
August 13th, 2005 16:00

hjt log - aurora

Logfile of HijackThis v1.99.1
Scan saved at 11:22:20 AM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mmxfdll.EXE
C:\WINDOWS\pwslenc.EXE
C:\WINDOWS\system32\a3d59041.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\WINDOWS\XTQCDLL.EXE
C:\WINDOWS\system32\aaanja.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sysmonnt.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\cozhsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CB77E21E-0062-0E60-E7E1-D41BD80CA100} - C:\RECYCLER\S-1-5-21-2504047931-3360913155-2190084768-1003\Dc41\xvvgglkhuo.dll (file missing)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmxfdll] C:\WINDOWS\mmxfdll.EXE
O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.EXE
O4 - HKLM\..\Run: [620afaaa4449] C:\WINDOWS\system32\a3d59041.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [vyyvsnv] C:\WINDOWS\system32\lzdggwg.exe r
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe
 


August 14th, 2005 20:00

Hi there, and welcome to the forums!

 

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

The first thing you need to do is the following:

Download the trial version of http://www.ewido.net/en/download/. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download http://www.noidea.us/easyfile/file.php?download=20050515010747824. Unzip it to the desktop but please do NOT run it yet.

 

  • Click Start.
  • Select Shutdown.
  • Select Restart and click OK.
  • During restart, hold down the F8 key on your keyboard until the Windows Startup menu appears.
  • If your PC starts beeping then release the key for a few seconds before holding it down again.
  • Select Safe Mode from the Startup menu, and press the Enter button on your keyboard.
  • Windows should start in Safe Mode. If Windows doesn't restart in Safe Mode then please try again.

 

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

 

Next, run Ewido:

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again.
3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll

O2 - BHO: (no name) - {CB77E21E-0062-0E60-E7E1-D41BD80CA100} - C:\RECYCLER\S-1-5-21-2504047931-3360913155-2190084768-1003\Dc41\xvvgglkhuo.dll (file missing)

O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll

O4 - HKLM\..\Run: [mmxfdll] C:\WINDOWS\mmxfdll.EXE

O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.EXE

O4 - HKLM\..\Run: [620afaaa4449] C:\WINDOWS\system32\a3d59041.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run

O4 - HKLM\..\Run: [vyyvsnv] C:\WINDOWS\system32\lzdggwg.exe r

O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK.

 

Search for and delete these files (if present):

C:\WINDOWS\System32\sysmonnt.exe

C:\WINDOWS\system32\lzdggwg.exe

C:\WINDOWS\system32\a3d59041.exe

C:\WINDOWS\pwslenc.EXE

Post back a fresh HijackThis log and the Ewido log as well; we will then take another look.


Mat2

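As an added example (not from this thread, and not part of HijackThis itself), the following Python script encodes the reasoning behind the fix list above: a system.ini Shell= value carrying anything besides Explorer.exe is a shell hijack (the Nail.exe line), "(file missing)" and "(no file)" entries are orphaned hooks, autoruns living directly under C:\WINDOWS or System32 with random-looking names earn points, and a service with an unknown owner earns one more. The point weights, the 3-point "fix" threshold and the random-name heuristic are assumptions of this example; the sample lines are copied from the first log in the thread.

```python
import re

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [620afaaa4449] C:\WINDOWS\system32\a3d59041.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

EXE_EXT = r"(?:exe|dll|cmd|bat|com|scr|pif)"
TARGET_RE = re.compile(r"^(.+?\." + EXE_EXT + r")(?:\s|$)", re.I)
# A file directly under C:\WINDOWS or C:\WINDOWS\system32, with no deeper folder.
WIN_ROOT_RE = re.compile(r"^(?:[a-z]:\\windows|%systemroot%)\\(?:system32\\)?[^\\]+$", re.I)
O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")

def split_flags(text):
    """Peel trailing '(file missing)', '(no file)', '(HKCU)' markers off a path."""
    flags = []
    while (m := re.search(r"\s*\(([^()]*)\)\s*$", text)):
        flags.append(m.group(1).lower())
        text = text[:m.start()]
    return text.strip(), flags

def extract_target(text):
    """Split 'path [args]'; the path may be quoted, unquoted with spaces, or extension-less."""
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end], text[end + 1:].strip()
    if (m := TARGET_RE.match(text)):
        return m.group(1), text[m.end():].strip()
    head, _, tail = text.partition(" ")
    return head, tail.strip()

def looks_random(name):
    """Letters mixed with digits, or no vowels at all, in a name of 5+ characters."""
    name = name.lower()
    mixed = any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
    return len(name) >= 5 and (mixed or not any(c in "aeiou" for c in name))

def assess(line):
    """Return (points, reason) hits for one log line; weights are this example's assumption."""
    hits = []
    kind = line.split(" - ", 1)[0]
    run_name = owner = None
    if kind == "F2":
        m = F2_RE.match(line)
        if m and m.group(1).lower() == "shell":
            path, args = extract_target(m.group(2))
            if path.lower() != "explorer.exe" or args:  # the Nail.exe case
                hits.append((5, "shell hijack: system.ini Shell= is not plain Explorer.exe"))
        return hits
    if kind == "O4" and (m := O4_RE.match(line)):
        run_name, path_text = m.group(2), m.group(3)
    elif kind in ("O2", "O3", "O23"):
        *_, owner, path_text = line.split(" - ")
        owner = owner if kind == "O23" else None
    else:
        return hits
    path_text, flags = split_flags(path_text)
    if "file missing" in flags or "no file" in flags:
        hits.append((2, "orphaned entry: target file is missing"))
    if owner and owner.lower() == "unknown owner":
        hits.append((1, "service has no known owner"))
    if not path_text:
        return hits
    path, _ = extract_target(path_text)
    stem = re.sub(r"\.\w+$", "", path.rsplit("\\", 1)[-1])
    if WIN_ROOT_RE.match(path):
        hits.append((2, "target sits directly in the Windows or System32 folder"))
    if looks_random(stem):
        hits.append((1, "random-looking file name"))
    if run_name is not None:
        if looks_random(run_name) and run_name.lower() != stem.lower():
            hits.append((1, "random-looking Run value name that differs from the file name"))
        if not re.search(r"\." + EXE_EXT + r"$", path, re.I):
            hits.append((1, "Run target has no recognised executable extension"))
    return hits

def triage(log_text):
    """Rows of (tier, score, reasons, line), highest score first.  3+ points: fix in
    HijackThis; 1-2: look the file up by hand before touching it; 0: leave alone."""
    rows = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        hits = assess(line)
        score = sum(p for p, _ in hits)
        rank = "fix" if score >= 3 else "review" if score else "ok"
        rows.append((rank, score, [why for _, why in hits], line))
    return sorted(rows, key=lambda r: -r[1])
```

Entries that land in the "review" tier, such as the winsync/aaanja.exe line here, are exactly the ones a helper looks up by hand before deciding; the heuristics rank entries, they do not decide.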


August 14th, 2005 20:00

Hi & Welcome

 

I would be glad to help you with your computer problems. HijackThis logs take a while to research. Please be patient with me. I know that you want your problems solved quickly, and I will work hard to help you.

 Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.

2. Please reply to this thread. Do not start a new topic. If you can do those two things, everything should go smoothly.

 


Mat2



August 15th, 2005 14:00

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------
 + Created on:   8:24:29 AM, 8/15/2005
 + Report-Checksum:  E8D1493E
 + Scan result:
 HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Ignored
 HKLM\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} -> Spyware.Hijacker.Generic : Ignored
 HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Ignored
 HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Ignored
 HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Ignored
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} -> Spyware.Hijacker.Generic : Ignored
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Ignored
 HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} -> Spyware.Hijacker.Generic : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-59D4-4008-9058-080011001200} -> Spyware.VX2 : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A0A40C-F432-4C59-BA11-B25D142C7AB7} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0982868C-47F0-4EFB-A664-C7B0B1015808} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12EE7A5E-0674-42F9-A76A-000000004D00} -> Spyware.BrowserAid : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12EE7A5E-0674-42F9-A76B-000000004D00} -> Spyware.BrowserAid : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25F7FA20-3FC3-11D7-B487-00D05990014C} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} -> Spyware.Hijacker.Generic : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{832BEBED-C3DA-4534-A2C2-B2FFF220C820} -> Spyware.Hijacker.Generic : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} -> Spyware.FizzleWizzle : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{94927A13-4AAA-476A-989D-392456427688} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} -> Spyware.BargainBuddy : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C109664B-CEB1-420B-B353-D55A561536DD} -> Spyware.AdShooter : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC916B4B-BE44-4026-A19D-8C74BBD23361} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB} -> Spyware.ClientMan : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\WinUpdt -> Spyware.SecondThought : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2 -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2\eeennn -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2\kkws -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2\ppops -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2\reel -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\_rtneg2\ssites -> Spyware.Begin2Search : Ignored
 HKU\S-1-5-21-2504047931-3360913155-2190084768-1003\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Ignored
 HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq112.tmp -> Spyware.MyWay : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq113.tmp -> Spyware.MyWay : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq114.tmp -> Spyware.MyWay : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq115.tmp -> TrojanDownloader.Small.aly : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq116.tmp -> TrojanDownloader.Braidupdate.d : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq117.tmp -> TrojanDownloader.Agent.hw : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq2D.tmp -> Spyware.Cookie.2o7 : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq30.tmp -> Spyware.Cookie.Advertising : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq31.tmp -> Spyware.Cookie.Atdmt : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq33.tmp -> Spyware.Cookie.Bfast : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq34.tmp -> Spyware.Cookie.Bluestreak : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq35.tmp -> Spyware.Cookie.Burstnet : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq37.tmp -> Spyware.Cookie.Coremetrics : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq38.tmp -> Spyware.Cookie.Doubleclick : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq39.tmp -> Spyware.Cookie.Ru4 : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3A.tmp -> Spyware.Cookie.Hitbox : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3B.tmp -> Spyware.Cookie.Hitbox : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3C.tmp -> Spyware.Cookie.Fastclick : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3D.tmp -> Spyware.Cookie.Mediaplex : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3E.tmp -> Spyware.Cookie.Questionmarket : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq3F.tmp -> Spyware.Cookie.Revenue : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq41.tmp -> Spyware.Cookie.Advertising : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq42.tmp -> Spyware.Cookie.Targetnet : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq43.tmp -> Spyware.Cookie.Trafficmp : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq44.tmp -> Spyware.Cookie.Tribalfusion : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq45.tmp -> Spyware.Cookie.Valueclick : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq46.tmp -> Spyware.Cookie.Adserver : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq51.tmp\EECH1.bsx -> Spyware.BookedSpace : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq51.tmp\SPZ3.bsx -> Spyware.BookedSpace : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq60.tmp\MediaPassC.dll -> Spyware.WinAD : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq73.tmp -> TrojanDownloader.Apropo.r : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq75.tmp -> Trojan.Small.i : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq76.tmp -> Trojan.Small.i : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq83.tmp -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq8C.tmp -> Spyware.EliteBar : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq8F.tmp -> Spyware.Hijacker.Generic : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqB0.tmp -> Trojan.Pakes : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqB2.tmp -> Trojan.Pakes : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqB6.tmp -> Spyware.180Solutions : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqE9.tmp -> Trojan.Pakes : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqEA.tmp -> Trojan.Pakes : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqEC.tmp -> Spyware.MediaPass : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqED.tmp -> Spyware.WinAD : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF8.tmp -> Spyware.Hijacker.Generic : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqF9.tmp -> Spyware.Hijacker.Generic : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFB.tmp/Program Files/AdDestroyer/AdDestroyer.exe -> Spyware.VirtualBouncer : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFC.tmp -> Spyware.AproposMedia : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFF.tmp/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFF.tmp/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy : Ignored
-----


August 15th, 2005 14:00

Thanks for the help Mat2!
 
I completed the instructions and have attached a fresh HJT log and Ewido log (separate post, it's very large)
 
Note that I did not find two of the .exe files you had me looking for:
 
O4 - HKLM\..\Run: [vyyvsnv] C:\WINDOWS\system32\lzdggwg.exe r
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
 
 
Logfile of HijackThis v1.99.1
Scan saved at 8:56:47 AM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mmxfdll.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\XTQCDLL.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\aaanja.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\cozhsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmxfdll] C:\WINDOWS\mmxfdll.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [barncgy] C:\WINDOWS\system32\mdilhq.exe r
O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe
 
 
 

139 Posts

August 15th, 2005 14:00

Hi

 

Thanks for your logs, i will go over them and reply shortly.

 


16 Posts

August 15th, 2005 14:00

 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFF.tmp/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Ignored
 C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqFF.tmp/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Ignored
 C:\Documents and Settings\All Users\Application Data\msw\BMan.exe -> Spyware.MSWSearch : Ignored
 C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe -> Spyware.Searcher : Ignored
 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddda.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt -> Spyware.Cookie.Bfast : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> Spyware.Cookie.Burstnet : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@cz6.clickzs[2].txt -> Spyware.Cookie.Clickzs : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@cz8.clickzs[1].txt -> Spyware.Cookie.Clickzs : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkyujdjmeo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgkiqgcjcfo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycodpcdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkygocjebq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@ehg-playboy.hitbox[1].txt -> Spyware.Cookie.Hitbox : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@oewabox[1].txt -> Spyware.Cookie.Oewabox : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@phg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@rccl.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt -> Spyware.Cookie.Statcounter : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@vip.clickzs[2].txt -> Spyware.Cookie.Clickzs : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@www.belstat[2].txt -> Spyware.Cookie.Belstat : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[2].txt -> Spyware.Cookie.Burstnet : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\AAE\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\ckz.tmp13f8d89c\SilentInstallW32.exe -> Spyware.GogoTools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\ckz.tmp13f8e638\SilentInstallW32.exe -> Spyware.GogoTools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\ckz.tmp13f8ec14\SilentInstallW32.exe -> Spyware.GogoTools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\ckz.tmpeafe24\SilentInstallW32.exe -> Spyware.GogoTools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\f1486322906.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\f16052781.exe -> TrojanDownloader.Qoologic.q : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\f16053187.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\f347097171.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\FGX\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\nst24.EXE -> Spyware.SmartPops : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\PEY\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0076 -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr475D -> TrojanDownloader.Apropo.w : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr961E\WSup.exe -> Spyware.Wintools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr961E\WToolsA.exe -> Spyware.Wintools : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA07A -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA841\PIB.exe -> Spyware.WebSearch : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.frCAA3 -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\temp.frE244 -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\toc_0011.exe -> TrojanDownloader.Agent.jq : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\toc_0032.exe -> TrojanDownloader.Agent.jq : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\TUC\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\XBT\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\XMM\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\XSQ\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\YJH\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temp\ZCB\aurareco.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5AVQRKH\banner[2].cab/banner.dll -> Spyware.Banex : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I5GRQ165\protector_update[1].exe -> Spyware.Hijacker.Generic : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S1S5UN8D\protector_update[1].exe -> Spyware.Hijacker.Generic : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S3JLTFZS\aun_0032[1].exe -> TrojanDownloader.Small.akz : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S3JLTFZS\joysaver[1].cab/m67m.ocx -> Spyware.MediaMotor : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U96DK7OV\banner[2].cab/banner.dll -> Spyware.Banex : Ignored
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXG4T6B3\banner[1].cab/banner.dll -> Spyware.Banex : Ignored
 C:\Program Files\Common Files\qwoi\qwoil.exe -> TrojanDownloader.TSUpdate.j : Ignored
 C:\Program Files\Common Files\qwoi\qwoip.exe -> Spyware.Xupiter : Ignored
 C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Ignored
 C:\RECYCLER\NPROTECT\00034839.exe -> Adware.BetterInternet : Ignored
 C:\RECYCLER\NPROTECT\00034841.exe -> Adware.BetterInternet : Ignored
 C:\RECYCLER\NPROTECT\00034842.exe -> Adware.BetterInternet : Ignored
 C:\RECYCLER\NPROTECT\00034908.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034910.exe -> Adware.BetterInternet : Ignored
 C:\RECYCLER\NPROTECT\00034911.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034913.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034915.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034916.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034920.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034922.exe -> Trojan.Agent.cp : Ignored
 C:\RECYCLER\NPROTECT\00034923.exe -> Trojan.Agent.cp : Ignored
 C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Ignored
 C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Ignored
 C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Ignored
 C:\WINDOWS\cozhsvc.exe -> TrojanDropper.Agent.mu : Ignored
 C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Ignored
 C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Ignored
 C:\WINDOWS\mmxfdll.exe -> TrojanDownloader.VB.hj : Ignored
 C:\WINDOWS\pss\ddda.exeCommon Startup -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\pwslenc.exe -> TrojanDownloader.VB.hj : Ignored
 C:\WINDOWS\stwlcvrd.exe -> Spyware.BookedSpace : Ignored
 C:\WINDOWS\system32\a3d59041.exe -> Spyware.UrlSpy : Ignored
 C:\WINDOWS\system32\aaanja.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\system32\activeds.exe -> Spyware.UrlSpy : Ignored
 C:\WINDOWS\system32\adsnt474.exe -> Spyware.UrlSpy : Ignored
 C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\Cache\Advtg.exe -> Adware.eZula : Ignored
 C:\WINDOWS\system32\Cache\AUNIcons.exe -> TrojanDownloader.Agent.jq : Ignored
 C:\WINDOWS\system32\Cache\bs5-va-egihsg.exe -> Spyware.BookedSpace.c : Ignored
 C:\WINDOWS\system32\Cache\bs51-egihsg51-va.exe -> Spyware.BookedSpace.e : Ignored
 C:\WINDOWS\system32\Cache\dist006.exe -> TrojanDownloader.VB.eu : Ignored
 C:\WINDOWS\system32\Cache\HelperInstall.exe -> TrojanDropper.Delf.z : Ignored
 C:\WINDOWS\system32\Cache\InstallAPS.exe -> TrojanDropper.Agent.lu : Ignored
 C:\WINDOWS\system32\Cache\installer_MARKETING17.exe -> TrojanDownloader.Adload.a : Ignored
 C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe -> Spyware.iSearch : Ignored
 C:\WINDOWS\system32\Cache\omi-ic-setup.exe -> TrojanDropper.Agent.hn : Ignored
 C:\WINDOWS\system32\Cache\optimize.exe -> TrojanDownloader.Dyfuca : Ignored
 C:\WINDOWS\system32\Cache\optimize1.exe -> TrojanDownloader.Dyfuca : Ignored
 C:\WINDOWS\system32\Cache\pop.exe -> Spyware.WinAD : Ignored
 C:\WINDOWS\system32\Cache\Pop1.exe -> TrojanDropper.Agent.hl : Ignored
 C:\WINDOWS\system32\Cache\setup1024.exe -> TrojanDropper.Agent.hl : Ignored
 C:\WINDOWS\system32\Cache\thin-8-3-x-x.exe -> Adware.BetterInternet : Ignored
 C:\WINDOWS\system32\Cache\tool2_162813.exe -> Spyware.Beginto.c : Ignored
 C:\WINDOWS\system32\Cache\tool5-fran-one.exe -> Spyware.HotSearchBar.e : Ignored
 C:\WINDOWS\system32\Cache\trafficgen-fran.exe -> Spyware.HotSearchBar.d : Ignored
 C:\WINDOWS\system32\Cache\trgen_fran-162813.exe -> Spyware.HotSearchBar.d : Ignored
 C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar : Ignored
 C:\WINDOWS\system32\cccabro.exe -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\protector_update[1].exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Ignored
 C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\datadx.dll -> TrojanDownloader.Qoologic.p : Ignored
 C:\WINDOWS\system32\dddaj.dll -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\system32\dun.exe -> Spyware.DealHelper : Ignored
 C:\WINDOWS\system32\eliteabb32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitebon32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteclr32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteehl32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitefjd32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteftb32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitekjh32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitelgy32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitemlj32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitesul32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteuzl32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitevmj32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitevtb32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitewrx32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitewva32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\elitexib32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteycn32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\eliteyub32.exe -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\fffsdjl.dll -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\system32\msCMTsrvc.exe -> TrojanDownloader.Presario : Ignored
 C:\WINDOWS\system32\mseggo.gif -> TrojanSpy.Delf.dx : Ignored
 C:\WINDOWS\system32\msnimk.gif -> Spyware.Ipend : Ignored
 C:\WINDOWS\system32\pinstaller.exe -> Spyware.UrlSpy : Ignored
 C:\WINDOWS\system32\pppxzhg.dll.tmp -> TrojanDownloader.Qoologic.q : Ignored
 C:\WINDOWS\system32\qqqup.dat -> TrojanDownloader.Qoologic.n : Ignored
 C:\WINDOWS\system32\rtneg2.dll -> Spyware.Beginto : Ignored
 C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Ignored
 C:\WINDOWS\system32\sysmonnt.exe -> Trojan.VB.tq : Ignored
 C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic : Ignored
 C:\WINDOWS\system32\ysoctx.exe -> Trojan.Agent.cp : Ignored
 C:\WINDOWS\tct101.dll -> TrojanDownloader.Dyfuca.eg : Ignored
 C:\WINDOWS\toanlnr.exe -> Adware.BetterInternet : Ignored
 C:\WINDOWS\visfxun.exe -> TrojanDownloader.VB.kd : Ignored
 C:\WINDOWS\vvyusgorfrn.exe -> Adware.BetterInternet : Ignored
 C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

::Report End

139 Posts

August 15th, 2005 15:00

Hi there, and welcome to the forums!

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder as follows:

We'll need to move HiJackThis.exe from the desktop and into a directory of its own, preferably C:\HJT (creating the folder if necessary). The reason behind this is that HJT creates backups of every "fix" we do in the folder it's running in. If we happen to "fix" something and need it later on, there is a very good chance that, by that time, that TEMP directory could be purged and our backups would be lost. If you need a detailed tutorial or just a better explanation as to why, please see http://russelltexas.com/malware/createhjtfolder.htm.

Please set your system to show all files;  

  • Click Start.  
  • Open My Computer.  
  • Select the Tools menu and click Folder Options.  
  • Select the View Tab.  
  • Under the Hidden files and folders heading select Show hidden files and folders.  
  • Uncheck the Hide protected operating system files (recommended) option.  
  • Click Yes to confirm.  
  • Click OK.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [mmxfdll] C:\WINDOWS\mmxfdll.EXE

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run

O4 - HKLM\..\Run: [barncgy] C:\WINDOWS\system32\mdilhq.exe r

O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.exe

Click on Fix Checked when finished and exit HijackThis.  

Note: This line may have mutated on you: O4 - HKLM\..\Run: [barncgy] C:\WINDOWS\system32\mdilhq.exe r. If it isn't in the scan, look for a line that is similar... randomly named... with an "r" after the "exe". You will need to fix that line. Write the filename down as well, as you will need that later. Don't include the "r" after the "exe".

  • Click Start.
  • Select Shutdown.
  • Select Restart and click OK.
  • During restart, hold down the F8 key on your keyboard until the Windows Startup menu appears.
  • If your PC starts beeping then release the key for a few seconds before holding it down again.
  • Select Safe Mode from the Startup menu, and press the Enter button on your keyboard.
  • Windows should start in Safe Mode. If Windows doesn't restart in Safe Mode then please try again.
  • Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\mmxfdll.EXE

C:\WINDOWS\XTQCDLL.EXE

C:\WINDOWS\system32\aaanja.exe

C:\WINDOWS\cozhsvc.exe

C:\WINDOWS\system32\mdilhq.exe

Exit Explorer, and reboot as normal afterwards.

Note: Again... this one may have mutated on you: C:\WINDOWS\system32\mdilhq.exe. If so, use the filename you wrote down earlier in place of this one.

Post back a fresh HijackThis log and we will take another look.

Mat2

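The procedure above (pick out the O4 Run entries, fix them, watch for a randomly named entry that has "mutated" into a new name, and delete the file without its trailing argument) can be checked mechanically against two successive logs. The following is an added example, not code from HijackThis or from this thread's helper: it parses the O4 lines of a before-fix and an after-fix log, separates each command into image path and argument, flags random-looking executables dropped directly in the Windows or system32 directory, and reports which suspicious entries are new in the second log. The log excerpts are constructed from the O4 sections posted in this thread; the suspicion heuristic, the KNOWN_GOOD allowlist and all function names are this example's own assumptions.

```python
"""Triage the O4 (Run-key autostart) lines of two HijackThis logs.

Added example for this thread; not HijackThis code and not the helper's
own method.  The log excerpts are constructed from the O4 sections posted
above, the suspicion heuristic and KNOWN_GOOD allowlist are this example's
assumptions, and every function name here is the example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpts: the O4 section before the first fix and after it.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [mmxfdll] C:\WINDOWS\mmxfdll.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [barncgy] C:\WINDOWS\system32\mdilhq.exe r
O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [dqlrdll] C:\WINDOWS\dqlrdll.exe
O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Split the command into image and arguments: a quoted path, else everything up
# to the first executable extension, else the first word (e.g. dumprep).
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<p>.*?\.(?:exe|com|dll|cpl|scr|bat|cmd))\b|^(?P<w>\S+)',
    re.IGNORECASE)


@dataclass(frozen=True)
class RunEntry:
    hive: str
    name: str   # value name shown in [brackets]
    image: str  # executable path as logged, without arguments
    args: str


def parse_o4(log: str) -> List[RunEntry]:
    """Parse registry Run entries; Global Startup and other O4 forms are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        im = IMAGE_RE.match(cmd)
        if im is None:  # empty command: nothing to triage
            continue
        image = im.group("q") or im.group("p") or im.group("w")
        entries.append(RunEntry(m.group("hive"), m.group("name"), image,
                                cmd[im.end():].strip()))
    return entries


# Heuristic from the thread: a lowercase, random-looking executable dropped
# directly in %WINDIR% or system32 that no installed product accounts for.
# The allowlist is an assumption for this HP/XP box; extend it per machine.
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")
KNOWN_GOOD = {"hkcmd", "dumprep", "updreg", "ati2mdxx", "recguard"}
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


def is_suspicious(e: RunEntry) -> bool:
    directory, _, filename = e.image.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return (directory in WINDOWS_DIRS
            and stem not in KNOWN_GOOD
            and RANDOM_STEM.match(stem) is not None)


def fix_targets(log: str) -> List[str]:
    """Files to delete in Safe Mode: the image path only, never the trailing
    argument ('r', 'reg_run'), which is why parse_o4 separates them."""
    return [e.image for e in parse_o4(log) if is_suspicious(e)]


def diff_runs(before: str, after: str) -> Tuple[List[RunEntry], List[RunEntry]]:
    """(removed, added) keyed on the image path, case-insensitively, so a
    renamed dropper shows up as one removal plus one addition."""
    b = {e.image.lower(): e for e in parse_o4(before)}
    a = {e.image.lower(): e for e in parse_o4(after)}
    return [b[k] for k in b if k not in a], [a[k] for k in a if k not in b]


def mutated_candidates(before: str, after: str) -> List[str]:
    """Suspicious entries present only in the newer log: the 'mutated' lines
    to write down and fix in the next HijackThis pass."""
    _, added = diff_runs(before, after)
    return [f"[{e.name}] {e.image}" for e in added if is_suspicious(e)]


if __name__ == "__main__":
    print("delete in Safe Mode:", fix_targets(LOG_BEFORE))
    print("new suspicious autostarts:", mutated_candidates(LOG_BEFORE, LOG_AFTER))
```

On the two excerpts, fix_targets lists the four files the helper asked to be deleted, and mutated_candidates reports the [dqlrdll] entry that replaced [barncgy] in the second log. The name heuristic is only a starting point: a short lowercase stem in system32 is also what some legitimate vendor tools look like, so confirm each hit against the scanner report (the ewido listing above names most of these files) before deleting anything.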

      16 Posts

      August 15th, 2005 16:00

      Did not locate 2 files:
      C:\WINDOWS\cozhsvc.exe
      C:\WINDOWS\system32\aaanja.exe
       
      Logfile of HijackThis v1.99.1
      Scan saved at 11:00:09 AM, on 8/15/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\HP\KBD\KBD.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\WINDOWS\system32\aaanja.exe
      C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
      c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\CTsvcCDA.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      C:\WINDOWS\cozhsvc.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\HJT\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
      F2 - REG:system.ini: UserInit=userinit.exe
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
      O4 - HKLM\..\Run: [dqlrdll] C:\WINDOWS\dqlrdll.exe
      O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
      O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
      O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe
       

      16 Posts

      August 15th, 2005 16:00

      Hi
       
      Ran Killbox with the two files from previous post.
       
      Logfile of HijackThis v1.99.1
      Scan saved at 11:57:04 AM, on 8/15/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\HP\KBD\KBD.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\WINDOWS\system32\aaanja.exe
      C:\WINDOWS\dqlrdll.exe
      C:\WINDOWS\pwslenc.exe
      c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\CTsvcCDA.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\HJT\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
      F2 - REG:system.ini: UserInit=userinit.exe
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
      O4 - HKLM\..\Run: [dqlrdll] C:\WINDOWS\dqlrdll.EXE
      O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.EXE
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
      O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
      O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe (file missing)
       

      139 Posts

      August 15th, 2005 16:00

      Hi


      mntbike2000 wrote:
      did not locate 2 files;
      C:\WINDOWS\cozhsvc.exe C:\WINDOWS\system32\aaanja.exe
       
       

In your last reply you mentioned that you could not find two files. This is because when you used HJT to run the fix, it removed them itself. If for some reason it hadn't, you would have found them in the instructions for manual removal.


       

Download Killbox from here http://www.bleepingcomputer.com/files/killbox.php and unzip it; save it to your Desktop.

      Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste C:\WINDOWS\system32\aaanja.exe  into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.

      Then do another HJT scan and post the log back here, thanks


      Mat2


      Message Edited by mat2 on 08-15-2005 06:20 PM

      139 Posts

      August 15th, 2005 17:00

      Hi

      Thanks for the latest log

      Please Download RKFiles from here http://skads.org/special/rkfiles.zip

Create a new folder C:\Antispyware\RKFiles. Extract the contents of RKFiles.zip into the new folder you just created.

      Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC

      Please download  Findqoologic from here http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981 into the new Folder, and then unzip it into the new Folder.

      Restart to safe mode. (tap F8 key during bootup)

Open the C:\Antispyware\RKFiles folder and double-click on RKFILES.BAT. Give it time to run; this may take a while. Save the text file it creates. It should save by default to C:\Log.txt

Next, open the QOOLOGIC folder, locate the Find-Qoologic.bat file and double-click it to run it. Wait until a text file opens, and post it in a reply to your thread after doing the rest of what follows here. It'll take a while to run a full scan so please be patient.

Restart into regular Windows mode and post the contents of C:\log.txt and the Find-Qoologic results. Also post a HJT log as well.

       


      Mat2


      16 Posts

      August 15th, 2005 18:00

      HJT, Log.txt & qoologic logs
       
      Logfile of HijackThis v1.99.1
      Scan saved at 1:39:41 PM, on 8/15/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\HP\KBD\KBD.EXE
      C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\WINDOWS\system32\aaanja.exe
      C:\WINDOWS\dqlrdll.EXE
      C:\WINDOWS\pwslenc.EXE
      c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\CTsvcCDA.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\HJT\HijackThis.exe
      C:\WINDOWS\system32\wuauclt.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
      F2 - REG:system.ini: UserInit=userinit.exe
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
      O4 - HKLM\..\Run: [dqlrdll] C:\WINDOWS\dqlrdll.EXE
      O4 - HKLM\..\Run: [pwslenc] C:\WINDOWS\pwslenc.EXE
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
      O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
      O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe (file missing)
       
      C:\Antispyware\rkfiles
       
      PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
      Files Found in system Folder............
      ------------------------
      C:\WINDOWS\system32\AUNPS2.dll: UPX!
      C:\WINDOWS\system32\msdjgk.dll: UPX!
      C:\WINDOWS\system32\mseggo.gif: UPX!
      C:\WINDOWS\system32\msiaih.dll: UPX!
      C:\WINDOWS\system32\msnimk.gif: UPX!
      C:\WINDOWS\system32\pppxzhg.dll.tmp: UPX!
      C:\WINDOWS\system32\supdate.dll: UPX!
      C:\WINDOWS\system32\eliteabb32.exe: FSG!
      C:\WINDOWS\system32\elitebon32.exe: FSG!
      C:\WINDOWS\system32\eliteclr32.exe: FSG!
      C:\WINDOWS\system32\eliteehl32.exe: FSG!
      C:\WINDOWS\system32\elitefjd32.exe: FSG!
      C:\WINDOWS\system32\eliteftb32.exe: FSG!
      C:\WINDOWS\system32\elitelgy32.exe: FSG!
      C:\WINDOWS\system32\elitesul32.exe: FSG!
      C:\WINDOWS\system32\eliteuzl32.exe: FSG!
      C:\WINDOWS\system32\elitevmj32.exe: FSG!
      C:\WINDOWS\system32\elitevtb32.exe: FSG!
      C:\WINDOWS\system32\elitewrx32.exe: FSG!
      C:\WINDOWS\system32\elitewva32.exe: FSG!
      C:\WINDOWS\system32\elitexib32.exe: FSG!
      C:\WINDOWS\system32\eliteycn32.exe: FSG!
      C:\WINDOWS\system32\eliteyub32.exe: FSG!
      C:\WINDOWS\system32\temperror32.dat: FSG!
      C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
       
      Files Found in all users startup Folder............
      ------------------------
      Files Found in all users windows Folder............
      ------------------------
      C:\WINDOWS\dsr.exe: UPX!
      C:\WINDOWS\sfita.exe: UPX!
      C:\WINDOWS\tct101.dll: UPX!
      C:\WINDOWS\vvyusgorfrn.exe: UPX!
      Finished
      bye
      PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
      some examples are MRT.EXE NTDLL.DLL.
      »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
       
      * web-nex  C:\WINDOWS\System32\DATADX.DLL
      * web-nex  C:\WINDOWS\System32\DDDAJ.DLL
      * web-nex  C:\WINDOWS\System32\FFFSDJL.DLL
      * web-nex  C:\WINDOWS\System32\PPPXZH~1.TMP
      * winsync   C:\WINDOWS\System32\DATADX.DLL
      * winsync   C:\WINDOWS\System32\DDDAJ.DLL
      * winsync   C:\WINDOWS\System32\FFFSDJL.DLL
      * rec2_run  C:\WINDOWS\System32\DATADX.DLL
      * KavSvc  C:\WINDOWS\System32\PPPXZH~1.TMP
      * KavSvc  C:\WINDOWS\System32\SUPDATE.DLL
      * conres.cpl  C:\WINDOWS\System32\CONRES.CPL
      * datadx.dll   C:\WINDOWS\System32\DATADX.DLL
      »»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
      * UPX!  C:\WINDOWS\System32\AUNPS2.DLL
      * UPX!  C:\WINDOWS\System32\MSDJGK.DLL
      * UPX!  C:\WINDOWS\System32\MSEGGO.GIF
      * UPX!  C:\WINDOWS\System32\MSIAIH.DLL
      * UPX!  C:\WINDOWS\System32\MSNIMK.GIF
      * UPX!  C:\WINDOWS\System32\PPPXZH~1.TMP
      * UPX!  C:\WINDOWS\System32\SUPDATE.DLL
      * UPX!  C:\WINDOWS\DSR.EXE
      * UPX!  C:\WINDOWS\SFITA.EXE
      * UPX!  C:\WINDOWS\TCT101.DLL
      * UPX!  C:\WINDOWS\VVYUSG~1.EXE
      * aspack  C:\WINDOWS\System32\MRT.EXE
      * aspack  C:\WINDOWS\System32\NTDLL.DLL
      * aspack  C:\WINDOWS\System32\SAIE_KYF.DAT
      »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
      * exe  C:\docume~1\alluse~1\startm~1\programs\startup\DDDA.EXE
      »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
      (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
      Global Startup:
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup
       .
       ..
       ddda.exe
       desktop.ini
       Microsoft Office.lnk
      User Startup:
      C:\Documents and Settings\Owner\Start Menu\Programs\Startup
       .
       ..
       desktop.ini
       

      139 Posts

      August 15th, 2005 20:00

      Hi

      Thanks for the logs

It seems you have a Qoologic infection which seems to be very stubborn to leave.

      The next thing i would suggest is to do an online scan from here http://www.kaspersky.com/virusscanner to see what comes up.


       

      Mat2





      Message Edited by mat2 on 08-15-2005 10:25 PM

      139 Posts

      August 15th, 2005 21:00

      Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

Download LQFix. Unzip it to the desktop. Do not use it until later.

      1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.

      2. Use the arrow key to select Safe Mode, and then press ENTER.

3. Use an arrow key to select an operating system and press ENTER.

4. When prompted whether you want your Windows to run in safe mode, click Yes.

Once you have restarted in Safe Mode, run LQFix.

      Next please run HijackThis, click Scan, and check the following:

      O4 - HKLM\..\Run: C:\WINDOWS\XTQCDLL.EXE

      O4 - HKLM\..\Run: C:\WINDOWS\system32\aaanja.exe reg_run

      O4 - HKLM\..\Run: C:\WINDOWS\dqlrdll.EXE

      O4 - HKLM\..\Run: C:\WINDOWS\pwslenc.EXE

      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

      O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe (file missing)

       Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes

      Click Start. Open My Computer. Select the Tools menu and click Folder Options.

      Select the View Tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option.

      Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK.

       Please delete these files using Windows Explorer(if present):

      C:\WINDOWS\system32\aaanja.exe

      C:\WINDOWS\dqlrdll.EXE

      C:\WINDOWS\pwslenc.EXE

      C:\WINDOWS\XTQCDLL.EXE

      Next, open the QOOLOGIC Folder and Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens,  It'll take a while to run a full scan so please be patient.

      Reboot and post a new HJT log along with a new FindQoologic log, back here, thanks

      Mat2


      Message Edited by mat2 on 08-15-2005 11:43 PM
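The entries the helper picks out above follow a few recognisable patterns: O4 Run items launching an executable sitting directly in C:\WINDOWS rather than in a program folder, an O23 service with "Unknown owner" whose file is already missing, O6 policy keys that lock the user out of Internet Options, and a ProxyServer value of ":0". The script below is an added example, not code from this thread or from HijackThis; it parses log lines in the HJT format and flags entries matching those heuristics for review. The heuristics, the Finding structure and the sample lines (copied from the shapes of entries in the logs above, not a complete log) are my own assumptions, and a flag means "look at this", not a verdict: "Unknown owner" services are also produced by legitimate unsigned software.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the HijackThis logs
# posted in this thread. Not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [XTQCDLL] C:\WINDOWS\XTQCDLL.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cozhsvc.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4" or "O23"
    reason: str   # name of the heuristic that fired (assumed names, mine)
    line: str     # the log line exactly as written


# O4 - <hive>: [<name>] <command line>
_O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: <display name> - <owner> - <path>
_O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# An executable directly under the Windows directory, no subfolder (lower-cased path).
_WINDIR_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$')


def command_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, without its arguments.

    Quoted paths ("C:\\Program Files\\...\\x.exe" -flag) are taken up to the closing
    quote; unquoted ones up to the first whitespace.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis-format lines and return entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(' ', 1)[0]

        # Orphaned entries: the registry still points at something no longer on disk.
        if '(file missing)' in line or '(no file)' in line:
            findings.append(Finding(section, 'orphaned_entry', line))

        if section == 'O4':
            m = _O4_RE.match(line)
            if m and _WINDIR_ROOT_RE.match(command_path(m.group('cmd')).lower()):
                # Legitimate software rarely drops its autostart exe straight into C:\WINDOWS.
                findings.append(Finding(section, 'exe_in_windows_root', line))
        elif section == 'O23':
            m = _O23_RE.match(line)
            if m and m.group('owner').lower() == 'unknown owner':
                # No version-info company name; review, since unsigned legit tools look the same.
                findings.append(Finding(section, 'service_unknown_owner', line))
        elif section == 'O6':
            # Policy keys restricting Internet Explorer options for this user.
            findings.append(Finding(section, 'ie_policy_restriction', line))
        elif section == 'R1' and line.endswith('ProxyServer = :0'):
            # Proxy set to an empty host on port 0: leftover of a hijack or a broken uninstall.
            findings.append(Finding(section, 'empty_proxy_setting', line))
    return findings


def lines_to_review(findings: list[Finding]) -> list[str]:
    """Unique flagged log lines, in log order, ready to compare against the HJT fix list."""
    seen: list[str] = []
    for f in findings:
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} {f.reason:<24} {f.line}')
```

Running it on the sample prints seven findings: the empty proxy setting, the orphaned BHO, XTQCDLL.EXE in the Windows root, the O6 policy key, the VisFx service twice (unknown owner and file missing) and the Content Monitoring Tool service once. Note what it does not catch: aaanja.exe lives in system32 and is only identified here because the helper recognises the "winsync" Run name from the Find-Qoologic output, a knowledge-based match no path heuristic reproduces.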

      16 Posts

      August 15th, 2005 22:00

      Thanks for the continued help....here are the logs
       
      Logfile of HijackThis v1.99.1
      Scan saved at 5:48:15 PM, on 8/15/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\HP\KBD\KBD.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
      C:\WINDOWS\system32\aaanja.exe
      c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\CTsvcCDA.exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      c:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\HJT\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sltrib.com/sports
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
      F2 - REG:system.ini: UserInit=userinit.exe
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\aaanja.exe reg_run
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
      O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
      O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
      O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
       
       
      PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
      some examples are MRT.EXE NTDLL.DLL.
      »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
       
      * web-nex  C:\WINDOWS\System32\DATADX.DLL
      * web-nex  C:\WINDOWS\System32\DDDAJ.DLL
      * web-nex  C:\WINDOWS\System32\FFFSDJL.DLL
      * web-nex  C:\WINDOWS\System32\PPPXZH~1.TMP
      * winsync   C:\WINDOWS\System32\DATADX.DLL
      * winsync   C:\WINDOWS\System32\DDDAJ.DLL
      * winsync   C:\WINDOWS\System32\FFFSDJL.DLL
      * rec2_run  C:\WINDOWS\System32\DATADX.DLL
      * KavSvc  C:\WINDOWS\System32\PPPXZH~1.TMP
      * KavSvc  C:\WINDOWS\System32\SUPDATE.DLL
      * conres.cpl  C:\WINDOWS\System32\CONRES.CPL
      * datadx.dll   C:\WINDOWS\System32\DATADX.DLL
      »»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
      * UPX!  C:\WINDOWS\System32\AUNPS2.DLL
      * UPX!  C:\WINDOWS\System32\MSDJGK.DLL
      * UPX!  C:\WINDOWS\System32\MSEGGO.GIF
      * UPX!  C:\WINDOWS\System32\MSIAIH.DLL
      * UPX!  C:\WINDOWS\System32\MSNIMK.GIF
      * UPX!  C:\WINDOWS\System32\PPPXZH~1.TMP
      * UPX!  C:\WINDOWS\System32\SUPDATE.DLL
      * UPX!  C:\WINDOWS\DSR.EXE
      * UPX!  C:\WINDOWS\SFITA.EXE
      * UPX!  C:\WINDOWS\TCT101.DLL
      * UPX!  C:\WINDOWS\VVYUSG~1.EXE
      * aspack  C:\WINDOWS\System32\MRT.EXE
      * aspack  C:\WINDOWS\System32\NTDLL.DLL
      * aspack  C:\WINDOWS\System32\SAIE_KYF.DAT
      »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
      * exe  C:\docume~1\alluse~1\startm~1\programs\startup\DDDA.EXE
      »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
      (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
      Global Startup:
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup
       .
       ..
       ddda.exe
       desktop.ini
       Microsoft Office.lnk
      User Startup:
      C:\Documents and Settings\Owner\Start Menu\Programs\Startup
       .
       ..
       desktop.ini
       
