Post by: bonedoc on November 12, 2005, 10:02:08 PM
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
and the stupid web-nexus thing.
THanks a bunch
chris
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:58:38 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab (http://\"https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email (http://\"http://by103fd.bay103.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121630781625\")
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab (http://\"https://emr.kcms.msu.edu/TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab\")
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab (http://\"https://emr.kcms.msu.edu/Touchworks/DictateBar.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab (http://\"https://emr.kcms.msu.edu/TouchWorks//Docworks/Chworks/Note/aic_viewer2.cab\")
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab (http://\"http://zone.msn.com/bingame/shpo/default/shapo.cab\")
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe (http://\"http://deposito.hostance.net/dialer/1044446.exe\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab (http://\"http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326 (http://\"http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326\")
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab\")
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab (http://\"https://pacs.bronsonhg.org/public/accuradimage.cab\")
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Post by: guestolo on November 12, 2005, 11:17:51 PM
Download Trackqoo.zip (http://\"http://www.bleepingcomputer.com/files/mosaic1/Trackqoo.zip\")
Save it to the Desktop
Double Click on "Track qoo.vbs"
Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!
Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post
Also, Download Find-Qoologic.zip (http://\"http://downloads.subratam.org/Find-Qoologic.zip\") and save it to your Desktop.
UNZIP the files inside into their own folder called FindQoologic to the desktop
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply
Post by: bonedoc on November 14, 2005, 08:16:21 PM
____
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"DVDTray"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"nForce Tray Options"="sstray.exe /r"
"APD123"="C:\\WINDOWS\\system32\\APD123.exe"
"DVDBitSet"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
"oedaeeh"="C:\\WINDOWS\\oedaeeh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG7\avgse.dll
Subkey --- EzCddax
{46E22146-59C0-4136-9233-52E412E2B428}
C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll
Subkey --- msyyfnqm
{9ea60b27-572a-4dcd-a993-c8919caf377c}
C:\WINDOWS\system32\kqmmf.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
owzz.exe
==============================
C:\Documents and Settings\chris\Start Menu\Programs\Startup
desktop.ini
owzz.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
ImageDrive.cpl Ahead Software AG
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sscpl.cpl NVIDIA Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
------------------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\docume~1\alluse~1\startm~1\programs\startup\OWZZ.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
owzz.exe
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OWZZ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]
@="{9ea60b27-572a-4dcd-a993-c8919caf377c}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
Post by: guestolo on November 14, 2005, 10:02:52 PM
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Don't run it yet
==Download and then Install
Ewido Security Suite (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
Download Pocket Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe (http://\"http://www.downloads.subratam.org/KillBox.exe\")
http://www.atribune.org/downloads/KillBox.exe (http://\"http://www.atribune.org/downloads/KillBox.exe\")
In the event you have killbox, I need you too download this version
Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe (http://\"http://swandog46.geekstogo.com/aproposfix.exe\")
Save it to your desktop but do NOT run it yet.
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
But make sure you include Regedit4
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, well need this later, don't run it yet
Code: [Select]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\CLSID\{9ea60b27-572a-4dcd-a993-c8919caf377c}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]
[-HKEY_LOCAL_MACHINE\Software\qstat]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APD123"=-
"winsync"=-
"oedaeeh"=- Please Save these next instructions to a Notepad file and save it to your Desktop for reference
I need you to disconnect from the Internet
I also need you to disable Ad-aware's Adwatch as it will probably get in the way of any fixes we try
You can reenable it once we know your clean
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options.
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for an alternative method
Once in safe mode
Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
Go to START>>RUN>>copy and paste the following into the Open box and hit OK
sc stop cmdService
and then do the same for this one
sc delete cmdService
Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
Paths to file names below
===============================
C:\WINDOWS\Oqulumfr.dll
C:\WINDOWS\system32\APD123.exe
C:\WINDOWS\system32\pqaawi.exe
C:\WINDOWS\oedaeeh.exe
C:\WINDOWS\Q2hyaXM\command.exe
C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\owzz.exe
C:\Documents and Settings\chris\Start Menu\Programs\Startup\owzz.exe
============================================
Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files.
