Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

ewrmets

29 Posts

1573

October 10th, 2006 23:00

HiJack this log

Logfile of HijackThis v1.99.1
Scan saved at 8:21:25 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1125339851\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1125339851\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1125339851\ee\aolsoftware.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\windows\system32\_mzu_stonedrv3.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
c:\program files\common files\aol\1125339851\ee\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Eric\LOCALS~1\Temp\5EA16384.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\Z3933DGK\vundofix[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.bu.edu/proxy/law.pac  
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {412199EF-77FB-80C8-487C-0228E7B8E6C8} - C:\WINDOWS\system32\alitvze.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125339851\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rtscuse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rtscuse.dll,wqyflbd
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Eric\LOCALS~1\Temp\5EA3072.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Eric\LOCALS~1\Temp\5EA16384.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
 

bamajim

10.4K Posts

October 11th, 2006 14:00


ewrmets

1. Go here and Download AVG Anti-Spyware
( 30 day free trial version) Save it to Your Desktop
 
Double Click AVG Anti-Spyware-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
  • Under "Your computers Security"
    Click change status on Resident shield to inactive
    Click Update now (next to last update)
    After the update loads
    Under Automatic updates Uncheck download and install updates automatically(recommended)
    (you can always select maual updates the next day)
At the top toolbar Click Scanner Then the settings tab
  • Under How to act? Set default action for detected malwareTo Quarantine
    Under how to scan All boxes should be checked
    Under Possibly unwanted software All boxes should be checked
    Under reports Select Automatically generate report after every scan
    Uncheck Only if threats were found
    Under what to scan Scan every file should be highlited
Exit AVG(But do not run it yet)

2. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As" ) in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Reboot into Safe Mode
This can be done by
  • Restart your PC, and after it starts, but before you see the Windows Splash screen
    Begin tapping the F8 key twice a second untill you reach another menu screen (black background with white menu choices)
    Use your arrow keys and select Safe Mode and then Enter
4. Run AVG Anti-Spyware
  • Click scanner
    Select Complete system scan

Once the scan finishes
  • Select Apply all actions (The items found will be quarantined)
    Click save report as (Another window will open)
    Save it to your desktop
    (By default It will be saved in the AVG folder as)
    C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Exit AVG

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon user posted imageand select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Reboot your PC in Normal Mode->>Re run Hijackthis and post a fresh Hijackthis log.
  • Double click the report-scan txt. you saved to your desktop
    It will open in Notepad
    Copy and paste that report as a reply to this thread
Your reply should include
  • a fresh hijackthis log
    your report_scan.txt from AVG
    bamajim   Graduate of Malware Removal University

    ALgal

    1.2K Posts

    October 11th, 2006 14:00

    Sorry bamajim- you beat me to it!

    Message Edited by ALgal on 10-11-2006 10:57 AM

    ewrmets

    29 Posts

    October 11th, 2006 19:00

    Logfile of HijackThis v1.99.1
    Scan saved at 4:09:29 PM, on 10/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\AOL\1125339851\ee\AOLSoftware.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\windows\system32\_mzu_stonedrv3.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\common files\aol\1125339851\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1125339851\ee\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.bu.edu/proxy/law.pac  
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {412199EF-77FB-80C8-487C-0228E7B8E6C8} - C:\WINDOWS\system32\alitvze.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125339851\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [rtscuse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rtscuse.dll,wqyflbd
    O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
    O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Eric\LOCALS~1\Temp\5EA16384.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
    O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
     

    ewrmets

    29 Posts

    October 11th, 2006 19:00

    I ran AVG before this, and it deleted a lot of the bad stuff.
     
     Created at: 4:00:26 PM 10/11/2006
     + Scan result: 
     
    C:\Documents and Settings\Eric\Cookies\eric@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.

    ::Report end
     

    bamajim

    10.4K Posts

    October 11th, 2006 20:00


    ewrmets

    I noticed you already had AVG, but I needed it to be run in that sequence.

    First Download CCleaner from here to clean temp files from your computer.

    • Double click on the file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location. Click Install then finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    • Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours."
    • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    • After CCleaner has completed its process, click Exit.

