Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

02142006 23:31 - HJT Log


  • This topic is locked This topic is locked
35 replies to this topic

#16 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 22 February 2006 - 01:17 AM

So I made sure ewido was up to date. There were no updates available. I'm still seeing our little poqrpr.exe nemesis. In the ewido it asked me to delete that infection and I unchecked the encrypt checkbox and said remove. Apparently it didn't get rid of it. This poqrpr.exe seems impossible to remove. What can we do???

Here's the Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 12:11:56 AM, on 2/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Drivers&Stuff\LogitechWebCam\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Drivers&Stuff\LogitechWebCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\poqrpr.exe reg_run
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = D:\Utilities\Rainlender\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

And here's the ewido log....

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:47:27 PM, 2/21/2006
+ Report-Checksum: A14BA55F

+ Scan result:

HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\eXactUtil -> Adware.BargainBuddy : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\DNS -> Adware.Shorty : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned without backup
:mozilla.20:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned without backup
:mozilla.21:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup
:mozilla.22:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned without backup
:mozilla.23:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Atdmt : Cleaned without backup
:mozilla.25:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Doubleclick : Cleaned without backup
:mozilla.26:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup
:mozilla.27:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup
:mozilla.28:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.29:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.30:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.31:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.32:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.33:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.34:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.35:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.36:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.37:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.41:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.44:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.45:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.46:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.47:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.48:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.50:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.51:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.52:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.61:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.247realmedia : Cleaned without backup
:mozilla.62:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.63:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.64:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.65:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.66:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.67:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.68:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.76:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.77:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.78:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.79:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.80:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.81:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.82:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.83:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.84:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.85:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.86:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.87:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Mediaplex : Cleaned without backup
:mozilla.95:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned without backup
:mozilla.97:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned without backup
:mozilla.104:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.105:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.106:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.107:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.108:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.109:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.110:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.111:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.112:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.113:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.114:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.115:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.116:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.117:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.118:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.119:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.120:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.121:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.122:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.123:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.124:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.125:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.126:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.127:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.128:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.129:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.130:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.131:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.135:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Sitestat : Cleaned without backup
:mozilla.136:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Sitestat : Cleaned without backup
:mozilla.161:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.162:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.163:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.164:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.165:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.168:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Addynamix : Cleaned without backup
:mozilla.210:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup
:mozilla.211:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned without backup
:mozilla.214:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.215:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.216:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.217:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.218:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.219:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.220:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned without backup
:mozilla.234:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.249:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Revenue : Cleaned without backup
:mozilla.270:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Kmpads : Cleaned without backup
:mozilla.271:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Kmpads : Cleaned without backup
:mozilla.272:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Overture : Cleaned without backup
:mozilla.301:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Spylog : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@starware[2].txt -> TrackingCookie.Starware : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temp\f225033.exe -> Downloader.Qoologic.at : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temp\tm35709.exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temporary Internet Files\Content.IE5\TFZZ1TCQ\ErrorSafeFreeInstall[1].cab/UERS_0001_N68M1801NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temporary Internet Files\Content.IE5\UXZ4TGVU\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\gimmygames10.exe -> Trojan.VB.ajj : Cleaned without backup
C:\gimmygames9.exe -> Downloader.VB.ww : Cleaned without backup
C:\install.exe -> Dropper.Agent.aed : Cleaned without backup
C:\Installer.exe -> Adware.Look2Me : Cleaned without backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned without backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000137.exe -> Dropper.Agent.aac : Cleaned without backup
C:\Program Files\Common Files\mqwo\mqwom.exe -> Downloader.TSUpdate.n : Cleaned without backup
C:\Program Files\Common Files\VCClient\installer.exe -> Downloader.Qoologic.at : Cleaned without backup
C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe -> Dropper.Agent.aac : Cleaned without backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned without backup
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned without backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned without backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned without backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned without backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned without backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned without backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.wd : Cleaned without backup
C:\WINDOWS\gimmygames10.exe -> Trojan.VB.ajj : Cleaned without backup
C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned without backup
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned without backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned without backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned without backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned without backup
C:\WINDOWS\winsysupd9.exe -> Downloader.VB.wy : Cleaned without backup
C:\WINNT\bar.exe -> Adware.IeSearchBar : Cleaned without backup
C:\WINNT\ccc.exe -> Downloader.MlFree : Cleaned without backup
C:\WINNT\pms111x.exe -> Downloader.VB.tw : Cleaned without backup
C:\WINNT\Q2hhcnR3ZWxsIFRlY2hub2xvZ3k\asappsrv.dll -> Adware.CommAd : Cleaned without backup
C:\WINNT\Q2hhcnR3ZWxsIFRlY2hub2xvZ3k\command.exe -> Adware.CommAd : Cleaned without backup
C:\WINNT\SYSC00.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/bi.dll -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/biprep.exe -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/bi.dll -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/biprep.exe -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\ddm3dia.dll -> Backdoor.Adbreak.d : Cleaned without backup
C:\WINNT\system32\exdl.exe -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\exul.exe -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\javexulm.vxd -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\mpxdqlcy.dll -> Trojan.Goldid : Cleaned without backup
C:\WINNT\system32\mqexdlm.srg -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\NWDENB32.DLL -> Adware.Look2Me : Cleaned without backup
C:\WINNT\system32\sahagent1007.exe -> Adware.Sahat : Cleaned without backup
C:\WINNT\system32\vgactl.cpl -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\system32\wygbw.dat -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\unin101.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\uni_eh.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\win32093-399609882006.exe -> Downloader.VB.tw : Cleaned without backup
D:\cwh\casino\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\CWH6_4\bin\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\CWH6_4\bin\download_proxy\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\gaming\bin\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\gaming\bin\download_proxy\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\build\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\dist\distributed\casino.zip/default/bank/netgiroStunnel/Win32/libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\web\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\Utilities\AveryDesignPro\DesignPro Limited Edition 5.2.1201.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup


