Qoologic Trojan HJT log


  • This topic is locked
13 replies to this topic

#1 tpaudet

tpaudet

    New Member

  • Authentic Member
  • 9 posts

Posted 02 April 2006 - 06:24 PM

Trend Micro online scan found 6 instances of TROJ_QOOLOGIC (.AI; .AL; .AN, etc.). Norton found a few things, but did not find the QOOLOGIC trojan. Below is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:38:37 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\mousepad7.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ir6sl5j71.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
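Reading a log like the one above by hand is error-prone, and the lines that matter here are easy to miss among the Symantec and Google entries. The following is an added example (not code from this thread and not part of HijackThis) that applies a few defender-side heuristics to exactly the entry types that carry the infection in this log: the F2 `Shell=` and `UserInit=` values that have gained an extra executable, the O20 Winlogon Notify handlers that point at DLLs with random names, the O10 broken LSP chain, and orphaned entries. The sample lines are copied from the log posted above; the allow-list of known Winlogon Notify handlers and the severity labels are assumptions of this example, not an official baseline.

```python
"""Triage the persistence-related lines of a HijackThis v1.99 log.

Added example for this thread; not HijackThis code. The KNOWN_NOTIFY set and
the heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\ir6sl5j71.dll
"""

# Winlogon Notify subkeys that ship with XP/2000 or with common vendor drivers.
# Assumption of this example; a real triage compares against a known-clean
# machine of the same build.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scclgntfy", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "F2" or "O20"
    severity: str  # "high" or "low"
    detail: str


def _items(value: str) -> List[str]:
    """Split 'a, b,c' into ['a', 'b', 'c'], dropping empty pieces."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks wrong."""
    line = line.strip()
    if not line:
        return None
    tag = line.split(" ", 1)[0]

    if tag == "F2" and "system.ini:" in line:
        # Shell= should launch only Explorer.exe; UserInit= only userinit.exe.
        key, _, value = line.split("system.ini:", 1)[1].strip().partition("=")
        parts = _items(value)
        if key.lower() == "shell":
            extra = [p for p in parts if _basename(p) != "explorer.exe"]
            if extra:
                return Finding("F2", "high", "Shell= launches extra program(s): " + ", ".join(extra))
        elif key.lower() == "userinit":
            extra = [p for p in parts if _basename(p) != "userinit.exe"]
            if extra:
                return Finding("F2", "high", "UserInit= launches extra program(s): " + ", ".join(extra))
    elif tag == "O20" and "Winlogon Notify:" in line:
        # A Notify handler runs inside winlogon at every logon; unknown names are suspect.
        m = re.match(r"O20 - Winlogon Notify: (\S+) - (.+)$", line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            return Finding("O20", "high", f"unknown Winlogon Notify handler {m.group(1)} -> {m.group(2)}")
    elif tag == "O10" and "Broken Internet access" in line:
        return Finding("O10", "high", "LSP chain references a missing DLL; expect no connectivity until repaired")
    elif "(no file)" in line or "(file missing)" in line:
        return Finding(tag, "low", "orphaned entry: " + line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and keep the hits, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.detail}")
```

The O4 `mousepad7.exe` line deliberately produces no finding: a Run entry with a plain path in `C:\windows` is not distinguishable from legitimate software by syntax alone, which is why the helpers in this thread rely on scanner results and file names rather than on the HJT line by itself.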



#2 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 02 April 2006 - 07:17 PM

Hello tpaudet and welcome to TomCoyote.

Please do the following:

STEP 1.
======
WinsockXPfix
Download WinsockXPfix
Do Not use it yet!
If you encounter problems connecting to the Internet, run this WinsockXPfix. You may not even need to do this but I want you to be aware of this fix if for some reason you cannot connect after rebooting.
Locate the Winsockxpfix.exe and double click and click Run.
The VB_WinFix Win 1.2 window will appear.
Click Fix

STEP 2.
======
New.Net Removal

Please open Add/Remove programs and uninstall New.Net or NewDotNet. If it is not listed, follow these instructions:
  • From a computer that has Internet access, click on NewDotNet Removal
  • If you get "the page cannot be displayed" when clicking on the removal link, you may have winhelp's mvps hosts file installed, as www.newdotnet.com is a blocked site.
  • Download and save uninstall6_90.exe (New.Net/Support/Uninstall exe file) to the Desktop.
  • Go to the Desktop and double-click on uninstall6_90.exe
  • Click on the OK button.
  • After removal, reboot.
STEP 3.
======
Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip

Run the program and click the Web button as shown here:
Posted Image


Use this URL to copy into the address bar of the Download script window:

http://metallica.gee...alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:

http://metallica.gee...structions.html

STEP 4.
======
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • I will need you to post contents of C:\vundofix.txt later.
STEP 5.
======
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Then reboot and post back with the contents of C:\vundofix.txt, the information from Kaspersky, and the HijackThis log.

#3 tpaudet

tpaudet

    New Member

  • Authentic Member
  • 9 posts

Posted 02 April 2006 - 09:19 PM

Kaspersky Log

Susan528, thank you very much for helping me. I completed the instructions you gave me. I also have a program called ewido anti-malware that is finding the following, but when I click to have it clean it, it is not capable. It is finding pruponj.dll; atmtw.exe; jkvpwf.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 02, 2006 10:00:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 3/04/2006
Kaspersky Anti-Virus database records: 174404
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 44915
Number of viruses found: 12
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 00:52:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\.housecall\Quarantine\atmtw.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\crhqd.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\jkvpwf.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\lptxhly.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\piksj.dat.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\__delete_on_reboot__pruponj.dll.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\01E23176.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19032973.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DB560B8.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EDF1E13.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\533A4B74.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64870BD8.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\648A35D4.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\648D5FD1.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649109CD.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649433CA.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64975DC6.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649B07C2.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649B07C2.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649E31BF.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64A405B8.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64A82FB4.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A5B4371.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000017.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000018.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0001011.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002021.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002022.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002024.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\mousepad7.exe Infected: Trojan-Downloader.Win32.VB.zw skipped
C:\WINDOWS\system32\piksj.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\system32\__delete_on_reboot__pruponj.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

Scan process completed.
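Most of the 32 objects in the report above are not live: 23 sit in the HouseCall and Norton quarantine stores and 6 in a System Restore point, leaving only three files under C:\WINDOWS that are actually reachable at boot. Sorting a scanner report by location is the first thing a responder does with it, so the following added example (not code from this thread or from Kaspersky) parses the report's `<path> Infected: <family> <action>` lines and groups them by where they live. The sample is a subset copied from the report above; the three location classes and the path patterns used to recognise them are assumptions of this example.

```python
"""Summarise a Kaspersky On-line Scanner report by where each detection lives.

Added example for this thread; not Kaspersky code. The location classes
(quarantine / system_restore / live) and their path patterns are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: a subset of the report lines posted above, plus the
# header and footer lines that a parser must skip.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\.housecall\Quarantine\atmtw.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\01E23176.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000017.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\mousepad7.exe Infected: Trojan-Downloader.Win32.VB.zw skipped
C:\WINDOWS\system32\piksj.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\system32\__delete_on_reboot__pruponj.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
Scan process completed.
"""


class Detection(NamedTuple):
    path: str
    family: str
    action: str
    location: str


# One detection per line: "<path> Infected: <family> <action>".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<family>\S+) (?P<action>\S+)$")


def classify(path: str) -> str:
    """Quarantine stores and System Restore points hold inert copies that the
    scanner still sees; anything else is a live file on the system."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line; header, settings and footer lines do not
    match the pattern and are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["family"], m["action"], classify(m["path"])))
    return out


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts per location and per family, plus the live paths that need action."""
    return {
        "by_location": dict(Counter(d.location for d in dets)),
        "by_family": dict(Counter(d.family for d in dets)),
        "live": [d.path for d in dets if d.location == "live"],
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print("by location:", s["by_location"])
    print("by family:  ", s["by_family"])
    print("live files needing action:")
    for p in s["live"]:
        print("  ", p)
```

The `live` list is the one that matters for remediation; the quarantine copies are already contained, and the System Restore copies go away when restore points are purged, which is why helpers on these forums ask for the live files to be deleted on reboot and deal with System Restore separately at the end.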

#4 tpaudet

tpaudet

    New Member

  • Authentic Member
  • 9 posts

Posted 02 April 2006 - 09:20 PM

HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 10:05:59 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\windows\mousepad7.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\fpnu0359e.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#5 tpaudet

tpaudet

    New Member

  • Authentic Member
  • 9 posts

Posted 02 April 2006 - 09:22 PM

vundofix.txt

VundoFix V4.2.43
Checking Java version...
Sun Java not detected
Scan started at 12:53:04 AM 4/2/2006
Listing files found while scanning....
No infected files were found.

VundoFix V4.2.43
Checking Java version...
Sun Java not detected
Scan started at 3:48:44 AM 4/2/2006
Listing files found while scanning....
No infected files were found.

VundoFix V4.2.43
Checking Java version...
Sun Java not detected
Scan started at 4:05:48 AM 4/2/2006
Listing files found while scanning....
No infected files were found.

VundoFix V4.2.43
Checking Java version...
Scan started at 4:36:18 PM 4/2/2006
Listing files found while scanning....
No infected files were found.

VundoFix V4.2.43
Checking Java version...
Scan started at 8:30:13 PM 4/2/2006
Listing files found while scanning....
No infected files were found.

#6 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 03 April 2006 - 07:13 AM

Hello tpaudet,

Let's try the following:

STEP 1.
======
Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

STEP 2.
======
Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip

Run the program and click the Web button.


Use this URL to copy into the address bar of the Download script window:

http://metallica.gee...alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:

http://metallica.gee...structions.html

STEP 3.
======
Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\fpnu0359e.dll

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

STEP 4.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\windows\mousepad7.exe
C:\WINDOWS\system32\atmtw.exe
C:\WINDOWS\system32\piksj.dat
C:\WINDOWS\system32\__delete_on_reboot__pruponj.dll
C:\WINDOWS\system32\fpnu0359e.dll


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

Please run Kaspersky and ewido again and post the results along with a fresh HijackThis log. I would like to compare the ewido and Kaspersky logs, please.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#7 tpaudet (New Member, 9 posts)

Posted 03 April 2006 - 09:57 PM

Kaspersky log file

Hello Susan, I had class tonight; sorry I wasn't able to complete this earlier. Below are my logs. Thanks for all your help. Tomorrow after work I will run whatever you want me to run, right when I get home. Tim

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 03, 2006 10:47:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 4/04/2006
Kaspersky Anti-Virus database records: 174754
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45829
Number of viruses found: 12
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 00:50:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\.housecall\Quarantine\atmtw.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\crhqd.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\jkvpwf.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\lptxhly.exe.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\piksj.dat.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Owner\.housecall\Quarantine\__delete_on_reboot__pruponj.dll.bac_a00528 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\01E23176.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19032973.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C224B38.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C2B492D.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DB560B8.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4EDF1E13.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\533A4B74.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64870BD8.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\648A35D4.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\648D5FD1.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649109CD.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649433CA.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64975DC6.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649B07C2.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649B07C2.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649E31BF.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64A405B8.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\64A82FB4.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A5B4371.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000017.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000018.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0001011.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002021.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002022.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002024.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002050.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002060.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002078.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002089.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002090.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002091.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002092.exe Infected: Trojan.Win32.VB.ali skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002093.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002101.exe Infected: Trojan.Win32.VB.ali skipped
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002102.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\system32\__delete_on_reboot__pruponj.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

Scan process completed.

#8 tpaudet (New Member, 9 posts)

Posted 03 April 2006 - 09:58 PM

Hijack this log file


Logfile of HijackThis v1.99.1
Scan saved at 4:53:01 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\enl0l13m1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
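
The entries worth acting on in this log are the same kind Susan528 picked out in post #6: a second executable on the Winlogon Shell= line (atmtw.exe), an executable appended after userinit.exe (lptxhly.exe), a Run entry launched from the bare C:\windows folder (mousepad7.exe), and Winlogon Notify DLLs with random-looking names (enl0l13m1.dll here, fpnu0359e.dll in the earlier log). All four locations execute at every logon, and a Winlogon Notify package loads inside winlogon.exe itself, which is one reason ordinary deletion fails. The following Python is an added example, not part of this thread or of HijackThis; its sample lines are copied from the logs posted in this thread, and the allowlist of standard Winlogon Notify packages is an assumption chosen for illustration. Note that the Shell= and UserInit checks work from location rather than name, which is why they catch atmtw.exe and lptxhly.exe despite their unremarkable filenames.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis log in post #8 plus the O20 'Fonts' line
# Susan528 listed in post #6. Constructed sample input for this example.
HJT_SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\enl0l13m1.dll
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\fpnu0359e.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Winlogon Notify packages that ship with Windows XP SP2, plus Intel's igfxcui.
# This allowlist is an assumption of the example, not an exhaustive reference.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# letters-digits-letters inside a file stem, e.g. enl0l13m1 or fpnu0359e;
# a trailing version number such as npjpi150 does not match.
RANDOM_STEM = re.compile(r"[a-z]\d+[a-z]", re.I)


def looks_random(path):
    return bool(RANDOM_STEM.search(PureWindowsPath(path).stem))


def command_exe(cmd):
    """First executable of a Run command: the quoted path, or the text up to '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, path, reason) for each autostart entry that deserves a look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Winlogon\Shell must be exactly Explorer.exe; anything appended runs at every logon.
            for item in line.split("Shell=", 1)[1].split(","):
                item = item.strip()
                if item and item.lower() != "explorer.exe":
                    findings.append(("F2 Shell", item, "extra shell executable"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon\Userinit is 'userinit.exe,'; every later element is a foreign executable.
            items = [i.strip() for i in line.split("UserInit=", 1)[1].split(",") if i.strip()]
            for item in items[1:]:
                findings.append(("F2 UserInit", item, "extra userinit executable"))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - .*?: \[[^\]]*\] (?P<cmd>.*)", line)
            if not m:
                continue  # Global Startup .lnk lines carry no [name]
            exe = command_exe(m.group("cmd").strip())
            parent = str(PureWindowsPath(exe).parent).lower()
            if parent in ("c:\\windows", "c:\\winnt") or looks_random(exe):
                findings.append(("O4 Run", exe, "runs from the Windows root or has a random-looking name"))
        elif line.startswith("O20 - Winlogon Notify:"):
            key, dll = (s.strip() for s in line.split("Winlogon Notify:", 1)[1].split(" - ", 1))
            if key.lower() not in KNOWN_NOTIFY or looks_random(dll):
                findings.append(("O20 Winlogon Notify", dll, "non-standard notify package"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(HJT_SAMPLE):
        print(f"{section:20} {path:48} {reason}")
```

Run against the sample it reports exactly the five entries above and leaves ccApp, jusched and igfxsrvc alone. The name heuristic is deliberately weak: the Qoologic downloader's own Run entry (jkvpwf.exe, visible later in the Trackqoo export) has neither digits in its name nor an odd location, so a filename check alone would miss it; the value of the Shell=, UserInit and Winlogon Notify checks is that they key on where the entry sits, not what it is called.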

#9 tpaudet (New Member, 9 posts)

Posted 03 April 2006 - 10:08 PM

ewido log file

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:52:42 PM, 4/3/2006
+ Report-Checksum: F773CFB1

+ Scan result:

[1052] C:\WINDOWS\system32\pespl.dll -> Adware.Look2Me : Error during cleaning
[1388] C:\WINDOWS\system32\pespl.dll -> Adware.Look2Me : Error during cleaning
[1984] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Cleaned with backup
[2000] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2044] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[924] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1280] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1844] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1876] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1264] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2072] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2108] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2148] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2216] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2264] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[2376] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[4008] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\!KillBox\( 1) -> Downloader.Qoologic.bj : Cleaned with backup
C:\!KillBox\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\!KillBox\__delete_on_reboot__pruponj.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\uninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\WINDOWS\system32\piksj.dat -> Downloader.Qoologic.bj : Cleaned with backup

::Report End
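
The "Error during cleaning" lines in this ewido report and Killbox's "Delete on Reboot" option in step 4 of post #6 are two sides of the same problem. The bracketed number on each line is a process ID: ewido found pruponj.dll mapped into 15 running processes and could unload it from only one of them, and a DLL that is in use cannot be deleted from a running system. Delete-on-reboot tools sidestep that by queueing the deletion in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which smss.exe processes early in the next boot, before those processes exist; that value is also what the Killbox message "PendingFileRenameOperations Registry Data has been Removed by External Process!" refers to. The Python below is an added example, not Killbox's or ewido's own code: it parses ewido result lines for files stuck in processes, queues deletions for them, and encodes and decodes the value's stored format (UTF-16LE, one NUL after each string, one more to close the list, source paths in \??\ form, an empty target meaning delete). Writing to a live registry, via winreg or MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, is left out so the example runs anywhere; the sample report lines are copied from the post above and abridged.

```python
import re

# ewido result lines from post #9 (abridged). A [pid] prefix means the file was
# found loaded inside that process. Constructed sample input for this example.
EWIDO_SAMPLE = r"""
[1052] C:\WINDOWS\system32\pespl.dll -> Adware.Look2Me : Error during cleaning
[1388] C:\WINDOWS\system32\pespl.dll -> Adware.Look2Me : Error during cleaning
[1984] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Cleaned with backup
[2000] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
[924] C:\WINDOWS\system32\pruponj.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\WINDOWS\system32\piksj.dat -> Downloader.Qoologic.bj : Cleaned with backup
"""
EWIDO_LINE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<path>.+?) -> (?P<name>\S+) : (?P<result>.+)$")


def still_loaded(report):
    """Map each file ewido could not clean to the set of PIDs it was loaded in."""
    stuck = {}
    for line in report.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m and m.group("pid") and m.group("result").startswith("Error"):
            stuck.setdefault(m.group("path"), set()).add(int(m.group("pid")))
    return stuck


def nt_path(win_path):
    # Session Manager expects NT object-manager paths, i.e. the \??\ prefix.
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def queue_deletes(existing, files):
    """Append (source, '') delete entries to an existing MULTI_SZ list.
    Appending matters: overwriting would silently drop renames an installer
    had already queued for the same reboot."""
    entries = list(existing)
    queued = {e.lower() for e in entries[0::2]}
    for f in files:
        src = nt_path(f)
        if src.lower() not in queued:
            entries += [src, ""]
            queued.add(src.lower())
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each string NUL-terminated, then one closing NUL, as UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Decode by total length, not by the first double NUL: a delete entry's empty
    target *is* a double NUL in the middle of the data."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing list terminator")
    return text[:-1].split("\0")[:-1]


def naive_decode(raw):
    """What a reader that stops at the first double NUL sees: everything after the
    first delete entry is lost."""
    return raw.decode("utf-16-le").split("\0\0", 1)[0].split("\0")


def as_pairs(entries):
    """(source, target) pairs; target None means delete."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    return [(src, dst or None) for src, dst in zip(entries[0::2], entries[1::2])]


if __name__ == "__main__":
    stuck = still_loaded(EWIDO_SAMPLE)
    for path, pids in stuck.items():
        print(f"{path}: loaded in {len(pids)} process(es) {sorted(pids)}")
    entries = queue_deletes([], sorted(stuck))
    for src, dst in as_pairs(decode_multi_sz(encode_multi_sz(entries))):
        print("delete at boot:" if dst is None else f"rename at boot to {dst}:", src)
```

The decode function is the part worth remembering: because a delete entry is stored as the source path followed by an empty string, the data contains a double NUL before its real end, and a tool that treats the first double NUL as the terminator will show only the first queued file. That is the class of disagreement behind the Killbox note in post #6 about the value being removed or not showing all pasted files, and it is why the example always appends to the existing list and re-reads it by length.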

#10 Susan528 (SuperMember, 3,194 posts)

Posted 04 April 2006 - 03:49 AM

Hello tpaudet,

Please do the following so I can obtain the information to attack the Qoologic monster.

STEP 1.
======
Download WinPFind and Trackqoo
Please download the following tools to assist us in removing this infection.
Do not run programs until asked
Download WinPFind.zip
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!
Download Trackqoo.zip
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!
STEP 2.
======
Run WinPFind
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post
STEP 3.
======
Run Trackqoo
- Reboot into "Normal Mode"
- Double-click on Track qoo.vbs to run it (Note: If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run.)
- Wait a few seconds and a Notepad page will pop up; "Save" the file as trackqoo.txt.
STEP 4.
======
Post Results
Post back a new fresh HJT log
Post the WinPFind.txt file
Post the Trackqoo.txt file

#11 tpaudet (New Member, 9 posts)

Posted 04 April 2006 - 07:47 PM

Susan528, thanks for your help. Hopefully you will find what you need in the logs. Tim

Track qoo log file

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"QAGENT"="C:\\Program Files\\QUICKENW\\QAGENT.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"jcahwd"="C:\\WINDOWS\\system32\\jkvpwf.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido anti-malware\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CE3A44D8-BC88-4D62-A890-42D96245F8D6}


==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Exif Launcher.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

desktop.ini
Exif Launcher.lnk
Microsoft Office.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bdeadmin.cpl Borland Software Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

WinPFind Logfile

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 4/2/2006 5:00:46 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 9/3/2002 11:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 4/4/2006 8:09:28 PM R S 234130 C:\WINDOWS\SYSTEM32\ipmui.dll
ad-w-a-r-e.com 4/4/2006 8:09:28 PM R S 234130 C:\WINDOWS\SYSTEM32\ipmui.dll
WinShutDown 4/3/2006 11:29:54 PM R S 235157 C:\WINDOWS\SYSTEM32\kt20l7fm1.dll
ad-w-a-r-e.com 4/3/2006 11:29:54 PM R S 235157 C:\WINDOWS\SYSTEM32\kt20l7fm1.dll
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 3/9/2006 7:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 7:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 4/3/2006 4:44:26 PM R S 235979 C:\WINDOWS\SYSTEM32\s8puli7918.dll
ad-w-a-r-e.com 4/3/2006 4:44:26 PM R S 235979 C:\WINDOWS\SYSTEM32\s8puli7918.dll
winsync 9/3/2002 12:10:48 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/4/2006 8:20:30 PM S 2048 C:\WINDOWS\bootstat.dat
4/4/2006 8:13:00 PM H 0 C:\WINDOWS\LastGood\INF\oem46.inf
4/4/2006 8:13:00 PM H 0 C:\WINDOWS\LastGood\INF\oem46.PNF
4/4/2006 8:09:28 PM R S 234130 C:\WINDOWS\system32\ipmui.dll
4/3/2006 11:29:54 PM R S 235157 C:\WINDOWS\system32\kt20l7fm1.dll
4/4/2006 8:09:28 PM R S 234318 C:\WINDOWS\system32\l88m0il1e8q.dll
4/4/2006 8:19:28 PM R S 234130 C:\WINDOWS\system32\n0p4la7q1d.dll
4/3/2006 4:44:26 PM R S 235979 C:\WINDOWS\system32\s8puli7918.dll
4/4/2006 8:20:52 PM R S 234318 C:\WINDOWS\system32\wdcltui.dll
4/4/2006 8:20:54 PM H 32768 C:\WINDOWS\system32\config\default.LOG
4/4/2006 8:20:50 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/4/2006 8:20:32 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
4/4/2006 8:20:54 PM H 155648 C:\WINDOWS\system32\config\software.LOG
4/4/2006 8:20:40 PM H 925696 C:\WINDOWS\system32\config\system.LOG
4/3/2006 11:19:44 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
4/2/2006 12:23:04 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\34fc30a1-b61e-4c60-8857-fa82dd67e734
4/2/2006 12:23:04 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
4/4/2006 8:19:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
4/2/2006 4:56:46 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
4/2/2006 4:56:46 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
5/11/2001 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/2/2006 2:49:50 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/12/2001 11:05:14 AM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/25/2005 10:19:02 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/7/2005 6:57:46 PM 1609 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
4/2/2006 10:59:32 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/25/2005 5:00:00 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6/25/2005 10:19:02 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
6/25/2005 5:00:00 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
6/26/2005 12:42:56 AM 12358 C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB
6/26/2005 12:42:56 AM 61678 C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{7E5BE638-E3B2-4DF3-8632-021E637E9A65} = C:\WINDOWS\system32\wdcltui.dll
{978F0747-161B-4681-AE17-1C5CA1AA46F2} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = C:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
=

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{C7768536-96F8-4001-B1A2-90EE21279187} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{C7768536-96F8-4001-B1A2-90EE21279187} = :
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MMTray C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
QAGENT C:\Program Files\QUICKENW\QAGENT.EXE
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,lptxhly.exe
Shell = Explorer.exe, C:\WINDOWS\system32\atmtw.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall
= C:\WINDOWS\system32\l88m0il1e8q.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/4/2006 8:28:11 PM


HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 8:34:19 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\hijackthis\HijackThis.exe
C:\WINDOWS\system32\Notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\atmtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lptxhly.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144199699609
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\n0p4la7q1d.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 06 April 2006 - 04:20 AM

Hello tpaudet,

I am working on another fix but meanwhile please do the following:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive...ib/MSWINSCK.OCX

Let's see what the latest ewido scan will show.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please post the results of the Look2Me and the ewido scan, with a new HijackThis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#13 tpaudet

    New Member

  • Authentic Member
  • 9 posts

Posted 06 April 2006 - 06:12 PM

Wow, the Look2Me-Destroyer took care of a lot of things. It seems much, much better now. Ewido only found one thing.

7:04 PM 4/6/2006
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/6/2006 6:10:03 PM

Infected! C:\WINDOWS\system32\n0p4la7q1d.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000011.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000016.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002015.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002020.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002025.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002030.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002033.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002038.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002041.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002046.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002051.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002058.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002079.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002080.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002081.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002082.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002083.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002084.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002085.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002086.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002094.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002099.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0003097.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP4\A0004099.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004104.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004108.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004122.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004151.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004152.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004153.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP6\A0004162.dll
Infected! C:\WINDOWS\system32\kudlv.dll
Infected! C:\WINDOWS\system32\lv8m09l1e.dll
Infected! C:\WINDOWS\system32\n0p4la7q1d.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\n0p4la7q1d.dll
C:\WINDOWS\system32\n0p4la7q1d.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000011.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000011.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000016.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0000016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002015.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002020.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002020.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002025.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002025.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002030.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002030.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002033.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002033.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002038.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002038.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002041.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002041.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002046.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002046.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002051.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002051.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002058.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002058.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002079.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002079.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002080.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002080.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002081.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002081.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002082.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002082.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002083.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002083.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002084.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002084.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002085.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002085.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002086.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002086.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002094.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002094.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002099.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002099.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0003097.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0003097.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP4\A0004099.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP4\A0004099.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004104.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004104.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004108.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004108.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004122.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004122.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004151.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004151.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004152.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004152.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004153.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP5\A0004153.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP6\A0004162.dll
C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP6\A0004162.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kudlv.dll
C:\WINDOWS\system32\kudlv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv8m09l1e.dll
C:\WINDOWS\system32\lv8m09l1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n0p4la7q1d.dll
C:\WINDOWS\system32\n0p4la7q1d.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7E5BE638-E3B2-4DF3-8632-021E637E9A65}"
HKCR\Clsid\{7E5BE638-E3B2-4DF3-8632-021E637E9A65}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{978F0747-161B-4681-AE17-1C5CA1AA46F2}"
HKCR\Clsid\{978F0747-161B-4681-AE17-1C5CA1AA46F2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:02:19 PM, 4/6/2006
+ Report-Checksum: 6C6B0E36

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup


::Report End

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 7:02:50 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144199699609
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#14 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 07 April 2006 - 05:45 PM

Congratulations Tpaudet,

Your HijackThis log appears to be clean and ewido removed the cookie! You have an old release of Java installed, so be sure to update your Java. Instructions are below!

Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 2. (Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 4.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.


    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure that your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update your Java to the latest version. Uninstall any and all versions you have listed in add/remove programs and install the latest version from here: http://www.java.com/en/

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • More info on how to prevent malware can also be found here (By Tony Klein)
    and here: http://wiki.castleco...nt_Re-infection
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Proud member of ASAP since 2005
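The scan log posted above and Step 3's point about System Restore go together: most of the "Infected!" hits are restore-point copies under System Volume Information, which ordinary deletion cannot reliably clear. As an added example (not the scan tool's or the poster's code), this small Python triage parses lines in that log's format, separates live files from restore-point copies, and lists any live file with no matching "Deleted successfully!" line; the sample log lines are constructed from the format shown in the thread.

```python
"""Triage an "Infected! <path>" scan log: live files vs. System Restore copies.

Added example, not the scan tool's own code. Log lines are constructed in the
same format as the posted log.
"""
import re
from collections import Counter

# Constructed sample in the posted log's format (a subset, not the full log).
SAMPLE_LOG = r"""Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP2\A0002041.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002079.dll
Infected! C:\System Volume Information\_restore{34FA64C6-C1E2-49BB-94BD-B220745C9C6E}\RP3\A0002080.dll
Infected! C:\WINDOWS\system32\kudlv.dll
Infected! C:\WINDOWS\system32\lv8m09l1e.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\kudlv.dll
C:\WINDOWS\system32\kudlv.dll Deleted successfully!
"""

INFECTED_RE = re.compile(r"^Infected!\s+(?P<path>.+?)\s*$")
# System Restore stores per-restore-point copies under
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<nnnnnnn>.<ext>
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)
DELETED_SUFFIX = " Deleted successfully!"


def parse_infected(log_text):
    """Return the paths flagged 'Infected!', in order of appearance."""
    paths = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def triage(paths):
    """Split flagged paths into live files and restore-point copies.

    Returns (live, per_rp): live is the list of paths outside System Restore,
    per_rp counts restore-point copies by restore point name (RP2, RP3, ...).
    """
    live = []
    per_rp = Counter()
    for path in paths:
        m = RESTORE_RE.match(path)
        if m:
            per_rp[m.group("rp").upper()] += 1
        else:
            live.append(path)
    return live, per_rp


def deleted_paths(log_text):
    """Paths the tool reports as deleted."""
    return [
        line[: -len(DELETED_SUFFIX)]
        for line in log_text.splitlines()
        if line.endswith(DELETED_SUFFIX)
    ]


def live_survivors(log_text):
    """Live infected files with no 'Deleted successfully!' line.

    Any survivor means the cleanup was incomplete and the step needs repeating
    (restore-point copies are handled by resetting System Restore instead).
    """
    live, _ = triage(parse_infected(log_text))
    gone = {p.lower() for p in deleted_paths(log_text)}
    return [p for p in live if p.lower() not in gone]


if __name__ == "__main__":
    live, per_rp = triage(parse_infected(SAMPLE_LOG))
    print("live infected files:", live)
    print("restore-point copies:", dict(per_rp))
    print("live files not reported deleted:", live_survivors(SAMPLE_LOG))
```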