    Next Please download the Killbox.
    • 1) Save it to the desktop and run it.
      2) Select " Delete on Reboot", and then select "All files".
      3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

      • C:\WINDOWS\system32\rtscuse.dll
        C:\windows\system32\_mzu_stonedrv3.exe
        C:\WINDOWS\system32\alitvze.dll

      4) Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
      5) Click the red-and-white " Delete File" button.  Click " Yes" at the Delete on Reboot prompt.  Click " No" at the Pending Operations prompt.
    Do not reboot yet

    Next Rerun Hijackthis and place checks beside the following entries
    • O2 - BHO: (no name) - {412199EF-77FB-80C8-487C-0228E7B8E6C8} - C:\WINDOWS\system32\alitvze.dll
      O4 - HKLM\..\Run: [rtscuse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rtscuse.dll,wqyflbd
      O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
      O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
      O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Eric\LOCALS~1\Temp\5EA16384.exe

    Close all other open windows except Hijackthis and Select " Fix checked"

    Reboot your PC->>Rerun Hijackthis and post a fresh Hijackthis log
     
    bamajim   Graduate of Malware Removal University

    ewrmets

    29 Posts

    October 14th, 2006 14:00

    looking thru my system32, i still have this file MZU_DRV.sys
     
    I imagine this is a trojan...what should I do with it?

    ewrmets

    29 Posts

    October 14th, 2006 14:00

    I'm getting constant Windows serious error messages now. I don't know if this is related to the spyware but I think it is. Here is my latest log.
     
    Logfile of HijackThis v1.99.1
    Scan saved at 11:34:08 AM, on 10/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125339851\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160680905265
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
    O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
     

    ewrmets

    29 Posts

    October 14th, 2006 18:00

    I also have image1.gif.exe and taskdir.exe in my system32 folder

    bamajim

    10.4K Posts

    October 15th, 2006 23:00

    ewrments

    Of the files you mentioned
    • C:\WINDOWS\system32\image1.gif.exe
      C:\WINDOWS\system32\taskdir.exe
      C:\WINDOWS\System32\MZU_DRV.sys

    The first 2 can be deleted, lets hold off on the third fro a bit, as it is a drv.system file.

    Run an online virus scan called Kaspersky from HERE.
    • 1. Click on " Kaspersky Online Scanner"
      2. A new smaller window will pop up. Press on " Accept". After reading the contents.
      3. Now Kaspersky will update the anti-virus database. Let it run.
      4. Click on " Next"->>" Scan Settings", and make sure the database is set to " extended". And check both the scan options. Then click OK.
      5. Then click on " My Computer". And the scan will start.
      6. Once finished, save a log as ". txt" to the desktop.

    Copy and post the results of the Kaspersky Online scan
     
    bamajim   Graduate of Malware Removal University




    ewrmets

    29 Posts

    October 17th, 2006 17:00

    This is the error message I saw that I am getting by looking at the event log, before my computer gives me the blue screen and autoreboots.

    The description for Event ID ( 19011 ) in Source ( MSSQL$MICROSOFTBCM ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: (SpnRegister) : Error 1355.

    bamajim

    10.4K Posts

    October 17th, 2006 18:00

    ewrmets
     
    May or may not be spyware related, I see some infected files, but nothing that would crash the PC.
     
    Are you able to get into Safe Mode?
     
    bamajim   Graduate of Malware Removal University

    ewrmets

    29 Posts

    October 17th, 2006 19:00

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, October 17, 2006 4:48:48 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 17/10/2006
    Kaspersky Anti-Virus database records: 232548
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 100270
    Number of viruses found: 18
    Number of infected objects: 59 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 02:31:57