::Report End

Any Ideas???

    Advertisements

Register to Remove


#17 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 22 February 2006 - 09:41 PM

Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINNT\system32\poqrpr.exe reg_run

Then reboot and a new hijackthis log please.

#18 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 23 February 2006 - 12:06 AM

Sig, I'm wondering if this poqrpr.exe is a Qoologic trojan? I tried with the Killbox and I don't think it worked. I even selected the delete on reboot after the first try. If the poqrpr.exe is part of the Qoologic family, isn't there a program called Scan Spyware that we can try? Anyways, here's my hijackthis log...it still has the poqrpr.exe in the log. I didn't see it materialize in the C:\WINNT\System32 directory like it was last night.

Logfile of HijackThis v1.99.1
Scan saved at 11:01:47 PM, on 2/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Utilities\Rainlender\Rainlendar\Rainlendar.exe
C:\Drivers&Stuff\LogitechWebCam\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\taskmgr.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Drivers&Stuff\LogitechWebCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\poqrpr.exe reg_run
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = D:\Utilities\Rainlender\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

#19 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 23 February 2006 - 09:22 PM

It is Qoologic but ewido should get it. Ow well

Download Find-Qoologic.zip >>> http://downloads.sub...nd-Qoologic.zip and save it to your Desktop.
UNZIP the files inside into their own folder called FindQoologic to the desktop

Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply

#20 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 24 February 2006 - 11:11 AM

K, here it is... Find Qoologic last edited 01/08/2006 Running from C:\Documents and Settings\mccm\Desktop\Find-Qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\SYSTEM32\PSLOGL~1.EXE C:\WINNT\SYSTEM32\JBVDJDD.EXE C:\WINNT\SYSTEM32\POQRPR.EXE C:\WINNT\NWELNL.DAT »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OQWG.EXE ..... ..... SteelWerX Registry Console Tool RC-2 Written by Bobbi Flekman ..... [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu] @="{BDA77241-42F6-11d0-85E2-00AA001FE28C}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkstmtxq] @="{73fd088d-a493-4120-a694-c9e285050fe6}" [-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}] [-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}] [-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus] ..... ..... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winsync"="C:\\WINNT\\system32\\poqrpr.exe reg_run" ..... [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

#21 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 25 February 2006 - 02:33 PM

Download Pocket Killbox version 2.0.0.175
http://www.atribune....ads/KillBox.exe
If you already have Killbox first ensure it is this version !.

Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINNT\SYSTEM32\PSLOGL~1.EXE
C:\WINNT\SYSTEM32\JBVDJDD.EXE
C:\WINNT\SYSTEM32\POQRPR.EXE
C:\WINNT\NWELNL.DAT


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Then a new FindQoologic log please.

#22 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 26 February 2006 - 03:45 AM

Still there methinks.... Run Qoologic log: Find Qoologic last edited 01/08/2006 Running from C:\Documents and Settings\mccm\Desktop\Find-Qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\SYSTEM32\JBVDJDD.EXE C:\WINNT\SYSTEM32\POQRPR.EXE »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OQWG.EXE ..... ..... SteelWerX Registry Console Tool RC-2 Written by Bobbi Flekman ..... [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu] @="{BDA77241-42F6-11d0-85E2-00AA001FE28C}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkstmtxq] @="{73fd088d-a493-4120-a694-c9e285050fe6}" [-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}] [-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}] [-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus] ..... ..... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winsync"="C:\\WINNT\\system32\\poqrpr.exe reg_run" ..... [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

#23 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 26 February 2006 - 10:55 AM

First, Disconnect from the Internet!!

