« previous next »
Pages: [1]

Author Topic: Several problems  (Read 1338 times)

Offline cablegui

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Several problems
« on: January 11, 2006, 11:14:28 PM »
I keep on getting pop ups like "trafficsector", "revenuegateway", "hoowah". My computer has become slow too. I had gone to a site to download cracks for a game and thats when all this happened. When I try to shut down I see a program called Doggie which cannot be shut down. I admit I tried to delete some things from the hijack this scan.

My old log is below and I have highlighted what I deleted. I have included my new log after that.

Logfile of HijackThis v1.99.1
Scan saved at 10:24:28 AM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ngpw40.exe
D:\Visual studio\Common7\IDE\devenv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
E:\Neville Andrade\HijackThis.exe
C:\WINDOWS\system32\hpbpro.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsi16.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\iraskxgk.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[color=\"#FF0000\"]O4 - HKLM\..\Run: [searchbar] C:\WINDOWS\system32\vnmispoisn_downloader.exe[/color]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
[color=\"#FF0000\"]O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe[/color]
[color=\"#FF0000\"]O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\owwqpi.exe reg_run[/color]
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsap.exe FI002
[color=\"#FF0000\"]O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe[/color]
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsap.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
[color=\"#FF0000\"]O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)[/color]
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15  Trusted Zone a hrefhttpawbetanetnucleuscom target_blank relnofollowhttpawbetanetnucleuscoma HKLM
color\">
O17 - HKLM\System\CCS\Services\Tcpip\..\{85F790C2-58D1-470C-B292-08624967206B}: NameServer = 202.149.208.92,202.149.208.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
[color=\"#FF0000\"]O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)[/color]
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



My New Scan
--------------

Logfile of HijackThis v1.99.1
Scan saved at 9:22:45 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Neville Andrade\HJT\HijackThis.exe
C:\WINDOWS\system32\hpbpro.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsf4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\iraskxgk.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsr5.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsap.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsap.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{85F790C2-58D1-470C-B292-08624967206B}: NameServer = 202.149.208.92,202.149.208.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Several problems
« Reply #1 on: January 11, 2006, 11:24:42 PM »
Can you do the following please
I just want to check on a few things, let we'll get some tools to clean you up

Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list to your desktop then copy and paste back here the whole contents, thanks
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cablegui

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Several problems
« Reply #2 on: January 11, 2006, 11:34:09 PM »
Here is the list. Thanks for your time.



Adobe Acrobat 5.0
Adobe Reader 6.0
AFPL Ghostscript 8.13
AFPL Ghostscript Fonts
C-Media 3D Audio
dotNETToggle
Google Earth
GSview 4.6
HijackThis 1.99.1
hp LaserJet 1010 Series
hp LaserJet 1160/1320 series
HP Software Update
HQuote
Intel® Extreme Graphics Driver
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Learn Microsoft Visual Basic 6.0 Now
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Shockwave Player
MATLAB 6.1
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft Office XP Professional
Microsoft Visual Basic 6.0 Enterprise Edition
Microsoft Visual Studio .NET Enterprise Architect - English
Microsoft Web Publishing Wizard 1.53
Multimedia Keyboard Driver
Nero - Burning Rom
PivotTable
Post-it® Software Notes Lite
Publicon 1.0
QuickTime
RealPlayer
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
Screensavers Installer
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Symantec AntiVirus
The Options Toolbox v5.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows SR 2.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinJumble
WinZip
Yahoo! Messenger
YETISPORTS Pingu Throw D.C.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Several problems
« Reply #3 on: January 12, 2006, 12:10:38 AM »
Can you do the following please

==Download and Install
Windows Cleanup! 4.0
Don't run this yet

==Please download miekiemoes' LQfix batch here:
http://users.telenet.be/bluepatchy/miekiem...tools/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Don't run a scan yet

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsi16.dll

O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\iraskxgk.dll

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [searchbar] C:\WINDOWS\system32\vnmispoisn_downloader.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\owwqpi.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsap.exe FI002
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsap.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

Access your add/remove programs and remove if you can
Screensavers Installer <-Not sure what this one is related too, if you didn't purposely download it, remove it
Windows SR 2.0

==Double click on LQFix.bat you unzipped earlier to your desktop
Let it finish, A window will open and close

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Don't open any windows as Ewido is running, let it do it's job please

Afterwards, run this scanner, it won't take as long as Ewido
Open Ad-Aware Se 1.06
Click the radio button to "Perform a Full system scan" then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button


Reboot back to Normal mode

Can you post back the following please

1. Post back a fresh hijackthis log
2. Post the whole contents of the Ewido report
3. In addition could you do the following please
Download Trackqoo.zip
Save it to the Desktop

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post

Also, Download Find-Qoologic.zip  and save it to your Desktop.