Find and delete this folder if found
C:\WINDOWS\Q2hyaXM <-this folder
Stay in safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Do another scan with Hijackthis and put a check next to these entries:
R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe (http://\"http://deposito.hostance.net/dialer/1044446.exe\")
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on fix.reg and allow to Merge to the registry
Reboot back to Normal mode
I need to see a few logs, please post them all
1..Run hijackthis again and post a fresh log
2..Post the Whole Report from Ewido's you saved earlier
3.. Run FindQoologic.bat again, choosing option 1 and post the contents of the text file
4. The entire contents of the log.txt file in the aproposfix folder.
Post by: bonedoc on November 16, 2005, 10:57:12 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Logfile of HijackThis v1.99.1
Scan saved at 10:53:06 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab (http://\"https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email (http://\"http://by103fd.bay103.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121630781625\")
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab (http://\"https://emr.kcms.msu.edu/TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab\")
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab (http://\"https://emr.kcms.msu.edu/Touchworks/DictateBar.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab (http://\"https://emr.kcms.msu.edu/TouchWorks//Docworks/Chworks/Note/aic_viewer2.cab\")
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326 (http://\"http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326\")
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab\")
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab (http://\"https://pacs.bronsonhg.org/public/accuradimage.cab\")
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:43:10 PM, 11/16/2005
+ Report-Checksum: DE1BCE50
+ Scan result:
No infected objects found.
::Report End
-------------------------------------------
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\chris\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
-----------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
Post by: guestolo on November 16, 2005, 11:36:49 PM
Still need to get rid of a file
Can you open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
In the File name field copy and paste the next text in bold and click the OPEN button
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
Hijackthis should prompt you the file will be deleted on Reboot>>OK this but don't Reboot yet
Instead
Do another scan with Hijackthis and put a check next to these entries:
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
Can you do the following one more time
Run FindQoologic.bat again, choosing option 1 and post the contents of the text file
Also, from my signature below, take the time to run an Online Virus scan at Panda's
Choose to scan "Local disks"
When the scan is done choose to SAVE A REPORT
Save the report and then come back here and post the contents
Also post a fresh hijackthis log
Post by: bonedoc on November 17, 2005, 08:12:50 PM
Scan saved at 6:16:15 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab (http://\"https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email (http://\"http://by103fd.bay103.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121630781625\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab (http://\"https://emr.kcms.msu.edu/TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab\")
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab (http://\"https://emr.kcms.msu.edu/Touchworks/DictateBar.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab (http://\"https://emr.kcms.msu.edu/TouchWorks//Docworks/Chworks/Note/aic_viewer2.cab\")
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326 (http://\"http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326\")
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab\")
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab (http://\"https://pacs.bronsonhg.org/public/accuradimage.cab\")
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------\
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
---------------------------------------------------------------
Incident Status Location
Adware:Adware/BookedSpace No disinfected C:\!KillBox\Oqulumfr.dll
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\owzz.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\pqaawi.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\WGUUP.DAT
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Installer.class]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\System Files\plugin.dll
Adware:adware/ncase No disinfected C:\WINDOWS\180ax_gdf.dat
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF
Adware:adware program No disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini
Post by: guestolo on November 18, 2005, 06:16:49 PM
Enter the Windows Control Panel and double click on the Java Icon
Under the General tab
Delete Files>>OK it
Or
Under the Cache tab>>Clear Cache
Can you copy and paste these instructions to Notepad again
Reboot back into safe mode
Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
Paths to file names below
===============================
C:\WINDOWS\180ax_gdf.dat
C:\WINDOWS\bsx32.ini
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\Downloaded Program Files\mm63.INF
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\usta33.ini
C:\Program Files\System Files\plugin.dll
============================================
Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files.
Find and delete this folder if found
C:\Program Files\System Files <-this folder
Reboot back to Normal mode and post one more hijackthis log
Let me know how things are running
Post by: bonedoc on November 19, 2005, 08:05:29 PM
Scan saved at 8:04:50 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab (http://\"https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email (http://\"http://by103fd.bay103.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121630781625\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab (http://\"https://emr.kcms.msu.edu/TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab\")
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab (http://\"https://emr.kcms.msu.edu/Touchworks/DictateBar.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab (http://\"https://emr.kcms.msu.edu/TouchWorks//Docworks/Chworks/Note/aic_viewer2.cab\")
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326 (http://\"http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326\")
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab\")
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab (http://\"https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab\")
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab (http://\"https://pacs.bronsonhg.org/public/accuradimage.cab\")
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Post by: guestolo on November 19, 2005, 09:35:39 PM
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down too IE-SPYAD (original) or
IE-SPYAD2>>Use one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2
Quote
If you ever need any orthopedic surgery advice, feel free to askI may take you up on that someday
(http://www.bildschirmarbeiter.com/images/krank.gif)
Stay safe
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: bonedoc on November 19, 2005, 11:47:00 PM
Post by: guestolo on November 20, 2005, 12:41:16 AM
Left click to highlight WebNexus
Then select the "Delete this Entry" button
YES to the prompt
Exit Hijackthis
Check your Add/Remove programs
EDIT>>Forgot to add, go back and enable Ad-Watch