs I would recommend that you get them: Spywareblaster, Spywareguard and IESPY AD. They will add 1000s of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 wuxier

wuxier

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 March 2006 - 08:16 AM

Just did all your recommendations. I really appreciate all the help you offered; during this process I also learnt a lot about spyware :) Thank you LDTate! Thank you TomCoyote!

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 03 March 2006 - 03:39 PM

Great job :thumbup: You're more than welcome. Glad we were able to help. Peace be with you :wavey:



#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 03 March 2006 - 03:39 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