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINNT\SYSTEM32\JBVDJDD.EXE
C:\WINNT\SYSTEM32\POQRPR.EXE

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Then a new hijackthis log and qoologic log please.

Edited by Siggyx, 26 February 2006 - 10:55 AM.


#24 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 26 February 2006 - 12:11 PM

Find Qoologic Log...

Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\mccm\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkstmtxq]
@="{73fd088d-a493-4120-a694-c9e285050fe6}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINNT\\system32\\poqrpr.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]



Hijackthis Log...

Logfile of HijackThis v1.99.1
Scan saved at 11:05:57 AM, on 2/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Drivers&Stuff\LogitechWebCam\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Drivers&Stuff\LogitechWebCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Drivers&Stuff\LogitechWebCam\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\poqrpr.exe reg_run
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = D:\Utilities\Rainlender\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

#25 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 26 February 2006 - 12:46 PM

K, I went and ran that fixme.reg file again and it wiped out the CurrentVersion\Run directory. I rebooted and the CurrentVersion Run key is no longer there period. The poqrpr.exe file is no longer there too which is good. I'm wondering if I run that fixme.reg file again, will it put the 'Run' key back for I'll need it to have my other programs run at startup?

Anyways, here is the Qoologic log and Hijackthis log respectively...

Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\mccm\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkstmtxq]
@="{73fd088d-a493-4120-a694-c9e285050fe6}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]


---------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:38:30 AM, on 2/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\LVComsX.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = D:\Utilities\Rainlender\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

    Advertisements

Register to Remove


#26 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 28 February 2006 - 12:21 AM

Sig, This keeps coming up on a2 Guard Alert! I keep hitting Delete file and/or Deny Program, but it keeps coming up. I don't think this little foe has dissapeared from my pc. C:\WINNT\system32\poqrpr.exe Trojan-Downloader.Win32.Qoologic.ax

#27 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 02 March 2006 - 12:20 AM

Sorry I have been out of town on business. Boot to safe mode and scan Ewido, then post the ewido log and a new hijackthis log please.

#28 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 03 March 2006 - 09:40 AM

report....

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:47:27 PM, 2/21/2006
+ Report-Checksum: A14BA55F

+ Scan result:

HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKLM\SOFTWARE\eXactUtil -> Adware.BargainBuddy : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\DNS -> Adware.Shorty : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned without backup
HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned without backup
:mozilla.20:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned without backup
:mozilla.21:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Advertising : Cleaned without backup
:mozilla.22:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned without backup
:mozilla.23:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Atdmt : Cleaned without backup
:mozilla.25:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Doubleclick : Cleaned without backup
:mozilla.26:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup
:mozilla.27:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Adserver : Cleaned without backup
:mozilla.28:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.29:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.30:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.31:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Fastclick : Cleaned without backup
:mozilla.32:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.33:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.34:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.35:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.36:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.37:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.41:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned without backup
:mozilla.44:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.45:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.46:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.47:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.48:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Zedo : Cleaned without backup
:mozilla.50:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.51:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.52:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Targetnet : Cleaned without backup
:mozilla.61:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.247realmedia : Cleaned without backup
:mozilla.62:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.63:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.64:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.65:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.66:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.67:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.68:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Trafficmp : Cleaned without backup
:mozilla.76:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.77:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.78:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.79:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.80:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.81:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.82:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.83:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.84:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.85:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.86:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Falkag : Cleaned without backup
:mozilla.87:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Mediaplex : Cleaned without backup
:mozilla.95:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned without backup
:mozilla.97:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned without backup
:mozilla.104:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.105:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.106:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.107:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.108:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.109:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.110:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.111:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.112:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.113:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.114:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.115:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.116:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.117:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.118:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.119:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.120:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.121:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.122:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.123:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.124:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.125:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.126:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.127:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.128:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.129:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Paypopup : Cleaned without backup
:mozilla.130:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.131:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.135:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Sitestat : Cleaned without backup
:mozilla.136:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Sitestat : Cleaned without backup
:mozilla.161:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.162:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.163:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.164:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.165:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.168:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Addynamix : Cleaned without backup
:mozilla.210:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Googleadservices : Cleaned without backup
:mozilla.211:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned without backup
:mozilla.214:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.215:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.216:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.217:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.218:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.219:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Reliablestats : Cleaned without backup
:mozilla.220:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned without backup
:mozilla.234:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.249:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Revenue : Cleaned without backup
:mozilla.270:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Kmpads : Cleaned without backup
:mozilla.271:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Kmpads : Cleaned without backup
:mozilla.272:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Overture : Cleaned without backup
:mozilla.301:C:\Documents and Settings\mccm\Application Data\Mozilla\Firefox\Profiles\default.35u\cookies.txt -> TrackingCookie.Spylog : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@starware[2].txt -> TrackingCookie.Starware : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned without backup
C:\Documents and Settings\mccm\Cookies\mccm@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temp\f225033.exe -> Downloader.Qoologic.at : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temp\tm35709.exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temporary Internet Files\Content.IE5\TFZZ1TCQ\ErrorSafeFreeInstall[1].cab/UERS_0001_N68M1801NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned without backup
C:\Documents and Settings\mccm\Local Settings\Temporary Internet Files\Content.IE5\UXZ4TGVU\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\gimmygames10.exe -> Trojan.VB.ajj : Cleaned without backup
C:\gimmygames9.exe -> Downloader.VB.ww : Cleaned without backup
C:\install.exe -> Dropper.Agent.aed : Cleaned without backup
C:\Installer.exe -> Adware.Look2Me : Cleaned without backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned without backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000137.exe -> Dropper.Agent.aac : Cleaned without backup
C:\Program Files\Common Files\mqwo\mqwom.exe -> Downloader.TSUpdate.n : Cleaned without backup
C:\Program Files\Common Files\VCClient\installer.exe -> Downloader.Qoologic.at : Cleaned without backup
C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe -> Dropper.Agent.aac : Cleaned without backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned without backup
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll -> Adware.UCmore : Cleaned without backup
C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned without backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned without backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned without backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned without backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned without backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned without backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.wd : Cleaned without backup
C:\WINDOWS\gimmygames10.exe -> Trojan.VB.ajj : Cleaned without backup
C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned without backup
C:\WINDOWS\winsysban10.exe -> Hijacker.VB.ld : Cleaned without backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned without backup
C:\WINDOWS\winsysupd10.exe -> Downloader.VB.wg : Cleaned without backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned without backup
C:\WINDOWS\winsysupd9.exe -> Downloader.VB.wy : Cleaned without backup
C:\WINNT\bar.exe -> Adware.IeSearchBar : Cleaned without backup
C:\WINNT\ccc.exe -> Downloader.MlFree : Cleaned without backup
C:\WINNT\pms111x.exe -> Downloader.VB.tw : Cleaned without backup
C:\WINNT\Q2hhcnR3ZWxsIFRlY2hub2xvZ3k\asappsrv.dll -> Adware.CommAd : Cleaned without backup
C:\WINNT\Q2hhcnR3ZWxsIFRlY2hub2xvZ3k\command.exe -> Adware.CommAd : Cleaned without backup
C:\WINNT\SYSC00.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/bi.dll -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/biprep.exe -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/bi.dll -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\c36bHs.dll/biprep.exe -> Adware.BiSpy : Cleaned without backup
C:\WINNT\system32\ddm3dia.dll -> Backdoor.Adbreak.d : Cleaned without backup
C:\WINNT\system32\exdl.exe -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\exul.exe -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\javexulm.vxd -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\mpxdqlcy.dll -> Trojan.Goldid : Cleaned without backup
C:\WINNT\system32\mqexdlm.srg -> Adware.BargainBuddy : Cleaned without backup
C:\WINNT\system32\NWDENB32.DLL -> Adware.Look2Me : Cleaned without backup
C:\WINNT\system32\sahagent1007.exe -> Adware.Sahat : Cleaned without backup
C:\WINNT\system32\vgactl.cpl -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\system32\wygbw.dat -> Downloader.Qoologic.at : Cleaned without backup
C:\WINNT\unin101.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\uni_eh.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINNT\win32093-399609882006.exe -> Downloader.VB.tw : Cleaned without backup
D:\cwh\casino\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\CWH6_4\bin\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\CWH6_4\bin\download_proxy\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\gaming\bin\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\gaming\bin\download_proxy\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\build\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\dist\distributed\casino.zip/default/bank/netgiroStunnel/Win32/libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\CWH_HEAD\web\webapps\casino\web\default\bank\netgiroStunnel\Win32\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : Cleaned without backup
D:\Utilities\AveryDesignPro\DesignPro Limited Edition 5.2.1201.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup


::Report End


hijackthis report

Logfile of HijackThis v1.99.1
Scan saved at 8:32:18 AM, on 3/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\LVComsX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


I ran FindQoologic and it's still there...

Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\mccm\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

C:\WINNT\SYSTEM32\JBVDJDD.EXE
C:\WINNT\SYSTEM32\POQRPR.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkstmtxq]
@="{73fd088d-a493-4120-a694-c9e285050fe6}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

I don't know Sig...this just will not go away...

#29 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 04 March 2006 - 12:19 AM

Lets see if Spysweeper ccan help, it does sometimes.

Please download WebRoot SpySweeper from HERE >>> http://www.webroot.c...ode=af1&rc=3597 (It's a 2 week trial):
Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply as well as a new hijackthsi log please.

#30 MccM

MccM

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 04 March 2006 - 12:45 PM

HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 11:41:45 AM, on 3/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
D:\Utilities\Ad-aware6\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Utilities\Ad-aware6\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\LVComsX.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Drivers&Stuff\LogitechWebCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\DevApps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = calgary.chartwelltechnology.com
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - D:\DevApps\pcAnywhere10\awhost32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SBHookSvc - Unknown owner - D:\UTILIT~1\TELUSE~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Utilities\Ad-aware6\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

SpySweeper Session Log...
********
9:58 AM: | Start of Session, Saturday, March 04, 2006 |
9:58 AM: Spy Sweeper started
9:58 AM: Sweep initiated using definitions version 625
9:59 AM: Starting Memory Sweep
10:06 AM: Found Adware: clkoptimizer
10:06 AM: Detected running threat: C:\WINNT\system32\kkqrk.dll (ID = 216840)
10:08 AM: Memory Sweep Complete, Elapsed Time: 00:09:10
10:08 AM: Starting Registry Sweep
10:08 AM: Found Adware: elitemediagroup-mediamotor
10:08 AM: HKLM\software\ssprint\ (2 subtraces) (ID = 140214)
10:08 AM: Found Adware: safesurf
10:08 AM: HKLM\software\microsoft\windows\currentversion\app paths\sshelp.dll\ (2 subtraces) (ID = 140388)
10:08 AM: HKLM\software\microsoft\windows\currentversion\app paths\ssup.exe\ (2 subtraces) (ID = 140389)
10:08 AM: Found Adware: surfsidekick
10:08 AM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
10:08 AM: Found Adware: command
10:08 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
10:08 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
10:08 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
10:08 AM: Found Adware: maxifiles
10:08 AM: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
10:08 AM: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
10:08 AM: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
10:08 AM: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
10:08 AM: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
10:08 AM: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
10:08 AM: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
10:08 AM: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
10:08 AM: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
10:08 AM: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
10:08 AM: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
10:08 AM: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
10:08 AM: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
10:08 AM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
10:08 AM: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
10:08 AM: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
10:08 AM: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
10:08 AM: Found Adware: ezula ilookup