UNZIP the files inside into their own folder called FindQoologic to the desktop

Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1  for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply

Please try and post all the logs I have asked for, thanks
« Last Edit: January 12, 2006, 12:15:22 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cablegui

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Several problems
« Reply #4 on: January 13, 2006, 12:37:11 AM »
Bump

Hi Guestolo Here are the 4 reports you told me to get. I followed your instructions. Everything seems to be fine now. I don't get any pop ups any more.


________________________________________________________________________________
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
__________________________________________________________

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         10:14:45 AM, 13/1/2006
 + Report-Checksum:      B9AE4794

 + Scan result:

   HKLM\SOFTWARE\Classes\Bridge.brdg -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Bridge.brdg\CLSID -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Bridge.brdg\CurVer -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Bridge.brdg.1 -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{80BB7465-A638-43B5-9827-8E8FE38DFCC1} -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{BFC9677B-8006-4336-9D49-2C797AEFCB9E} -> Dialer.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12} -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{B88A3AF1-4F1B-4400-8FFB-3FCB108CE115} -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Jao.jao -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Jao.jao\CLSID -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Jao.jao\CurVer -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Jao.jao.1 -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{C094876D-1B0E-46FA-B6A6-7FFC0F970C27} -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0} -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
   HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Spyware.BargainBuddy : Cleaned with backup
   HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Security -> Spyware.BargainBuddy : Cleaned with backup
   HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Enum -> Spyware.BargainBuddy : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
   HKU\S-1-5-21-2000478354-1715567821-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
   HKU\S-1-5-21-2000478354-1715567821-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2} -> Spyware.BlazeFind : Cleaned with backup
   HKU\S-1-5-21-2000478354-1715567821-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
   HKU\S-1-5-21-2000478354-1715567821-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
   [756] C:\WINDOWS\system32\wuauclt.dll -> Downloader.Small : Cleaned with backup
   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qxxw.exe -> Downloader.Qoologic.be : Cleaned with backup
   C:\Documents and Settings\mata\Cookies\mata@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
   C:\Documents and Settings\mata\Cookies\mata@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
   C:\Documents and Settings\mata\Cookies\mata@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\mata\Cookies\mata@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Documents and Settings\mata\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\adwsetup_upd.exe -> Dropper.Agent.abb : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\btgrab.cab/polall1b.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\DrTemp\ceres.cab/ceres.dll -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\DrTemp\ceres.cab/spike.exe -> Trojan.Agent.cb : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\DrTemp\ceres.dll -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\DrTemp\INTLRECO.exe -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\DrTemp\mm_reco.exe -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\lc.exe -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\polall1b.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\selassix.tmp -> Spyware.SafeSurfing : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI2777.tmp\farmmext.cab/farmmext.exe -> Spyware.ConsCorr : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI2777.tmp\farmmext.exe -> Spyware.ConsCorr : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI6883.tmp\btgrab.cab/BTGrab.dll -> Spyware.BiSpy : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI6883.tmp\btgrab.cab/polall1b.exe -> Dropper.Small.pv : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI6883.tmp\BTGrab.dll -> Spyware.BiSpy : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temp\THI6883.tmp\polall1b.exe -> Dropper.Small.pv : Cleaned with backup
   C:\Documents and Settings\mata\Local Settings\Temporary Internet Files\Content.IE5\E50R2PU5\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup
   C:\WINDOWS\2_0_1browserhelper2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\inst_FI002.exe -> Spyware.ZenoSearch : Cleaned with backup
   C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\Sngsh40.dll -> Adware.AdBlaster : Cleaned with backup
   C:\WINDOWS\system32\a.exe -> Logger.Briss.c : Cleaned with backup
   C:\WINDOWS\system32\bffvjsv.exe -> Downloader.Qoologic.be : Cleaned with backup
   C:\WINDOWS\system32\bridge.dll -> Logger.Briss.h : Cleaned with backup
   C:\WINDOWS\system32\drivers\erssdd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
   C:\WINDOWS\system32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
   C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINDOWS\system32\irasyncd.exe -> Spyware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\system32\irismon.dll -> Spyware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\system32\irsmwsod.dll -> Adware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\system32\jao.dll -> Logger.Briss.h : Cleaned with backup
   C:\WINDOWS\system32\kffqk.dll -> Downloader.Qoologic.be : Cleaned with backup
   C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
   C:\WINDOWS\system32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup
   C:\WINDOWS\system32\ngsh40.dll -> Adware.AdBlaster : Cleaned with backup
   C:\WINDOWS\system32\nsf4.dll -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\system32\nsi16.dll -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\system32\nsr5.dll -> Spyware.HotSearchBar : Cleaned with backup
   C:\WINDOWS\system32\nsu141.dll -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\system32\nsx32.dll -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\system32\owwqpi.exe -> Downloader.Qoologic.be : Cleaned with backup
   C:\WINDOWS\system32\qwinrsap.exe -> Adware.ZenoSearch : Cleaned with backup
   C:\WINDOWS\system32\rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\system32\ueesiop.dll -> Downloader.Qoologic.be : Cleaned with backup
   C:\WINDOWS\system32\vgactl.cpl -> Downloader.Qoologic.ad : Cleaned with backup
   C:\WINDOWS\system32\wuauclt.dll -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\system32\yppgw.dat -> Downloader.Qoologic.be : Cleaned with backup
   C:\WINDOWS\UnstSA2.exe -> Dropper.Delf.z : Cleaned with backup
   E:\Neville Andrade\HJT\backups\backup-20060113-085754-167.dll -> Spyware.SafeSurfing : Cleaned with backup
   E:\Neville Andrade\HJT\backups\backup-20060113-085754-171.dll -> Adware.EZula : Cleaned with backup
   E:\Neville Andrade\HJT\backups\backup-20060113-085754-866.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


