
Sluggish Computer with PopUps

Discussion in 'Malware and Virus Removal Archive' started by iujmheb, 2005/07/14.

Thread Status:
Not open for further replies.
  1. 2005/07/24
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    WinPFind & TrackQoo Reports

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

    »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...

    Checking %System%\Drivers folder and sub-folders...

    Checking the Windows folder for system and hidden files within the last 60 days...
    7/22/2005 10:15:00 AM 54156 QTFont.qfn
    6/22/2005 8:36:00 PM 10820 nocontnt.GID
    7/24/2005 12:08:16 PM 1146880 system.LOG
    7/24/2005 12:08:16 PM 86016 software.LOG
    7/24/2005 12:08:16 PM 8192 default.LOG
    7/24/2005 12:09:56 PM 1024 SAM.LOG
    7/24/2005 12:09:20 PM 20480 SECURITY.LOG
    7/17/2005 5:11:06 AM 67 desktop.ini
    7/17/2005 5:11:06 AM 67 desktop.ini
    7/17/2005 5:11:06 AM 67 desktop.ini
    7/17/2005 5:11:06 AM 67 desktop.ini
    7/17/2005 5:11:06 AM 67 desktop.ini
    6/30/2005 2:45:50 PM 24 Preferred
    6/30/2005 2:45:50 PM 388 e4d3cfb4-9b02-4140-8705-ca34aeb7e554
    7/24/2005 12:08:06 PM 6 SA.DAT
    7/11/2005 10:13:32 AM 192 RUTASK.job
    7/11/2005 11:24:58 PM 27136 drmv2.lic
    7/14/2005 12:05:52 AM 10240 drmv2.sst
    7/11/2005 11:24:56 PM 3072 drmv2.licIndex
    5/29/2005 12:41:26 PM 0 oem26.inf
    5/29/2005 12:41:26 PM 0 oem26.PNF

    »»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    8/31/2004 10:11:34 AM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    10/18/2002 12:13:44 AM 1493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    8/31/2004 10:48:40 AM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    10/19/2002 9:27:36 PM 843 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/31/2004 10:28:24 AM 752 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

    Checking files in %USERPROFILE%\Startup folder...

    Checking files in %USERPROFILE%\Application Data folder...
    5/21/2005 8:20:32 AM 57 C:\Documents and Settings\Customer\Application Data\Sskcwrd.dll
    5/20/2005 12:11:16 PM 374474 C:\Documents and Settings\Customer\Application Data\Sskknwrd.dll
    5/21/2005 8:20:32 AM 40 C:\Documents and Settings\Customer\Application Data\Sskuknwrd.dll
    6/14/2005 8:28:28 PM 83 C:\Documents and Settings\Customer\Application Data\sversion.ini

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxgnymkf
    {d898d780-e12d-4af2-a585-6a4b0e5b9d6f} =
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\DOCUME~1\CUSTOMER\DESKTOP\WINZIP\WZSHLSTB.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\YAHOO!\Common\ymmapi.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BullGuard Antivirus v4
    {B5FB6487-7E79-4816-B73B-8A65E41971DA} =
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\DOCUME~1\CUSTOMER\DESKTOP\WINZIP\WZSHLSTB.DLL

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
    =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    IMAIL
    MAPI
    MSFS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
    = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
    Key é 7§ª®0Q¡¿Ã§ZHC
    FileName0 C:\WINDOWS\System32\RSACi.rat
    WarnOnOff 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
    Allow_Unknowns 0
    PleaseMom 1
    Enabled 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
    v 0
    s 0
    n 0
    l 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145
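As an added defender-side example (not from the thread and not WinPFind's own logic), here is a small Python parser for the "Registry Entries Found" section of a WinPFind log that picks out shell-extension handlers worth a second look: a CLSID that resolves to no file at all, a module outside the Windows or Program Files trees, or a subkey with a random-looking name such as fxgnymkf above. The sample log is constructed from a few lines of this post; the heuristics and the trusted-directory list are my assumptions, so a hit like the WinZip module on the user's desktop is a prompt to verify, not a verdict.

```python
"""Flag shell-extension handlers worth reviewing in a WinPFind-style
"Registry Entries Found" listing (ContextMenuHandlers / ColumnHandlers).

Added example; not part of the thread or of WinPFind. The heuristics and
the trusted-directory list are assumptions, not WinPFind's own logic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the WinPFind lines posted in the thread.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxgnymkf
{d898d780-e12d-4af2-a585-6a4b0e5b9d6f} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\DOCUME~1\CUSTOMER\DESKTOP\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
=
"""

# A value line is "<name or CLSID> = <module path>"; either side may be empty.
VALUE_RE = re.compile(r"^(?P<left>[^=]*?)\s*=\s*(?P<path>.*?)\s*$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumption: 7-9 random lowercase letters, the naming pattern seen in this
# infection (fxgnymkf, bmcnadq, hsqvqvl); legitimate handler names are
# usually capitalised, dotted, or contain spaces.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,9}$")
# Assumption: modules under these roots are left alone; anything else is flagged.
TRUSTED_ROOTS = ("%systemroot%\\", "c:\\windows\\",
                 "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Handler:
    key: str                 # full registry key as printed by the scanner
    name: str                # last component of the key (subkey name)
    clsid: str               # CLSID if the listing shows one, else ""
    path: str                # module path, "" when the value is empty
    findings: list = field(default_factory=list)


def parse_handlers(text):
    """Pair each HKEY_... line with the value line that follows it.

    A key line immediately followed by another key line is a container
    (e.g. the ContextMenuHandlers parent) and yields no handler."""
    handlers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        left, path = m.group("left"), m.group("path")
        name = current.rsplit("\\", 1)[-1]
        # The CLSID is either the left-hand side of the value line or,
        # for ColumnHandlers, the subkey name itself.
        clsid = left if CLSID_RE.match(left) else (name if CLSID_RE.match(name) else "")
        handlers.append(Handler(current, name, clsid, path))
    return handlers


def assess(handler):
    """Attach review findings to a handler and return them."""
    findings = []
    if not handler.path:
        findings.append("no module path: the CLSID points at a hidden, "
                        "unregistered or already-removed file")
    elif not handler.path.lower().startswith(TRUSTED_ROOTS):
        findings.append("module outside Windows/Program Files: " + handler.path)
    if RANDOM_NAME_RE.match(handler.name):
        findings.append("random-looking subkey name: " + handler.name)
    handler.findings = findings
    return findings


def suspicious_handlers(text):
    """Return only the handlers that produced at least one finding."""
    return [h for h in parse_handlers(text) if assess(h)]


if __name__ == "__main__":
    for h in suspicious_handlers(SAMPLE_LOG):
        print(h.key)
        for f in h.findings:
            print("   -", f)
```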
     
  2. 2005/07/24
    iujmheb

    TrackQoo Report

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
    "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "USRpdA"="C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
    "POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"
    "QD FastAndSafe"=""
    "ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
    "CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    -----------------
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


    Subkey --- ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
    C:\Program Files\ewido\security suite\context.dll

    Subkey --- fxgnymkf
    {d898d780-e12d-4af2-a585-6a4b0e5b9d6f}


    Subkey --- Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}
    C:\WINDOWS\System32\cscui.dll

    Subkey --- Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
    C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

    Subkey --- WinZip
    {E0D79304-84BE-11CE-9641-444553540000}
    C:\DOCUME~1\CUSTOMER\DESKTOP\WINZIP\WZSHLSTB.DLL

    Subkey --- Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499}
    C:\PROGRA~1\YAHOO!\Common\ymmapi.dll

    Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin
    C:\WINDOWS\system32\SHELL32.dll

    =====================

    HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


    Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
    C:\WINDOWS\System32\datadx.dll

    ==============================
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    desktop.ini
    Microsoft Office.lnk
    hpoddt01.exe.lnk
    officejet 6100.lnk
    Symantec Fax Starter Edition Port.lnk
    ==============================
    C:\Documents and Settings\Customer\Start Menu\Programs\Startup

    desktop.ini
    Microsoft Office.lnk
    hpoddt01.exe.lnk
    officejet 6100.lnk
    Symantec Fax Starter Edition Port.lnk
    desktop.ini
    ==============================
    C:\WINDOWS\SYSTEM32 cpl files


    s32lucp1.cpl Symantec Corporation
    desk.cpl Microsoft Corporation
    appwiz.cpl Microsoft Corporation
    hdwwiz.cpl Microsoft Corporation
    intl.cpl Microsoft Corporation
    main.cpl Microsoft Corporation
    mmsys.cpl Microsoft Corporation
    ncpa.cpl Microsoft Corporation
    nusrmgr.cpl Microsoft Corporation
    nwc.cpl Microsoft Corporation
    odbccp32.cpl Microsoft Corporation
    powercfg.cpl Microsoft Corporation
    sysdm.cpl Microsoft Corporation
    telephon.cpl Microsoft Corporation
    timedate.cpl Microsoft Corporation
    jpicpl32.cpl Sun Microsystems, Inc.
    wuaucpl.cpl Microsoft Corporation
    QuickTime.cpl Apple Computer, Inc.
    inetcpl.cpl Microsoft Corporation
    joy.cpl Microsoft Corporation
    access.cpl Microsoft Corporation
    conres.cpl
    Sorry but I ran out of room. Thanks Dave
     

  4. 2005/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll get something posted for you tonight. Hang in there! ;)
     
  5. 2005/07/26
    noahdfear

    Save this to text so you can access it in safe mode.

    Copy the contents of the quote box below to a blank notepad. Make sure the formatting remains the same.
    Close it, saving to your desktop as:

    File name: fixqoo.reg
    Save As Type: All Files

    Check for updates to Ewido.

    Reboot to safe mode.

    Go to C:\windows\tasks and have a look.

    Do you see this task ?

    RUTASK.job

    If you do, delete it. If not, do the following:

    Most likely it is invisible and needs to be unhidden.

    Click Start>run and type cmd to open a command prompt, paste in this command then press enter.

    attrib -s -h -r C:\windows\tasks\*.job

    Close the command prompt and open the windows\tasks folder.

    Delete this task:
    RUTASK.job

    Search for and delete the following files in bold.
    ru.exe (possibly C:\Windows or C:\Windows\system32)
    C:\Documents and Settings\Customer\Application Data\Sskcwrd.dll
    C:\Documents and Settings\Customer\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Customer\Application Data\Sskuknwrd.dll
    C:\WINDOWS\System32\conres.cpl
    C:\WINDOWS\System32\datadx.dll

    Run Ewido as previously instructed here.

    Reboot and run Panda again. Post the scan log, as well as the Ewido log and a new HijackThis log.
     
  6. 2005/07/27
    iujmheb

    New HJT Log, Ewido & Panda Scan Reports

    Logfile of HijackThis v1.99.1
    Scan saved at 8:04:46 PM, on 7/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://ctx.jmfamily.com/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://performancetrac.jmfefinancial.com/reports/ss/viewers/activeXViewer/activexviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB49BDAE-5D47-4AFB-B70B-38D5547DCEA0}: NameServer = 198.77.116.8
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 2:25:42 AM, 7/27/2005
    + Report-Checksum: 6B5A7856

    + Scan result:

    HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-1003\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
    C:\WINDOWS\SYSTEM32\bmcnadq.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\WINDOWS\SYSTEM32\__delete_on_reboot__datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\hsqvqvl.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temporary Internet Files\Content.IE5\0LIV4D6Z\recinst[1].exe -> TrojanDownloader.Qoologic.x : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ehg-crain.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\David\Cookies\david@a-1shz2prbmdj6wvny-1sez2pra2dj6wjl4sjczglqq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Recycled\Dc10\backup.zip/riutetab.dll -> Spyware.Look2Me : Error during cleaning
    C:\Recycled\Dc10\backup.zip/wywfaxui.dll -> Spyware.Look2Me : Error during cleaning
    C:\Recycled\Dc54.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup


    ::Report End


    Incident Status Location

    Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\SYSTEM32\__delete_on_reboot__datadx.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Virus:Trj/Downloader.CYL No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[Table of Contents.hhc]
    Adware:Adware/XPlugin No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[file.exe]
    Adware:Adware/MSSearch No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[q.htm]
    Adware:Adware/E2Give No disinfected C:\HJT\backups\backup-20050706-154534-168.dll
    Adware:Adware/Look2Me No disinfected C:\Recycled\Dc10\backup.zip[riutetab.dll]
    Adware:Adware/Look2Me No disinfected C:\Recycled\Dc10\backup.zip[wywfaxui.dll]
    Adware:Adware/Look2Me No disinfected C:\Recycled\Dc10\backup.zip[guard.tmp]
    Do I need to subscribe to Ewido and/or Panda for maximum benefits?
     
  7. 2005/07/28
    noahdfear

    Ugghhh.........I messed up and didn't have you merge the reg file created! :eek:

    Please double click the fixgoo.reg and allow it to merge into the registry. You can then delete it.

    Open C:\WINDOWS\Downloaded Program Files and delete the folder CONFLICT.2. Let me know if you don't see it.

    Open Internet Options in the control panel and delete the Temporary Internet Files. Check the box for offline content as well.

    Please delete the TrackQoo.vbs and empty the recycle bin.

    Let's make sure we got all of this qoologic infection.

    Download FindQ.zip Save it to your Desktop.
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=153912

    Open the Folder and double-click the Find-Q.bat file to run it. Wait for a text to open. Post the contents here.

    Download and save to your desktop.
    http://forums.subratam.org/index.php?act=A...e=post&id=39295
    Double-click qoo 1.vbs and post its contents also in your next reply.

    No need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective. ;)
     
  8. 2005/07/28
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    Reg File created

    I just merged the REG FILE; however, I was unsuccessful in seeing the folder CONFLICT.2. I cleared the temp files as well as offline content. I emptied the recycle bin, but I wasn't clear as to where I needed to delete the TrackQoo.vbs from. When I tried to open the folder for the Find-Q.bat file, I got this message: 16 bit MS-DOS Subsystem C:\WINDOWS\System32\cmd.exe C:\WINDOWS\system32\Autoexec.nt The system file is not supported for running MS-DOS and Microsoft Windows applications. Choose close to terminate the program. I even tried clicking on IGNORE with no luck. When I downloaded http://forums.subratam.org/index.ph...e=post&id=39295 I could not find the qoo 1.vbs
    Thanks for your patience!
     
  9. 2005/07/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  10. 2005/07/29
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    Reports

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
    "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    "SBAutoUpdate"="\"C:\\Program Files\\SpywareBlaster\\sbautoupdate.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "USRpdA"="C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
    "POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"
    "QD FastAndSafe"=""
    "ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
    "CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    -----------------
    »»»» Search by size...

    C:\WINDOWS\SYSTEM32\__DELE~1.DLL
    C:\DOCUME~1\CUSTOMER\LOCALS~1\TEMP\WINPFIND.EXE
    C:\DOCUME~1\CUSTOMER\LOCALS~1\TEMP\WINPFIND\WINPFIND.EXE
    C:\DOCUME~1\CUSTOMER\LOCALS~1\TEMP\WMDM\COOKIES\_ISTMP1.DIR\_ISTMP0.DIR\ISUNINST.EXE
    C:\DOCUME~1\CUSTOMER\LOCALS~1\TEMP\WMDM\COOKIES\_ISTMP3.DIR\_ISTMP0.DIR\ISUNINST.EXE
     
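The Run-key export in the report above is the kind of artifact a helper reads by eye. The script below is an added example, not code from the thread or from any of the tools it mentions (WinPFind, FindQ, HijackThis, Ewido, Panda): it parses a REGEDIT4 export of the Run keys, undoes the backslash and quote escaping, separates the executable from its arguments, and flags entries that deserve a look. The sample export embedded in it is constructed to mirror the shape of the posted report (a Run key, an AutorunsDisabled subkey, an entry with empty data, and an OptionalComponents subkey that carries no commands); the "Updater" entry and its TEMP path are made up, and the finding categories are the example's own.

```python
"""Triage a REGEDIT4 export of the Run keys (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the posted report; the "Updater" entry is invented.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Updater"="C:\\DOCUME~1\\USER\\LOCALS~1\\TEMP\\updater.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"QD FastAndSafe"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" where name and data may contain escaped \" and \\ sequences.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories from which a legitimate autostart program is rarely launched.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\", "\\recycler\\")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs")


def unescape(s: str) -> str:
    """Undo REGEDIT4 escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def split_command(data: str) -> Tuple[str, str]:
    """Split a launch command into (executable, arguments), honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, key, value_name) tuples that merit a human look."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(text).items():
        if "\\optionalcomponents" in key.lower():
            continue  # holds flags such as Installed=1, not launch commands
        disabled = key.lower().endswith("\\autorunsdisabled")
        for name, data in values.items():
            if not data.strip():
                findings.append(("empty-command", key, name))
                continue
            exe, _args = split_command(data)
            low = exe.lower()
            if disabled:
                findings.append(("disabled-autorun", key, name))
            if any(d in low for d in SUSPICIOUS_DIRS):
                findings.append(("temp-location", key, name))
            if not low.endswith(EXECUTABLE_EXTS):
                findings.append(("no-executable-extension", key, name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Run against the constructed sample it reports the TEMP-resident "Updater" under Run, the empty "QD FastAndSafe" entry, and the still-present but disabled QuickTime entry; entries under AutorunsDisabled are only informational, since that subkey is where a tool parks an autostart it has switched off rather than something Windows launches.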
  11. 2005/08/02
    nevrenuf

    nevrenuf Inactive

    Joined:
    2005/07/04
    Messages:
    7
    Likes Received:
    0
    Reports

    Is there anything else I need to do with the computer based on the reports I posted? Thank you so much for your help. I really appreciate it.
     