10:08 AM: HKCR\le.toy24\ (5 subtraces) (ID = 1157594)
10:08 AM: HKCR\le.toy24.1\ (3 subtraces) (ID = 1157600)
10:08 AM: HKCR\onone.thegimp\ (5 subtraces) (ID = 1157604)
10:08 AM: HKCR\onone.thegimp.1\ (3 subtraces) (ID = 1157610)
10:08 AM: HKCR\clsid\{10049d2a-2965-4e4f-8c7e-cb33ad95feb7}\ (11 subtraces) (ID = 1157626)
10:08 AM: HKCR\typelib\{82910ce3-d86a-435a-a519-6a8c369855d3}\ (9 subtraces) (ID = 1157638)
10:08 AM: HKLM\software\classes\le.toy24\ (5 subtraces) (ID = 1157650)
10:08 AM: HKLM\software\classes\le.toy24.1\ (3 subtraces) (ID = 1157656)
10:08 AM: HKLM\software\classes\onone.thegimp\ (5 subtraces) (ID = 1157660)
10:08 AM: HKLM\software\classes\onone.thegimp.1\ (3 subtraces) (ID = 1157666)
10:08 AM: HKLM\software\classes\clsid\{10049d2a-2965-4e4f-8c7e-cb33ad95feb7}\ (11 subtraces) (ID = 1157683)
10:08 AM: HKLM\software\classes\typelib\{82910ce3-d86a-435a-a519-6a8c369855d3}\ (9 subtraces) (ID = 1157695)
10:08 AM: HKLM\software\microsoft\bit1ocker\ (1 subtraces) (ID = 1157705)
10:09 AM: Found Adware: findthewebsiteyouneed hijack
10:09 AM: HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
10:09 AM: Found Adware: enbrowser
10:09 AM: HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\software\system\sysuid\ (1 subtraces) (ID = 731748)
10:09 AM: HKU\S-1-5-21-3077576019-2355979638-4132696707-1132\software\xbtb04715\ (71 subtraces) (ID = 1156401)
10:09 AM: Registry Sweep Complete, Elapsed Time:00:00:38
10:09 AM: Starting Cookie Sweep
10:09 AM: Found Spy Cookie: tribalfusion cookie
10:09 AM: mccm@a.tribalfusion[1].txt (ID = 3590)
10:09 AM: Found Spy Cookie: yieldmanager cookie
10:09 AM: mccm@ad.yieldmanager[1].txt (ID = 3751)
10:09 AM: Found Spy Cookie: adecn cookie
10:09 AM: mccm@adecn[1].txt (ID = 2063)
10:09 AM: Found Spy Cookie: adknowledge cookie
10:09 AM: mccm@adknowledge[2].txt (ID = 2072)
10:09 AM: Found Spy Cookie: casalemedia cookie
10:09 AM: mccm@casalemedia[2].txt (ID = 2354)
10:09 AM: Found Spy Cookie: overture cookie
10:09 AM: mccm@data4.perf.overture[1].txt (ID = 3106)
10:09 AM: mccm@perf.overture[1].txt (ID = 3106)
10:09 AM: Found Spy Cookie: realmedia cookie
10:09 AM: mccm@realmedia[2].txt (ID = 3235)
10:09 AM: Found Spy Cookie: serving-sys cookie
10:09 AM: mccm@serving-sys[2].txt (ID = 3343)
10:09 AM: Found Spy Cookie: tacoda cookie
10:09 AM: mccm@tacoda[1].txt (ID = 6444)
10:09 AM: Found Spy Cookie: trafficmp cookie
10:09 AM: mccm@trafficmp[2].txt (ID = 3581)
10:09 AM: mccm@tribalfusion[2].txt (ID = 3589)
10:09 AM: Found Spy Cookie: adserver cookie
10:09 AM: mccm@z1.adserver[1].txt (ID = 2142)
10:09 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:09 AM: Starting File Sweep
10:09 AM: Found Trojan Horse: trojan downloader matcash
10:09 AM: c:\program files\outlook (ID = -2147454834)
10:09 AM: c:\program files\network monitor (ID = -2147459771)
10:09 AM: c:\program files\common files\vcclient (8 subtraces) (ID = -2147461290)
10:09 AM: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
10:09 AM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
10:09 AM: Found System Monitor: msn sniffer
10:09 AM: msn sniffer.lnk (ID = 70176)
10:09 AM: Found Adware: targetsaver
10:09 AM: mqwoc.dll (ID = 195129)
10:13 AM: iuspipn.dll (ID = 216821)
10:27 AM: mc-110-12-0000228.exe (ID = 246327)
10:32 AM: wygbw.dat (ID = 209705)
10:33 AM: kkqrk.dll (ID = 216840)
10:36 AM: poqrpr.exe( 1) (ID = 209705)
10:36 AM: basis.xml (ID = 244764)
10:36 AM: poqrpr.exe (ID = 209705)
10:36 AM: vocabulary (ID = 78283)
10:37 AM: mc-110-12-0000137.exe (ID = 243410)
10:37 AM: vcmain.exe (ID = 212830)
10:37 AM: tagasaurus.exe (ID = 244271)
10:37 AM: nse2ee.dll (ID = 245257)
10:37 AM: vcclient.exe (ID = 212828)
10:37 AM: ss1001.exe (ID = 216718)
10:37 AM: poqrpr.exe (ID = 209705)
10:37 AM: dc5.exe (ID = 216822)
10:37 AM: tsuninst.exe (ID = 193501)
10:37 AM: vcupdate.exe (ID = 212831)