________________________________________________________________________________
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
__________________________________________________________


Find Qoologic last edited 01/08/2006
Running from
E:\Neville Andrade\Solution to comp problem\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
C:\WINDOWS\SYSTEM32\MSXML3A.DLL
C:\WINDOWS\WVVENO.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\kffsmnyn]
@="{2792b7de-27a6-4009-b3bd-49ec97a62b89}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

________________________________________________________________________________
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
__________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 10:48:18 AM, on 13/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
d:\ewido anti-malware\ewidoctrl.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Neville Andrade\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [rmpedjhsc] c:\windows\system32\rmpedjhsc.exe rmpedjhsc
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{85F790C2-58D1-470C-B292-08624967206B}: NameServer = 202.149.208.92,202.149.208.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - d:\ewido anti-malware\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


________________________________________________________________________________
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
________________________________________________________________________________
_
__________________________________________________________


Track qoo report

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CHotkey"="zHotkey.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"StatusClient 2.6"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
@=""
"rmpedjhsc"="c:\\windows\\system32\\rmpedjhsc.exe rmpedjhsc"
"WinampAgent"="D:\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
d:\ewido anti-malware\context.dll

Subkey --- kffsmnyn
{2792b7de-27a6-4009-b3bd-49ec97a62b89}
C:\WINDOWS\system32\kffqk.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Post-it® Software Notes Lite.lnk
==============================
C:\Documents and Settings\mata\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Post-it® Software Notes Lite.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl                    Microsoft Corporation
appwiz.cpl                    Microsoft Corporation
bthprops.cpl                  Microsoft Corporation
desk.cpl                      Microsoft Corporation
firewall.cpl                  Microsoft Corporation
hdwwiz.cpl                    Microsoft Corporation
igfxcpl.cpl                   Intel Corporation
inetcpl.cpl                   Microsoft Corporation
intl.cpl                      Microsoft Corporation
irprops.cpl                   Microsoft Corporation
joy.cpl                       Microsoft Corporation
jpicpl32.cpl                  Sun Microsystems, Inc.
main.cpl                      Microsoft Corporation
mmsys.cpl                     Microsoft Corporation
ncpa.cpl                      Microsoft Corporation
netsetup.cpl                  Microsoft Corporation
nusrmgr.cpl                   Microsoft Corporation
nwc.cpl                       Microsoft Corporation
odbccp32.cpl                  Microsoft Corporation
powercfg.cpl                  Microsoft Corporation
QuickTime.cpl                 Apple Computer, Inc.
sysdm.cpl                     Microsoft Corporation
telephon.cpl                  Microsoft Corporation
timedate.cpl                  Microsoft Corporation
wscui.cpl                     Microsoft Corporation
wuaucpl.cpl                   Microsoft Corporation
Logged
Pages: [1]
« previous next »