5th May 2005   #1
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

Having problems w/programs, homepage redirected [Hijackthis log & Getlog xp listed]

I am having problems opening my antispyware software; I can't even get into Adaware to update it. I think my computer might have picked up some virus or other malicious software, because every time I try to close down my computer I get an error that a program Win Min is not responding. Here is my Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:39 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\System32\nwprt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Jim\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [t38S38i] nwprt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [c0r2RUGmU] nvihst3g.exe
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1114213473575
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


Here is the getlogxp


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
c0r2RUGmU REG_SZ nvihst3g.exe
vqsaijo REG_SZ c:\windows\kexdlki.exe
vsnitex REG_SZ c:\windows\kexdlki.exe
cngqmvt REG_SZ c:\windows\kpvxgji.exe
sjanbmu REG_SZ c:\windows\kpvxgji.exe
fxgqvpu REG_SZ c:\windows\kpvxgji.exe
mcwippr REG_SZ c:\windows\gxkuajq.exe
mqcgyda REG_SZ c:\windows\gxkuajq.exe
gnuhwqe REG_SZ c:\windows\gxkuajq.exe
grikwbb REG_SZ c:\windows\gxkuajq.exe
vwdpnsk REG_SZ c:\windows\gxkuajq.exe
haptkfu REG_SZ c:\windows\kuhapqd.exe
lytjcev REG_SZ c:\windows\kuhapqd.exe
jigkjwq REG_SZ c:\windows\kuhapqd.exe
gmfgkiw REG_SZ c:\windows\kuhapqd.exe
nxwaikg REG_SZ c:\windows\jrqlrhr.exe
xpsbeod REG_SZ c:\windows\jrqlrhr.exe

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray REG_SZ C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /install
BJCFD REG_SZ C:\Program Files\BroadJump\Client Foundation\CFD.exe
Motive SmartBridge REG_SZ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
YBrowser REG_SZ C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightLAN 02 REG_SZ "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 REG_SZ "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Security Shedule REG_SZ C:\WINDOWS\System32\pentstrm.exe
t38S38i REG_SZ nwprt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents



Last edited by NBAS1; 6th May 2005 at 00:25. Reason: Additional information to include.

6th May 2005   #2
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

Whatever is causing my problems with my computer has even gone so far as to change my background to what looks like a giant pop-up. This is getting annoying now. Anyone have any tips?

7th May 2005   #3
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

I have tried to install some new antivirus software in safe mode, but nothing I have tried has been allowed to install in safe mode. I have tried to install in standard mode, and each time I double click on the software to install, the installation wizard starts and I am able to click on the "I agree" box, and shortly after, the application stops its installation without any warning or error message, and my screen goes back to the desktop view. I am having no luck on my own with anything.

7th May 2005   #4
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,524; Computer Experience: ~@<*+)

Try running Panda ActiveScan and/or Bit-Defender to see if it can clean up anything, then post a new HijackThis log.

I'm away from home so have little access and time, but will check back in on you.


10th May 2005   #5
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

I used the Panda scanner and was not allowed to transmit 2 suspected files to them. I was prompted to check my internet connection and to press "OK". Each time I did as instructed, I was told to check my connection. I did both scans and here is the new Hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 11:37:30 AM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\tsardssp.exe
C:\windows\kexdlki.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\Jim\Start Menu\Programs\Startup\winupdate10761038[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\tmpF.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\lvshftla.exe
C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
O4 - HKCU\..\Run: [yxmkqga] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [nffnsel] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [dyumloo] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [njiiusg] c:\windows\rmpkuim.exe
O4 - HKCU\..\Run: [tpwfclu] c:\windows\omhuxfb.exe
O4 - HKCU\..\Run: [mlnjjpy] c:\windows\omhuxfb.exe
O4 - HKCU\..\Run: [hupjidg] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [nuckuoi] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [iqosktl] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [ounsuvd] c:\windows\awkadbr.exe
O4 - HKCU\..\Run: [ecviqno] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [ppnhlls] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [sjnicjf] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [hjjcqhm] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [xolkirh] c:\windows\ugbunew.exe
O4 - HKCU\..\Run: [ukbspcj] c:\windows\rcehlcy.exe
O4 - HKCU\..\Run: [ftigavj] c:\windows\irarkau.exe
O4 - HKCU\..\Run: [qrrklqi] c:\windows\rcehlcy.exe
O4 - HKCU\..\Run: [equcloa] c:\windows\irarkau.exe
O4 - HKCU\..\Run: [gyhrame] c:\windows\obssiqc.exe
O4 - HKCU\..\Run: [ydxmfvr] c:\windows\wielicn.exe
O4 - HKCU\..\Run: [qonasgj] c:\windows\obssiqc.exe
O4 - HKCU\..\Run: [xopiggf] c:\windows\wielicn.exe
O4 - HKCU\..\Run: [oylbddy] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [pqjgsyv] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [dvcdrjb] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [kjwkpww] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [eykkbsj] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [ysrwjfj] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [vflfvgb] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: winupdate10761038[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
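
Added example, not part of the original thread and not code from the poster or from HijackThis: a Python triage pass over HijackThis-style `R0`/`R1` and `O4` lines, run on a subset of entries copied from the log above. The function names, regular expressions and review hints are assumptions made for this example; a hint marks an entry for a closer look and is not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: winupdate10761038[1].exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# O4 registry autoruns: hive, key (Run, RunOnce, ...), value name, command line.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# O4 Startup-folder items: file name, optionally "= shortcut target".
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?)(?: = (.*))?$")
# R0/R1 Internet Explorer settings whose value is a URL.
IE_RE = re.compile(r"^R[01] - \S.*? = (https?://\S+)$")
# Program path inside a command line: quoted, or up to the first .exe/.dll/.tmp.
TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|tmp))(?=[\s,]|$)', re.I)
# An .exe sitting directly in C:\WINDOWS (not in a subfolder such as System32).
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")


def target_of(command):
    """Return the lower-cased program path from a Run-key command line."""
    m = TARGET_RE.match(command.strip())
    path = (m.group(1) or m.group(2)) if m else command.strip()
    return path.lower()


def triage(log_text):
    """Collect review hints for autorun and IE entries in a HijackThis log."""
    names_by_target = defaultdict(set)
    startup, ie_hosts = [], defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            names_by_target[target_of(m.group(4))].add(m.group(3))
        elif m := STARTUP_RE.match(line):
            # A shortcut (.lnk) is the usual Startup item; a bare program is not.
            if not m.group(1).lower().endswith(".lnk"):
                startup.append(m.group(1))
        elif m := IE_RE.match(line):
            ie_hosts[urlparse(m.group(1)).hostname] += 1

    run = {}
    for target, names in names_by_target.items():
        reasons = []
        if WINROOT_RE.match(target):
            reasons.append("exe directly in the Windows directory")
        if "\\" not in target:
            reasons.append("no directory given, resolved via search path")
        if len(names) > 1:
            reasons.append(f"{len(names)} value names point to this file")
        if reasons:
            run[target] = reasons
    return {"run": run, "startup": startup, "ie_hosts": dict(ie_hosts)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for target, reasons in report["run"].items():
        print(f"RUN      {target}: {'; '.join(reasons)}")
    for item in report["startup"]:
        print(f"STARTUP  {item}: program placed directly in a Startup folder")
    for host, count in report["ie_hosts"].items():
        print(f"IE       {count} browser setting(s) point to {host}")
```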


10th May 2005   #6
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

After looking over the Hijackthis log, I used Hijackthis to fix these files.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


So far it has fixed the problem of the hijacked start page on Internet Explorer. But I am still concerned about the "Trojans" that the scanners could not disinfect or clean. Also, I am not able to install any of the new antispyware software that I have downloaded. The same problem I have been having since the start. Plus I do not have the "pop-up" style background anymore. It has reverted to what was there prior.


Last edited by NBAS1; 10th May 2005 at 20:55. Reason: Forgot to add some information.

10th May 2005   #7
NBAS1 (Inactive; Join Date: May 2005; Posts: 39; Computer Experience: Beginner)

Ignore that part about using Hijackthis to "fix" my hijacked homepage. I rebooted into safe mode and ran Adaware and Spybot. I then rebooted into normal mode, and when I opened up Internet Explorer, I was back to my new hijacked homepage.

11th May 2005   #8
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,524; Computer Experience: ~@<*+)

You have multiple infections here, and we'll attempt to get them all at once. You should print this out and/or save it to text. Saving to text will allow you to copy/paste the filepaths below when using the Killbox.

Before trying to proceed, download the HostsFileReader and unzip, then open. Click the Reset Default button.

Download the Symantec W32.Beagle@mm Removal Tool. Save it to your desktop.

Download the stand-alone CWShredder 2.14 from here. Save it to the desktop.

Download LSPFix.exe, saving it to your desktop.

Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

Please download the attachment smitfraud1.zip. Save it to your desktop. If it saves as attachment.php, right click and rename to smitfraud1.zip. You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then folder options. Click the view tab of the window that opens, uncheck the box to Hide extensions...... and click OK. Now right click the zip and extract the smitfraud1 folder to your desktop.

Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Extract the file to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\tsardssp.exe

Check the box to delete on reboot and click the red X to the right. Click Yes, then NO to the reboot now prompt. Copy the next filepath, paste it in the box, and repeat the above steps. When all of the below filepaths are done, allow it to reboot.

C:\windows\kexdlki.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\tmpF.tmp
C:\WINDOWS\System32\lvshftla.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\DOCUME~1\Jim\Start Menu\Programs\Startup\winupdate10761038[1].exe



After reboot, scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
O4 - HKCU\..\Run: [yxmkqga] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [nffnsel] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [dyumloo] c:\windows\wuyfowg.exe
O4 - HKCU\..\Run: [njiiusg] c:\windows\rmpkuim.exe
O4 - HKCU\..\Run: [tpwfclu] c:\windows\omhuxfb.exe
O4 - HKCU\..\Run: [mlnjjpy] c:\windows\omhuxfb.exe
O4 - HKCU\..\Run: [hupjidg] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [nuckuoi] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [iqosktl] c:\windows\vfrrjvd.exe
O4 - HKCU\..\Run: [ounsuvd] c:\windows\awkadbr.exe
O4 - HKCU\..\Run: [ecviqno] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [ppnhlls] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [sjnicjf] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [hjjcqhm] c:\windows\qbwdhuw.exe
O4 - HKCU\..\Run: [xolkirh] c:\windows\ugbunew.exe
O4 - HKCU\..\Run: [ukbspcj] c:\windows\rcehlcy.exe
O4 - HKCU\..\Run: [ftigavj] c:\windows\irarkau.exe
O4 - HKCU\..\Run: [qrrklqi] c:\windows\rcehlcy.exe
O4 - HKCU\..\Run: [equcloa] c:\windows\irarkau.exe
O4 - HKCU\..\Run: [gyhrame] c:\windows\obssiqc.exe
O4 - HKCU\..\Run: [ydxmfvr] c:\windows\wielicn.exe
O4 - HKCU\..\Run: [qonasgj] c:\windows\obssiqc.exe
O4 - HKCU\..\Run: [xopiggf] c:\windows\wielicn.exe
O4 - HKCU\..\Run: [oylbddy] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [pqjgsyv] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [dvcdrjb] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [kjwkpww] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [eykkbsj] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [ysrwjfj] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [vflfvgb] c:\windows\ipihqwp.exe
O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate10761038[1].exe
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

Open CWShredder, close ALL other windows and click fix. Exit.

Open HijackThis to the Misc Tools section, then click the Delete an NT Service button. Type in ZESOFT and click OK. Close HijackThis.

Open the smitfraud1 folder and double click the RunThis.bat file to start the tool. Follow the prompts. When the tool completes, if you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

Double click the LSPFix.exe to run. If the file flsmngr.dll is present, make sure it is in the remove column, check the box I know what I'm doing and click finish.

Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

Now run the Symantec W32.Beagle@mm Removal Tool.

Reboot, scan again with HijackThis and post the new log.

I would also like you to download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here.

smitfraud.zip

11th May 2005   #9
NBAS1


I followed your instructions. Here is the Hijackthis log. It looks like some of the entries are still there. I will post the virus log when it is finished running. Thanks for the help so far.


Logfile of HijackThis v1.99.1
Scan saved at 12:59:07 PM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Jim\LOCALS~1\Temp\kavss.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tvpreci] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [rtmjbqt] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [pqkhigo] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [lgonbkb] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [dbxuhjl] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [bvghhht] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [voukwjn] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [xslssnr] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [mppgrdx] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [pbgdqkm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [qgtgqwa] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [utbhnsi] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [ygfkwfl] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [fyrimdn] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tlnpkgy] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [rapqihi] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [jgrhskm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [ytgefwp] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [wuirdaf] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [gifeqjw] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tbsqdop] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [wusyjkc] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [plxcxgw] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [erdklmp] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [svejevy] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [emagrgl] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [kvoxcyg] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [fsdygja] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [dbxvkmu] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [gikquny] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [gevjqga] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [guyfeui] c:\windows\wsfroko.exe
O4 - HKCU\..\Run: [kixviui] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [gnajrmu] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [ggmvfeq] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [drcojxs] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [nagefca] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [ithyacd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [hxsyspr] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [xnelcum] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [miloeqw] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qstasbi] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [fkfscqk] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [pxhonql] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [jjhlskt] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [baofpgy] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [vfjaejm] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qfflthj] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [yohnakd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qlipbkf] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nppvqto] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [ffqteyd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [etnrchd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [oqglgeb] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nbjahfb] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [opyojce] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [bktyevt] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [xugkkpe] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nvqsenm] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [exwhpfq] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [vkadgsu] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [mdfbwdu] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [ktjjeum] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [pikikgc] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [xqaykop] c:\windows\tamrcmc.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7774FB30-AF13-5454-B967-732E52AC5811} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

11th May 2005   #10
NBAS1


Here is the virus log.



File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\Loader.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe.tcf infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\shop1004.exe.tcf infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\c_93rint.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\djrhbaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\glskaaaa.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xehgyudv.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ybnqworg.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
File C:\AOL Instant Messenger\AIM95.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe.tcf infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\shop1004.exe.tcf infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\c_93rint.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\djrhbaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\glskaaaa.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xehgyudv.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ybnqworg.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
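
Added example, not part of any post in this thread: the scan log above repeats several detections and mixes file paths with non-file findings ("System Found") and a second line shape ("tagged as"). The sketch below parses both shapes and collapses them to one entry per file; the function names are hypothetical and the sample lines are copied from the log above.

```python
import re

# One detection line of the scan log quoted above. Two shapes occur:
#   File <target> infected by "<name>" Virus. Action Taken: <action>.
#   File <target> tagged as <name>. <action>.
LOG_LINE = re.compile(
    r'^File (?P<target>.+?) (?:'
    r'infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>[^.]+)\.'
    r'|tagged as (?P<tag>\S+)\. (?P<tag_action>[^.]+)\.'
    r')$'
)
# A target counts as a file only if it starts with a drive letter.
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r'''
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\AOL Instant Messenger\AIM95.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
'''


def parse_scan_log(text):
    """Return (target, detection_name, action) for every line that parses."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        records.append((
            m.group("target"),
            m.group("name") or m.group("tag"),
            m.group("action") or m.group("tag_action"),
        ))
    return records


def summarize(records):
    """Collapse repeated lines: one entry per file, plus non-file findings.

    Windows paths are case-insensitive, so files are keyed on the
    lower-cased path and the first spelling seen is kept for display.
    """
    files, other = {}, []
    for target, name, _action in records:
        if DRIVE_PATH.match(target):
            entry = files.setdefault(
                target.lower(), {"path": target, "detections": []})
            if name not in entry["detections"]:
                entry["detections"].append(name)
        elif (target, name) not in other:
            other.append((target, name))
    return files, other


if __name__ == "__main__":
    files, other = summarize(parse_scan_log(SAMPLE_LOG))
    for entry in files.values():
        print(entry["path"], "->", ", ".join(entry["detections"]))
    for target, name in other:
        print("(not a file path)", target, "->", name)
```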

12th May 2005   #11
noahdfear (Staff)

Highlight and copy the entire following list of filepaths in bold, open Killbox and check delete on reboot, then click File>copy from clipboard, then click the red X. Close all other windows then click yes to process and reboot.

C:\WINDOWS\System32\thun32.dll
C:\WINDOWS\system32\brown32k.dll
C:\WINDOWS\system32\brown32k.dll
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\thun32.dll
C:\WINDOWS\cxtpls_loader.exe.tcf
C:\WINDOWS\shop1004.exe.tcf
C:\WINDOWS\system32\c_93rint.dll
C:\WINDOWS\system32\djrhbaaa.exe
C:\WINDOWS\system32\glskaaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\xehgyudv.exe
C:\WINDOWS\system32\ybnqworg.exe
C:\WINDOWS\cxtpls_loader.exe.tcf
C:\WINDOWS\shop1004.exe.tcf
C:\WINDOWS\system32\c_93rint.dll
C:\WINDOWS\system32\djrhbaaa.exe
C:\WINDOWS\system32\glskaaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\xehgyudv.exe
C:\WINDOWS\system32\ybnqworg.exe



Scan with HijackThis, check the following entries and click fix. (all O4 HKCU entries)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tvpreci] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [rtmjbqt] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [pqkhigo] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [lgonbkb] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [dbxuhjl] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [bvghhht] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [voukwjn] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [xslssnr] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [mppgrdx] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [pbgdqkm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [qgtgqwa] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [utbhnsi] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [ygfkwfl] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [fyrimdn] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tlnpkgy] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [rapqihi] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [jgrhskm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [ytgefwp] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [wuirdaf] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [gifeqjw] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tbsqdop] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [wusyjkc] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [plxcxgw] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [erdklmp] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [svejevy] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [emagrgl] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [kvoxcyg] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [fsdygja] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [dbxvkmu] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [gikquny] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [gevjqga] c:\windows\xdofafm.exe
O4 - HKCU\..\Run: [guyfeui] c:\windows\wsfroko.exe
O4 - HKCU\..\Run: [kixviui] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [gnajrmu] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [ggmvfeq] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [drcojxs] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [nagefca] c:\windows\dddupgg.exe
O4 - HKCU\..\Run: [ithyacd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [hxsyspr] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [xnelcum] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [miloeqw] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qstasbi] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [fkfscqk] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [pxhonql] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [jjhlskt] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [baofpgy] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [vfjaejm] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qfflthj] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [yohnakd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [qlipbkf] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nppvqto] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [ffqteyd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [etnrchd] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [oqglgeb] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nbjahfb] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [opyojce] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [bktyevt] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [xugkkpe] c:\windows\kopktgt.exe
O4 - HKCU\..\Run: [nvqsenm] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [exwhpfq] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [vkadgsu] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [mdfbwdu] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [ktjjeum] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [pikikgc] c:\windows\tamrcmc.exe
O4 - HKCU\..\Run: [xqaykop] c:\windows\tamrcmc.exe
O16 - DPF: {7774FB30-AF13-5454-B967-732E52AC5811} - http://69.50.182.94/1/rdgUS1882.exe

Update both Spybot and Ad-aware. Scan with Spybot and remove all it finds. Run Ad-aware in full scan mode and remove all it finds. Reboot and post a new HijackThis log.

12th May 2005   #12
NBAS1


Error when using Killbox

When I told Killbox to restart my computer I get a message stating "PendingFileRenameOperations Registry Data Has Been Removed By External Process". Should I still follow through with the remainder of task?
12th May 2005   #13
NBAS1


I went ahead and did the hijack this scan again. I checked all items and told it to "fix". After it was done, I rebooted and ran a hijack this scan again and some of the items were still there. Here is the new Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:03:46 PM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Last edited by NBAS1; 12th May 2005 at 01:05. Reason: spelling
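
Added example, not part of any post in this thread: the scans above list many HKCU Run values with random-looking names, and the set differs from one scan to the next. The sketch below parses the O4 registry lines of two HijackThis logs and reports which of those autorun targets disappeared, appeared or persisted. The function names are hypothetical, the "7 lowercase letters" heuristic is an assumption drawn only from the entries in this thread, and the sample lines are excerpted from the 12:59 PM and 4:03 PM scans of 5/11/2005 posted above.

```python
import re
from collections import defaultdict, namedtuple

Autorun = namedtuple("Autorun", "hive key name command")

# HijackThis O4 registry line:  O4 - HKCU\..\Run: [value name] command line
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Heuristic taken from the entries in this thread only (an assumption, not a
# general rule): a value name of 7 lowercase letters that launches a
# 7-letter .exe sitting directly in c:\windows.
RANDOM_NAME = re.compile(r"^[a-z]{7}$")
RANDOM_TARGET = re.compile(r"^c:\\windows\\[a-z]{7}\.exe$", re.IGNORECASE)

# Sample input: lines excerpted from the 12:59:07 PM scan posted above.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [emagrgl] c:\windows\xdofafm.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
"""

# Sample input: lines excerpted from the 4:03:46 PM scan posted above.
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
"""


def parse_o4(log_text):
    """Return the registry autostart entries (O4 lines with a [value name])."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(Autorun(*m.groups()))
    return entries


def random_autoruns(entries):
    """Map each suspicious target (lower-cased) to the value names using it."""
    by_target = defaultdict(list)
    for e in entries:
        command = e.command.strip()
        if RANDOM_NAME.match(e.name) and RANDOM_TARGET.match(command):
            by_target[command.lower()].append(e.name)
    return dict(by_target)


def compare_scans(before_text, after_text):
    """Diff the suspicious autorun targets of two scans."""
    before = random_autoruns(parse_o4(before_text))
    after = random_autoruns(parse_o4(after_text))
    return {
        "gone": sorted(set(before) - set(after)),
        "new": sorted(set(after) - set(before)),
        "persisting": sorted(set(before) & set(after)),
    }


if __name__ == "__main__":
    for status, targets in compare_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(status + ":", ", ".join(targets) or "(none)")
```

A target reported as "new" after a fix pass means something was still writing Run values between the two scans, so the list of entries to fix has to be rebuilt from the latest log rather than reused.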
12th May 2005   #14
noahdfear (Staff)

Copy the contents of the quote box below to a blank notepad. Close it, saving to your desktop as

File name: delfiles.bat
Save As Type: All Files

Quote:
attrib -h -r -s C:\WINDOWS\System32\thun32.dll
del C:\WINDOWS\System32\thun32.dll
attrib -h -r -s C:\WINDOWS\system32\brown32k.dll
del C:\WINDOWS\system32\brown32k.dll
attrib -h -r -s C:\WINDOWS\system32\brown32k.dll
del C:\WINDOWS\system32\brown32k.dll
attrib -h -r -s C:\WINDOWS\System32\thun32.dll
del C:\WINDOWS\System32\thun32.dll
attrib -h -r -s C:\WINDOWS\system32\c_93rint.dll
del C:\WINDOWS\system32\c_93rint.dll
attrib -h -r -s C:\WINDOWS\system32\djrhbaaa.exe
del C:\WINDOWS\system32\djrhbaaa.exe
attrib -h -r -s C:\WINDOWS\system32\glskaaaa.exe
del C:\WINDOWS\system32\glskaaaa.exe
attrib -h -r -s C:\WINDOWS\system32\srpcsrv32.dll
del C:\WINDOWS\system32\srpcsrv32.dll
attrib -h -r -s C:\WINDOWS\system32\xehgyudv.exe
del C:\WINDOWS\system32\xehgyudv.exe
attrib -h -r -s C:\WINDOWS\system32\ybnqworg.exe
del C:\WINDOWS\system32\ybnqworg.exe
attrib -h -r -s C:\WINDOWS\system32\c_93rint.dll
del C:\WINDOWS\system32\c_93rint.dll
attrib -h -r -s C:\WINDOWS\system32\djrhbaaa.exe
del C:\WINDOWS\system32\djrhbaaa.exe
attrib -h -r -s C:\WINDOWS\system32\glskaaaa.exe
del C:\WINDOWS\system32\glskaaaa.exe
attrib -h -r -s C:\WINDOWS\system32\srpcsrv32.dll
del C:\WINDOWS\system32\srpcsrv32.dll
attrib -h -r -s C:\WINDOWS\system32\xehgyudv.exe
del C:\WINDOWS\system32\xehgyudv.exe
attrib -h -r -s C:\WINDOWS\system32\ybnqworg.exe
del C:\WINDOWS\system32\ybnqworg.exe
attrib -h -r -s C:\WINDOWS\SYSTEM\Loader.dll
del C:\WINDOWS\SYSTEM\Loader.dll
attrib -h -r -s C:\WINDOWS\cxtpls_loader.exe.tcf
del C:\WINDOWS\cxtpls_loader.exe.tcf
attrib -h -r -s C:\WINDOWS\shop1004.exe.tcf
del C:\WINDOWS\shop1004.exe.tcf
attrib -h -r -s C:\WINDOWS\cxtpls_loader.exe.tcf
del C:\WINDOWS\cxtpls_loader.exe.tcf
attrib -h -r -s C:\WINDOWS\cxtpls_loader.exe.tcf
del C:\WINDOWS\cxtpls_loader.exe.tcf
attrib -h -r -s C:\WINDOWS\cnkcksx.exe
del C:\WINDOWS\cnkcksx.exe
Reboot to safe mode and double click the file to run. You should be prompted to delete each file. Type a Y and hit enter for each. Make note of any errors.

Scan again with HijackThis and fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe

Reboot back into Windows and scan again with HJT, then post the log and any errors with the bat file.

noahdfear is offline  
Old 12th May 2005   #15
Inactive
 
Profile:
Join Date: May 2005
Posts: 39
Computer Experience:
Beginner
NBAS1 Reputation Level


When I ran the bat file it opened up a window looking like dos and the file ran without prompting me to delete any files. I ran it twice, just to see what was being displayed, as it ran pretty fast, and after each file to be deleted it either said "can not find" or "file not found". Here is the new Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:43 AM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

NBAS1 is offline  
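
Added example, not part of the original thread: a short Python check that compares the entries a helper asked to have fixed against a follow-up HijackThis log, and reports any that survived or any targeted file still listed under running processes. The function names are hypothetical and the follow-up log in the sample is constructed; the two fix-list entries are copied from the post above.

```python
import re

# Entry lines look like "O4 - HKCU\..\Run: [name] path" or "R1 - HKCU\...,Search Bar = url".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (code, lower-cased body) for each entry line in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body").strip().lower()))
    return entries

def parse_processes(log_text):
    """Return lower-cased paths listed under 'Running processes:' (section ends at a blank line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line.lower())
    return procs

def still_present(fix_list, followup_log, deleted_files):
    """Fix-list entries that survive in the follow-up log, plus targeted files still running."""
    remaining = parse_entries(fix_list) & parse_entries(followup_log)
    targets = {f.lower() for f in deleted_files}
    running = [p for p in parse_processes(followup_log) if p in targets]
    return sorted(remaining), running

# Two entries copied from the fix list in the thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe
"""
# Constructed follow-up log: the Run entry survived and its file is still running.
FOLLOWUP = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\cnkcksx.exe

O4 - HKCU\..\Run: [kiiegag] C:\WINDOWS\cnkcksx.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""
```

Paths and entries are compared case-insensitively because HijackThis reports the same file with differing case between scans.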