10:37 AM: uninstall_nmon.vbs (ID = 231442)
10:37 AM: freeprodtb.exe (ID = 244762)
10:37 AM: pf78.exe (ID = 244430)
10:37 AM: vcupdate.exe.config (ID = 212361)
10:37 AM: class-barrel (ID = 78229)
10:38 AM: autoit3.exe (ID = 185254)
10:38 AM: jbvdjdd.exe (ID = 216822)
10:38 AM: freeprodtb.exe (ID = 244762)
10:38 AM: Found Adware: directrevenue-abetterinternet
10:38 AM: belt.inf (ID = 83154)
10:38 AM: biini.inf (ID = 83199)
10:38 AM: clientupdater.bat (ID = 212353)
10:38 AM: vcclient.exe.config (ID = 212358)
10:38 AM: Warning: Failed to read ADS-MFT entry 357245
10:38 AM: Warning: Failed to read ADS-MFT entry 354595
10:38 AM: Warning: Failed to read ADS-MFT entry 357244
10:38 AM: Warning: Failed to read ADS-MFT entry 307726
10:38 AM: Warning: Failed to read ADS-MFT entry 307727
10:38 AM: Warning: Failed to read ADS-MFT entry 270730
10:38 AM: Warning: Failed to read ADS-MFT entry 141508
10:38 AM: Warning: Failed to read ADS-MFT entry 141509
10:38 AM: Warning: Failed to read ADS-MFT entry 141491
10:38 AM: Warning: Failed to read ADS-MFT entry 141492
10:38 AM: Warning: Failed to read ADS-MFT entry 141493
10:38 AM: Warning: Failed to read ADS-MFT entry 144591
10:38 AM: Warning: Failed to read ADS-MFT entry 254327
10:38 AM: Warning: Failed to read ADS-MFT entry 254328
10:38 AM: Warning: Failed to read ADS-MFT entry 254331
10:38 AM: Warning: Failed to read ADS-MFT entry 254332
10:38 AM: Warning: Failed to read ADS-MFT entry 255172
10:38 AM: Warning: Failed to read ADS-MFT entry 169716
10:38 AM: Warning: Failed to read ADS-MFT entry 254328
10:38 AM: Warning: Failed to read ADS-MFT entry 254331
10:38 AM: Warning: Failed to read ADS-MFT entry 254332
10:38 AM: Warning: Failed to read ADS-MFT entry 255172
10:38 AM: Warning: Failed to read ADS-MFT entry 169716
10:38 AM: Warning: Failed to read ADS-MFT entry 150606
10:38 AM: Warning: Failed to read ADS-MFT entry 150609
10:38 AM: Warning: Failed to read ADS-MFT entry 150612
10:38 AM: Warning: Failed to read ADS-MFT entry 150615
10:38 AM: Warning: Failed to read ADS-MFT entry 154026
10:38 AM: Warning: Failed to read ADS-MFT entry 154476
10:38 AM: Warning: Failed to read ADS-MFT entry 154483
10:38 AM: Warning: Failed to read ADS-MFT entry 154484
10:38 AM: Warning: Failed to read ADS-MFT entry 154489
10:38 AM: Warning: Failed to read ADS-MFT entry 154490
10:38 AM: Warning: Failed to read ADS-MFT entry 154491
10:38 AM: Warning: Failed to read ADS-MFT entry 154494
10:38 AM: Warning: Failed to read ADS-MFT entry 156241
10:38 AM: Warning: Failed to read ADS-MFT entry 156233
10:38 AM: Warning: Failed to read ADS-MFT entry 156234
10:38 AM: Warning: Failed to read ADS-MFT entry 156243
10:38 AM: Warning: Failed to read ADS-MFT entry 156278
10:38 AM: Warning: Failed to read ADS-MFT entry 156279
10:38 AM: Warning: Failed to read ADS-MFT entry 156280
10:38 AM: Warning: Failed to read ADS-MFT entry 157333
10:38 AM: Warning: Failed to read ADS-MFT entry 157570
10:38 AM: Warning: Failed to read ADS-MFT entry 157624
10:38 AM: Warning: Failed to read ADS-MFT entry 157773
10:38 AM: Warning: Failed to read ADS-MFT entry 157782
10:38 AM: Warning: Failed to read ADS-MFT entry 157798
10:38 AM: Warning: Failed to read ADS-MFT entry 157805
10:38 AM: Warning: Failed to read ADS-MFT entry 157806
10:38 AM: Warning: Failed to read ADS-MFT entry 159139
10:38 AM: Warning: Failed to read ADS-MFT entry 159142
10:38 AM: Warning: Failed to read ADS-MFT entry 159147
10:38 AM: Warning: Failed to read ADS-MFT entry 160766
10:38 AM: Warning: Failed to read ADS-MFT entry 280720
10:38 AM: Warning: Failed to read ADS-MFT entry 280720
10:38 AM: Warning: Failed to read ADS-MFT entry 280720
10:38 AM: Warning: Failed to read ADS-MFT entry 280735
10:38 AM: Warning: Failed to read ADS-MFT entry 280736
10:46 AM: msnsniffer_trial_setup.exe (ID = 135536)
10:52 AM: Warning: Failed to read ADS-MFT entry 254327