    Infected Object Name / Virus Name / Last Action
    C:\!KillBox\ALITVZE.0LL Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\!KillBox\alitvze.dll( 1) Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\!KillBox\_MZU_STONEDRV3.0XE Infected: Trojan-Dropper.Win32.Agent.axo skipped
    C:\!KillBox\_mzu_stonedrv3.exe( 2) Infected: Trojan-Dropper.Win32.Agent.axo skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061017_Time-113248015_EnterceptExceptions.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061017_Time-113248015_EnterceptRules.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_IBM-8ED559565E4.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_IBM-8ED559565E4.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-17_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\history.dat Object is locked skipped
    C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\key3.db Object is locked skipped
    C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Eric\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Application Data\Mozilla\Firefox\Profiles\5l3plxs2.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\History\History.IE5\MSHist012006101720061018\index.dat Object is locked skipped
    C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Eric\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Eric\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\hijackthis\backups\BACKUP-20061011-202557-873.0LL Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
    C:\QUARANTINE\count.jar-ad16d65-3113de18.zip.Vir/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
    C:\QUARANTINE\count.jar-ad16d65-3113de18.zip.Vir/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
    C:\QUARANTINE\count.jar-ad16d65-3113de18.zip.Vir/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\QUARANTINE\count.jar-ad16d65-3113de18.zip.Vir ZIP: infected - 3 skipped
    C:\QUARANTINE\java.jar-debb6b6-3249f638.zip.Vir/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
    C:\QUARANTINE\java.jar-debb6b6-3249f638.zip.Vir/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
    C:\QUARANTINE\java.jar-debb6b6-3249f638.zip.Vir ZIP: infected - 2 skipped
    C:\RECYCLER\S-1-5-21-2625220729-1855562266-3622855798-1005\Dc123.old Infected: Trojan-Proxy.Win32.Small.bo skipped
    C:\RECYCLER\S-1-5-21-2625220729-1855562266-3622855798-1005\Dc124.old Infected: Trojan-Proxy.Win32.Small.bo skipped
    C:\RECYCLER\S-1-5-21-2625220729-1855562266-3622855798-1005\Dc3557.0XE Infected: Trojan-Proxy.Win32.Lager.dt skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP264\A0050659.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP264\A0050659.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP264\A0050659.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP264\A0050659.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP264\A0050659.exe NSIS: infected - 4 skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP272\A0059491.0LL Infected: Trojan.Win32.Crypt.o skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP278\A0060606.0LL Infected: Trojan.Win32.Crypt.o skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064217.0XE Infected: Trojan-Downloader.Win32.Small.abd skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064218.0XE Infected: Trojan-Dropper.Win32.Agent.hl skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064219.0LL Infected: Trojan.Win32.Crypt.o skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064220.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064221.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064222.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064223.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064224.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064225.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP287\A0064226.0LL Infected: Trojan-Downloader.Win32.Agent.yf skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0067935.0LL Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0067959.exe Infected: not-virus:Hoax.Win32.Renos.fm skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0068926.0LL Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0068968.0XE Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0068969.0XE Infected: Trojan-Proxy.Win32.Lager.dt skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0069048.0XE Infected: Trojan-Downloader.Win32.Tibs.im skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0069049.0XE Infected: Trojan-Downloader.Win32.Tibs.im skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0069050.exe Infected: not-virus:Hoax.Win32.Renos.fm skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0069051.0XE Infected: Trojan-Downloader.Win32.Small.dul skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0069052.0XE Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0070499.0XE Infected: Trojan-Dropper.Win32.Agent.axo skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP314\A0070500.0LL Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP339\A0091848.0YS Infected: Trojan-Proxy.Win32.Small.bo skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP340\A0092891.0XE Infected: Trojan-Proxy.Win32.Lager.dt skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP340\A0092898.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP340\A0092899.dll Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP340\A0092900.dll Infected: Trojan-Downloader.Win32.Busky.i skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP340\A0092901.exe Infected: Trojan-Dropper.Win32.Agent.axo skipped
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP348\change.log Object is locked skipped
    C:\WINDOWS\COMDLJ32.0LL Infected: Trojan-Proxy.Win32.Agent.ji skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Eim03.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
    C:\WINDOWS\Eim03.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
    C:\WINDOWS\Eim03.exe NSIS: infected - 2 skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\mmf.sys Object is locked skipped
    C:\WINDOWS\system32\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
    C:\WINDOWS\system32\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
    C:\WINDOWS\system32\Tagasuarus5.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
    C:\WINDOWS\system32\Tagasuarus5.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
    C:\WINDOWS\system32\Tagasuarus5.exe NSIS: infected - 4 skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_434.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    ewrmets

    29 Posts

    October 17th, 2006 19:00

    I think it is spyware related cuz it did not occur until after a tried to fight this spyware. I can get into safe mode and also can run in normal. I just get that blue screen and autoreboot a few times a day.

    bamajim

    10.4K Posts

    October 17th, 2006 20:00


    ewrmets

    First Using Windows Explorer
    • (Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
    Locate and delete the following files

    C:\WINDOWS\system32\Tagasuarus5.exe
    C:\WINDOWS\Eim03.exe
    C:\WINDOWS\COMDLJ32.0LL
    Close windows explorer->>Reboot your PC->>Rerun Hijackthis and post a fresh Hijackthis log

    Next Here is a LINK to address the error message you are receiving
     
    bamajim   Graduate of Malware Removal University




    Was this post helpful?

    View All

    0 events found

    No Events found!

    Top