10:52 AM: Warning: Failed to read ADS-MFT entry 254328
10:52 AM: Warning: Failed to read ADS-MFT entry 254331
10:52 AM: Warning: Failed to read ADS-MFT entry 254332
10:52 AM: Warning: Failed to read ADS-MFT entry 255172
10:52 AM: Warning: Failed to read ADS-MFT entry 169716
10:57 AM: Warning: Unhandled Archive Type
10:58 AM: Warning: Cannot create file "C:\WINNT\Temp\142SST9.1\docs\manual\api\org\apache\tools\zip\". The system cannot find the path specified
11:05 AM: File Sweep Complete, Elapsed Time: 00:56:47
11:05 AM: Full Sweep has completed. Elapsed time 01:07:02
11:05 AM: Traces Found: 371
11:14 AM: Removal process initiated
11:15 AM: Spy Installation Shield: found: Adware: clkoptimizer, version 1.0.0.0 -- Execution Denied
11:15 AM: Quarantining All Traces: clkoptimizer
11:15 AM: clkoptimizer is in use. It will be removed on reboot.
11:15 AM: kkqrk.dll is in use. It will be removed on reboot.
11:15 AM: Quarantining All Traces: directrevenue-abetterinternet
11:15 AM: Quarantining All Traces: msn sniffer
11:15 AM: Quarantining All Traces: trojan downloader matcash
11:15 AM: Quarantining All Traces: elitemediagroup-mediamotor
11:15 AM: Quarantining All Traces: enbrowser
11:15 AM: Quarantining All Traces: maxifiles
11:16 AM: maxifiles is in use. It will be removed on reboot.
11:16 AM: freeprodtb.exe is in use. It will be removed on reboot.
11:16 AM: Quarantining All Traces: surfsidekick
11:16 AM: Quarantining All Traces: command
11:16 AM: Quarantining All Traces: ezula ilookup
11:16 AM: Quarantining All Traces: findthewebsiteyouneed hijack
11:16 AM: Quarantining All Traces: safesurf
11:16 AM: Quarantining All Traces: targetsaver
11:16 AM: Quarantining All Traces: adecn cookie
11:16 AM: Quarantining All Traces: adknowledge cookie
11:16 AM: Quarantining All Traces: adserver cookie
11:16 AM: Quarantining All Traces: casalemedia cookie
11:16 AM: Quarantining All Traces: overture cookie
11:16 AM: Quarantining All Traces: realmedia cookie
11:16 AM: Quarantining All Traces: serving-sys cookie
11:16 AM: Quarantining All Traces: tacoda cookie
11:16 AM: Quarantining All Traces: trafficmp cookie
11:16 AM: Quarantining All Traces: tribalfusion cookie
11:16 AM: Quarantining All Traces: yieldmanager cookie
11:16 AM: Quarantining All Traces: clkoptimizer
11:17 AM: Preparing to restart your computer. Please wait...
11:17 AM: Removal process completed. Elapsed time 00:02:36
11:38 AM: Deletion from quarantine initiated
11:38 AM: Processing: adecn cookie
11:38 AM: Processing: adknowledge cookie
11:38 AM: Processing: adserver cookie
11:38 AM: Processing: casalemedia cookie
11:38 AM: Processing: clkoptimizer
11:38 AM: Processing: command
11:38 AM: Processing: directrevenue-abetterinternet
11:38 AM: Processing: elitemediagroup-mediamotor
11:38 AM: Processing: enbrowser
11:38 AM: Processing: ezula ilookup
11:38 AM: Processing: findthewebsiteyouneed hijack
11:38 AM: Processing: maxifiles
11:38 AM: Processing: msn sniffer
11:38 AM: Processing: overture cookie
11:38 AM: Processing: realmedia cookie
11:38 AM: Processing: safesurf
11:38 AM: Processing: serving-sys cookie
11:38 AM: Processing: surfsidekick
11:38 AM: Processing: tacoda cookie
11:38 AM: Processing: targetsaver
11:38 AM: Processing: trafficmp cookie
11:38 AM: Processing: tribalfusion cookie
11:38 AM: Processing: trojan downloader matcash
11:38 AM: Processing: yieldmanager cookie
11:38 AM: Deletion from quarantine completed. Elapsed time 00:00:07
********
9:47 AM: | Start of Session, Saturday, March 04, 2006 |
9:47 AM: Spy Sweeper started
9:55 AM: Your spyware definitions have been updated.
9:58 AM: Memory Shield: Found: Memory-resident threat clkoptimizer, version 1.0.0.0
9:58 AM: Detected running threat: clkoptimizer
9:58 AM: | End of Session, Saturday, March 04, 2006 |

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users