Welcome to MalwareRemoval.com,
Hijack This Log

Post by Perculator » May 28th, 2005, 5:20 pm

No problem, we'll forget about ewido and move on in another way. I will examine your log and then reply with a fix; as it is almost midnight here now, I will post the fix tomorrow.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Post by Perculator » May 29th, 2005, 5:04 am

I recommend you print this advice. In safe mode you will not have this page available.


***
Download and run the tool from the following link
http://securityresponse.symantec.com/av ... Websch.exe



***
Restart your computer



***
Download CleanUp! here or here.
But don’t use it yet!!!!



***
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php? ... 5010747824
Unzip it to the desktop but please do NOT run it yet.






***
1. Go to Start->Run and type Services.msc then hit Ok
Scroll down and find the service called:

System Startup Service (SvcProc)


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.



Start Hijack This, Open the Misc tools Section, then click "delete an NT service"

and paste the following bold text in the screen
SvcProc

and click OK



***
    *Restart the computer into safe mode
    *As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    *Use the arrow keys to select the Safe Mode menu item
    *Press Enter.




***
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.




***
If you cannot find any of the lines given below in Hijack This, don’t worry about that; just proceed with the next line.

Run HijackThis, click Do a scan only, and check:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REGsystem.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O1 - Hosts: 216.39.69.102 view.atdmt.com

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)

O2 - BHO: (no name) - {83387907-50A3-C7D5-A44C-1FF0C613BD91} - C:\WINDOWS\System32\kfciynaf\hopwoisr.dll

O2 - BHO: Class - {FF3BB3EB-9FF6-0CC2-8A43-6DD043FE9317} - C:\WINDOWS\mslo32.dll (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe

O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\kceu.exe

OK, the following line in blue you must look at very carefully, because its name can be changed; it’s an entry that ends with mwrapi.exe
O4 - HKLM\..\Run: [lrveif] c:\windows\system32\mwrapi.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked.



Double-click cleanup.exe


Go to Options
Select ‘Custom’
Put a check at:
    * empty recycle bin
    * Prefetch
    * Temp
    * All users.


Restart your computer in normal mode and please post a new HijackThis log

Post by theglobal » May 29th, 2005, 2:48 pm

I performed the tasks you requested. Here's the new hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:46 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\fbaceoar\qqeqw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\vnxxow.exe
c:\windows\system32\sfdrrqr.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [pfoug] C:\WINDOWS\system32\smjvktve\pfoug.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\vnxxow.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [apgvddr] c:\windows\system32\sfdrrqr.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: demvbywrfy - Unknown owner - C:\WINDOWS\System32\ywrfy\demvb.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Post by Perculator » May 29th, 2005, 5:56 pm

You did a very good job :thumbup:

Step by step, the situation is improving.

As it is midnight now, I will prepare a fix for you and post it tomorrow.

Post by Perculator » May 30th, 2005, 4:29 pm

We really do this step by step, but don’t worry, we’ll get there.


Go to Start > Run and type: services.msc, then click OK

-In the Services window find: demvbywrfy
-Select/highlight and right click the entry, and choose: Properties
-On the General tab, under Service Status click the Stop button
-Beside: Startup Type, in the drop menu, select: Disabled
-Click Apply, then OK

Repeat this for the following processes:
qqeqwfbaceoar

Close this window now.



***
Open HijackThis to the Misc Tools section and click the Delete an NT Service button. Paste in demvbywrfy and click OK.
Repeat that for the following:
qqeqwfbaceoar


Close Hijack this and reboot the computer



***
Start Hijack This
Click Open the Misc Tools Section

Now, next to the Generate StartupList log button, you see two checkboxes; check them both
and then click Generate StartupList log.


Now a Notepad file will open by itself; please copy and paste the content of that text file here on the board, together with a fresh Hijack This log.
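The two fix posts above pick the HijackThis entries to act on by a few recurring signs: an R0/R1 search or start page pointing at an unexpected host, an F2 Shell= value that is more than plain Explorer.exe, O2/O3 entries whose file is missing, O4 autoruns launched from a Temp directory or from a random-named System32 subfolder, and O23 services with an unknown owner, whose short name (the part HijackThis shows in parentheses, or the name itself when there is none) is what the "Delete an NT service" step is given. The following is an added Python example, not code from this thread, from MalwareRemoval.com or from the HijackThis project, that parses lines in the HijackThis 1.99 format and reports exactly those classes so the same triage can be repeated on a full log. The sample lines, the known-good host list and the name patterns are constructed assumptions for the example (the F2 line is written with the usual "REG:system.ini:" prefix).

```python
"""Triage helper for HijackThis 1.99-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample, modelled on the kinds of entries flagged in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: demvbywrfy - Unknown owner - C:\WINDOWS\System32\ywrfy\demvb.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Assumption: hosts accepted as IE start/search pages; anything else is reported for review.
KNOWN_GOOD_HOSTS = {"www.hotmail.com", "www.msn.com", "www.google.com"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")
# <letters>\<letters>.exe directly under System32, the naming seen throughout the posted log
RANDOM_SYS32_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{4,8}\\[a-z]{4,8}\.exe$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was reported
    line: str      # the raw log line, as it would be checked in "Fix checked"
    detail: str = ""  # O23 only: the service short name


def parse_line(line):
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def service_short_name(display):
    """Name to give HijackThis's 'Delete an NT service': the parenthesised short
    name when one is shown, otherwise the display name itself."""
    m = SHORT_NAME_RE.search(display)
    return m.group(1) if m else display.strip()


def url_host(value):
    """Hostname of an IE start/search value; values without a scheme are tolerated."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def analyze(log_text):
    """Return the entries a helper would ask the user to fix, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if "Search" in key or "Start Page" in key:
                host = url_host(value)
                if host and host not in KNOWN_GOOD_HOSTS:
                    findings.append(Finding(section, f"{key.split(',')[-1]} points at {host}", line))
        elif section == "F2":
            m = re.search(r"Shell=(.*)$", body)
            if m and m.group(1).strip().lower() != "explorer.exe":
                findings.append(Finding(section, f"shell is not plain Explorer.exe: {m.group(1).strip()}", line))
        elif section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(section, "orphaned BHO/toolbar registration", line))
        elif section == "O4":
            m = O4_RE.match(body)
            if m:
                cmd = m.group("cmd").strip('"')
                if TEMP_DIR_RE.search(cmd):
                    findings.append(Finding(section, "autorun launched from a Temp directory", line))
                elif RANDOM_SYS32_RE.search(cmd):
                    findings.append(Finding(section, "autorun from random-named System32 subfolder", line))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                short = service_short_name(m.group("display"))
                findings.append(Finding(section, f"service with unknown owner ({short})", line, short))
    return findings


def services_to_disable(log_text):
    """Short names to stop and disable in services.msc, then delete in HijackThis."""
    return [f.detail for f in analyze(log_text) if f.section == "O23"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print("services to stop/disable, then delete:", services_to_disable(SAMPLE_LOG))
```

Run against the constructed sample, the script reports the seven entries the thread's reasoning would single out and leaves the Hotmail start page, the Yahoo BHO, the HP and Norton autoruns and the Symantec service alone; on a real log the reported lines are the ones to review before checking them in HijackThis, and the service short names are the ones to stop and disable first, as both of Perculator's posts have the user do before deleting them. The random-name pattern is deliberately narrow (lowercase letters only, directly under System32) so that vendor paths with digits or deeper nesting are not swept up.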

Post by theglobal » May 30th, 2005, 6:28 pm

Here is the startuplist.log

StartupList report, 5/30/2005, 4:19:49 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
C:\WINDOWS\system32\xvkwciub\dhwli.exe
C:\WINDOWS\system32\nquhop\oabl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\system32\vmiehp\fxcgr.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\system32\bwtl\srsg.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\gmas\itjfwe.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wsqnbl.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
c:\windows\system32\ufgwef.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
S3TRAY2 = S3tray2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
HPHmon03 = C:\WINDOWS\System32\hphmon03.exe
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
checktime = c:\program files\HPSelect\Frontend\ct.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
vptray = C:\Program Files\NavNT\vptray.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
sjkp = C:\WINDOWS\System32\oxsaynow\sjkp.exe
ntmcq = C:\WINDOWS\System32\moqsgf\ntmcq.exe
jtutu = C:\WINDOWS\System32\ybuxb\jtutu.exe
hshatpb = C:\WINDOWS\System32\qboa\hshatpb.exe
evrad = C:\WINDOWS\System32\ynuul\evrad.exe
wsagu = C:\WINDOWS\System32\hahm\wsagu.exe
mhxo = C:\WINDOWS\System32\tlmtptg\mhxo.exe
mefc = C:\WINDOWS\System32\yojsco\mefc.exe
rgif = C:\WINDOWS\System32\hxrkgr\rgif.exe
xcrkvu = C:\WINDOWS\System32\qjdt\xcrkvu.exe
odihfl = C:\WINDOWS\System32\bhohktor\odihfl.exe
oocdnjj = C:\WINDOWS\System32\bpapj\oocdnjj.exe
doupdxwv = C:\WINDOWS\System32\chvuxco\doupdxwv.exe
eimn = C:\WINDOWS\System32\iocotj\eimn.exe
phvxbd = C:\WINDOWS\System32\pxdx\phvxbd.exe
yqxjee = C:\WINDOWS\System32\xjwsh\yqxjee.exe
ZMFGXAox = C:\PROGRA~1\wutorsr\pvptqr.exe
vhodigq = C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
qivgboox = C:\WINDOWS\System32\fnxfp\qivgboox.exe
mwtugl = C:\WINDOWS\System32\jcplxih\mwtugl.exe
pjubdprf = C:\WINDOWS\System32\mgft\pjubdprf.exe
rlqka = C:\WINDOWS\System32\onwvixlj\rlqka.exe
cexawejh = C:\WINDOWS\System32\amdhfp\cexawejh.exe
reiu = C:\WINDOWS\System32\yslecioe\reiu.exe
klqf = C:\WINDOWS\System32\kaxkgh\klqf.exe
fdqy = C:\WINDOWS\System32\kpphqn\fdqy.exe
ckbu = C:\WINDOWS\System32\ankjifjj\ckbu.exe
qalkc = C:\WINDOWS\System32\pwxkysx\qalkc.exe
vpnogrfg = C:\WINDOWS\System32\kevxy\vpnogrfg.exe
dcejfgtk = C:\WINDOWS\System32\epvnb\dcejfgtk.exe
ntqjhb = C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
rjctdjfj = C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
nruewxrl = C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
ovyft = C:\WINDOWS\System32\hctycvyj\ovyft.exe
rxlg = C:\WINDOWS\System32\nwxdmhx\rxlg.exe
ldkgco = C:\WINDOWS\System32\iduvfc\ldkgco.exe
xbhgbw = C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
xqpyix = C:\WINDOWS\System32\kgxpv\xqpyix.exe
cdpbfu = C:\WINDOWS\System32\eypo\cdpbfu.exe
twehfrag = C:\WINDOWS\System32\jffrknf\twehfrag.exe
vropfh = C:\WINDOWS\System32\dbdexge\vropfh.exe
eyytvw = C:\WINDOWS\System32\jelmu\eyytvw.exe
smrr = C:\WINDOWS\System32\vwwskbjg\smrr.exe
yvay = C:\WINDOWS\System32\anfpsx\yvay.exe
lpxjns = C:\WINDOWS\System32\haxjkjf\lpxjns.exe
fcykrqae = C:\WINDOWS\System32\fejlai\fcykrqae.exe
hiujt = C:\WINDOWS\System32\nucy\hiujt.exe
jyumtrt = C:\WINDOWS\System32\tsjbins\jyumtrt.exe
aiyygr = C:\WINDOWS\System32\otqyprha\aiyygr.exe
keqfe = C:\WINDOWS\System32\aqwf\keqfe.exe
quknrc = C:\WINDOWS\System32\mdcsar\quknrc.exe
jehddo = C:\WINDOWS\System32\cdocmugl\jehddo.exe
xnllgwgh = C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
sqtnm = C:\WINDOWS\System32\dsso\sqtnm.exe
rcyjii = C:\WINDOWS\System32\jimi\rcyjii.exe
qqeqw = C:\WINDOWS\System32\fbaceoar\qqeqw.exe
oqpkn = C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
ihdqj = C:\WINDOWS\System32\pafpk\ihdqj.exe
rnlt = C:\WINDOWS\System32\pirs\rnlt.exe
vysma = C:\WINDOWS\System32\bqclh\vysma.exe
gvoktn = C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
demvb = C:\WINDOWS\System32\ywrfy\demvb.exe
rtdbk = C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
KavSvc = C:\WINDOWS\system32\uvknmz.exe reg_run
sunasDTServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
(Default) =
sunasServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
PS2 = C:\WINDOWS\system32\ps2.exe
gxhglii = C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
pfoug = C:\WINDOWS\system32\smjvktve\pfoug.exe
Nsv = C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
picsvr = C:\WINDOWS\system32\picsvr\picsvr.exe
version = C:\WINDOWS\system32\wsqnbl.exe
rqxfkwno = C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
fxcgr = C:\WINDOWS\system32\vmiehp\fxcgr.exe
dhwli = C:\WINDOWS\system32\xvkwciub\dhwli.exe
itjfwe = C:\WINDOWS\system32\gmas\itjfwe.exe
bbxcln = C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
srsg = C:\WINDOWS\system32\bwtl\srsg.exe
oabl = C:\WINDOWS\system32\nquhop\oabl.exe
xpnkrom = c:\windows\system32\ufgwef.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
Extreme Messenger for AIM = C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
NoAds = "C:\Program Files\NoAds\NoAds.exe"
MoneyAgent = "c:\Program Files\Microsoft Money\System\Money Express.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AOLCC = "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
Microsoft Works Update Detection = c:\Program Files\Microsoft Works\WkDetect.exe
Adaware Bootup = C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Web Offer = C:\DOCUME~1\Owner\LOCALS~1\Temp\rlkh.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[158d0f5a-75dc-4029-b857-b4f2e1b10cb7] *
StubPath = C:\WINDOWS\System32\dbnorad.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\Nail.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\systb.dll (file missing) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBin\Shared\MGBrwFld.dll
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Me ... b28578.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shoc ... tor/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/Mi ... b28578.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinstc.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... mv9VCM.CAB

[AOL Content Update]
InProcServer32 = C:\Program Files\Common Files\AolCoach\en_en\GTDownAO_106.ocx
CODEBASE = http://esupport.aol.com/help/acp2/engin ... core_1.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\System32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/share ... insctl.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v ... 7392481625

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Me ... b28578.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/sh ... rashim.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZI ... b28578.cab

[HpodPCFileCtrl2 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\hpodpcfc2.dll
CODEBASE = file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ITDetector.ocx
CODEBASE = http://ax.phobos.apple.com.edgesuite.ne ... tector.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab28578.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

aaplxwc: \??\C:\WINDOWS\System32\fvwnrh\aaplxwc (manual start)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
bbxclnwjkxbhq: C:\WINDOWS\system32\wjkxbhq\bbxcln.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
cdwygit: \??\C:\WINDOWS\System32\wvaqvd\cdwygit (manual start)
cgeapepfc: C:\WINDOWS\System32\epfc\cgeap.exe (disabled)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
coxialg: \??\C:\WINDOWS\system32\bwtl\coxialg (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cwpgvyo: \??\C:\WINDOWS\System32\knpp\cwpgvyo (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Dot4 HPH09: System32\DRIVERS\hphid409.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Print Class Driver for IEEE-1284.4 HPH09: System32\DRIVERS\hphipr09.sys (manual start)
Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
euuofbmcufmyo: C:\WINDOWS\System32\cufmyo\euuofbm.exe (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
floextc: \??\C:\WINDOWS\System32\unobi\floextc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
FREEDOM Miniport: System32\DRIVERS\FREEDOM.SYS (manual start)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
fvhqcxt: \??\C:\WINDOWS\System32\ynuul\fvhqcxt.sys (manual start)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
gkjvabx: \??\C:\WINDOWS\System32\deksifb\gkjvabx (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
greenstdSystem32: C:\WINDOWS\System32\greenstd.exe (disabled)
guxcwli: \??\C:\WINDOWS\System32\fnxfp\guxcwli.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
hunknse: \??\C:\WINDOWS\System32\qxqbfxv\hunknse (manual start)
hvjaakq: \??\C:\WINDOWS\System32\iocotj\hvjaakq (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
idcmupd: \??\C:\WINDOWS\System32\epvnb\idcmupd (manual start)
iejtaaq: \??\C:\WINDOWS\System32\ojtmcbrq\iejtaaq (manual start)
ihojjxcejlsiq: C:\WINDOWS\System32\jlsiq\ihojjxce.exe (disabled)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
imxqrcx: \??\C:\WINDOWS\System32\caubra\imxqrcx (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
IomegaAccess: C:\WINDOWS\System32\IomegaAccess.exe /S (autostart)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
kjwyfwm: \??\C:\WINDOWS\System32\nucy\kjwyfwm (manual start)
kkyumfcxhvvmpv: C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe (disabled)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
koowegv: \??\C:\WINDOWS\System32\oqleuyht\koowegv (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
lhidgco: \??\C:\WINDOWS\System32\eejyvmnd\lhidgco (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
lsyaljj: \??\C:\WINDOWS\System32\ankjifjj\lsyaljj (manual start)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
lxbfcaa: \??\C:\WINDOWS\System32\ckevux\lxbfcaa (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
: C:\WINDOWS\System32\yojsco\mefc.exe (system)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
mtpacyl: \??\C:\WINDOWS\System32\ytjggmcp\mtpacyl (manual start)
NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\NavNT\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050518.008\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050518.008\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
nghilpp: \??\C:\WINDOWS\system32\smjvktve\nghilpp.sys (manual start)
ngixuid: \??\C:\WINDOWS\System32\egrmglfb\ngixuid (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
occxuyoi: C:\WINDOWS\System32\uyoi\occx.exe (disabled)
odsutph: \??\C:\WINDOWS\System32\rgcmlusq\odsutph (manual start)
OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
onkiaba: \??\C:\WINDOWS\System32\xjwsh\onkiaba (manual start)
oqvhucoqleuyht: C:\WINDOWS\System32\oqleuyht\oqvhuc.exe (disabled)
: C:\WINDOWS\System32\gudl\oubvvw.exe (system)
ovekyvhxcffaqksm: C:\WINDOWS\System32\cffaqksm\ovekyvhx.exe (disabled)
Virtual NIC Service: C:\WINDOWS\System32\PackethSvc.exe (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
pisgnegrmglfb: C:\WINDOWS\System32\egrmglfb\pisgn.exe (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver: C:\WINDOWS\System32\HPHipm09.exe (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
pwixake: \??\C:\WINDOWS\System32\pwjrjuqe\pwixake.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
qaptyhiahu: C:\WINDOWS\System32\hiahu\qapty.exe (disabled)
qmaknddlpkf: C:\WINDOWS\System32\dlpkf\qmaknd.exe (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
rcfoays: \??\C:\WINDOWS\System32\qxqbfxv\rcfoays.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
rfacgyndcanmapm: C:\WINDOWS\System32\dcanmapm\rfacgyn.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
rsjstpp: \??\C:\WINDOWS\System32\jlsiq\rsjstpp (manual start)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
sakdmeq: \??\C:\WINDOWS\System32\tsjbins\sakdmeq (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SbcpHid: \??\C:\WINDOWS\System32\Drivers\SbcpHid.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
scyienvwhxvora: C:\WINDOWS\System32\hxvora\scyienvw.exe (disabled)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
sgwktgj: \??\C:\WINDOWS\System32\ghttvrl\sgwktgj.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
srsgbwtl: C:\WINDOWS\system32\bwtl\srsg.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Still Serial Digital Camera Driver: System32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
suvoacnssftuej: C:\WINDOWS\System32\sftuej\suvoacns.exe (disabled)
System Startup Service : C:\WINDOWS\svcproc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{D0D945C7-5A6E-485E-A49A-2478DC8DF4E3} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
tdccvsk: \??\C:\WINDOWS\System32\hxrkgr\tdccvsk.sys (manual start)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmsdbfckevux: C:\WINDOWS\System32\ckevux\tmsdbf.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
udinjmx: \??\C:\WINDOWS\System32\cufmyo\udinjmx (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
USB Remote NDIS Network Device Driver: System32\DRIVERS\usb8023.sys (manual start)
uyiriwu: \??\C:\WINDOWS\System32\jelmu\uyiriwu (manual start)
vburfghttvrl: C:\WINDOWS\System32\ghttvrl\vburf.exe (disabled)
vdmoinbn: C:\WINDOWS\System32\inbn\vdmo.exe (disabled)
vecapin: \??\C:\WINDOWS\System32\fjje\vecapin.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vlibgrt: \??\C:\WINDOWS\system32\nquhop\vlibgrt (manual start)
vnymjxlqxqbfxv: C:\WINDOWS\System32\qxqbfxv\vnymjxl.exe (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
wfjstlq: \??\C:\WINDOWS\System32\inbn\wfjstlq (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
xikhcnl: \??\C:\WINDOWS\System32\bbsgmgq\xikhcnl (manual start)
xmfeooo: \??\C:\WINDOWS\System32\fbaceoar\xmfeooo (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
xoynson: \??\C:\WINDOWS\System32\kaxkgh\xoynson (manual start)
xvehhlt: \??\C:\WINDOWS\System32\eypo\xvehhlt.sys (manual start)
ycwkblbrvpieg: C:\WINDOWS\System32\brvpieg\ycwkbl.exe (disabled)
yyaxgmhfjje: C:\WINDOWS\System32\fjje\yyaxgmh.exe (disabled)
ZipToA: C:\WINDOWS\System32\ZipToA.exe /S (disabled)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

newpws = C:\WINDOWS\System32\newpws.exe
krxf.exe = C:\WINDOWS\system\krxf.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 48,198 bytes
Report generated in 0.265 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

---------------------------------------------------------------------------
And, the HijackThis log... :)


Logfile of HijackThis v1.99.1
Scan saved at 4:26:57 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
C:\WINDOWS\system32\xvkwciub\dhwli.exe
C:\WINDOWS\system32\nquhop\oabl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\system32\vmiehp\fxcgr.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\system32\bwtl\srsg.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\gmas\itjfwe.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wsqnbl.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
c:\windows\system32\ufgwef.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\axpfbho.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\nndbu.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\sdlnfw.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {F5C88987-35F5-ECA8-B7BB-592F28062E2E} - C:\WINDOWS\system32\ncbmtlxj\swcijjvg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [pfoug] C:\WINDOWS\system32\smjvktve\pfoug.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\sdlnfw.exe
O4 - HKLM\..\Run: [rqxfkwno] C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
O4 - HKLM\..\Run: [fxcgr] C:\WINDOWS\system32\vmiehp\fxcgr.exe
O4 - HKLM\..\Run: [dhwli] C:\WINDOWS\system32\xvkwciub\dhwli.exe
O4 - HKLM\..\Run: [itjfwe] C:\WINDOWS\system32\gmas\itjfwe.exe
O4 - HKLM\..\Run: [bbxcln] C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
O4 - HKLM\..\Run: [srsg] C:\WINDOWS\system32\bwtl\srsg.exe
O4 - HKLM\..\Run: [oabl] C:\WINDOWS\system32\nquhop\oabl.exe
O4 - HKLM\..\Run: [xpnkrom] c:\windows\system32\ufgwef.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\Owner\LOCALS~1\Temp\rlkh.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7392481625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: bbxclnwjkxbhq - Unknown owner - C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: srsgbwtl - Unknown owner - C:\WINDOWS\system32\bwtl\srsg.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Unread postby Perculator » May 31st, 2005, 5:34 am

Open HijackThis.
Click "Open the Misc Tools section".
Click "Open Uninstall Manager".
Then press the "Save list" button at the right of the little white screen.
Post the content of the text file which will be opened on this board.


Run CleanUp! again.

Log out and log back in.

Run HijackThis and place a fresh log on this board.

Some infections came back... but don't worry.
I'll try in the meantime to investigate every entry you have on your computer; I need to know what programs are installed, because something keeps the infections alive.


I want to ask you to keep the computer running apart from the times I tell you to restart. Is that possible?
Might it be possible for you to stick around an hour or two on this forum to get this thing fixed?

I would appreciate it if you stick around on the forum, maybe at the end of this afternoon or this evening.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby theglobal » June 2nd, 2005, 10:24 pm

I'm sorry to have been away, but will be back in the next day. I agree with your suggestion on staying on the forum to fix this continuing problem. I agree it will be done.

Please let me know the days and your local time that you expect to be on the forum. I will arrange to be available at that time. Thank you very much for your hard work and effort.
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Unread postby ChrisRLG » June 3rd, 2005, 3:53 am

When you both can fix a time, why not use the chatroom at the top of this forum? It will provide real-time talking between you both.

Do make sure you have an extra window open for it rather than just the only IE window open.

There may even be others in the room to help you brainstorm a fix.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Perculator » June 3rd, 2005, 3:49 pm

ChrisRLG wrote:When you both can fix a time, why not use the chatroom at the top of this forum? It will provide real-time talking between you both.

Do make sure you have an extra window open for it rather than just the only IE window open.

There may even be others in the room to help you brainstorm a fix.



Well, OK, I have enabled Java for this very special occasion. I will check this forum every so often to see if theglobal is there.

Because I have to learn and work on other sites too, I will not be present all the time, but please be patient..... I will check all the time.

Please drop a message when you're here; I will be informed by email.....
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby theglobal » June 4th, 2005, 1:13 am

I'm posting the Uninstall Manager listing here... I will run CleanUp! and post that in the morning... it's near midnight here now. Then we will get together on the chat and get to work!

Thanks!

----------------------------------
Actiontec Gateway
Ad-Aware SE Personal
Adobe Acrobat 5.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Computer Check-Up
AOL Instant Messenger
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
CleanUp!
CounterSpy
Dex Yellow & White Pages v4.5.3
DiskeeperWorkstation
Display Utility
ewido security suite
Family Lawyer 7.0
HijackThis 1.99.1
hp center
HP Instant Support
HP Learning Adventure
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP RecordNow
HP Share-to-Web
Inactive HP Printer Drivers (Remove only)
InternetOffers
Iomega Quik Floppy Copy
IomegaWare
IrfanView (remove only)
KazooStudio
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft Money 2002
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MovieShop
MSN Messenger 6.1
MSRedist
MUSICMATCH Jukebox
My Global Search Bar
My Photo Center
Need2Find Bar
NoAds
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
PC-Doctor for Windows
PrintMaster Gold 4.00
PS2
QuickBooks Basic 2002
QuickBooks Basic Edition 2004
Quicken 2002 Deluxe
QuickPayroll
QuickTime
RealPlayer Basic
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
SPBBC
Spybot - Search & Destroy 1.2
SpywareBlaster v3.3
SureThing CD Labeler - Stomper Edition 32 bit
Symantec Script Blocking Installer
SymNet
Tcl 8.0.5 for Windows
The Print Shop Photo Workshop
USB
Viewpoint Media Player
Windows AFA Internet Enhancement
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
Yahoo! Toolbar

-------------------------------------
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Unread postby theglobal » June 4th, 2005, 1:34 am

I forgot CleanUp! runs so fast... so I ran a new HijackThis scan... here's the log, as requested.

---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:32:03 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\yfsh\tgbhcyu.exe
C:\WINDOWS\system32\fjdgn\sdlwgew.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\system32\vowd\woqffuhn.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\system32\uvknmz.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
C:\WINDOWS\system32\vmiehp\fxcgr.exe
C:\WINDOWS\system32\xvkwciub\dhwli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\system32\onjcuvuh\pqpraat.exe
C:\WINDOWS\system32\vrhkp\tyls.exe
C:\WINDOWS\system32\vlxk\pkiwocny.exe
C:\WINDOWS\system32\qeov\gfnjxbuc.exe
C:\WINDOWS\system32\wvnxkho\bwkthfes.exe
C:\WINDOWS\system32\cxbity\oqjunb.exe
C:\WINDOWS\system32\taff\txdnb.exe
C:\WINDOWS\system32\bgpm\mdjsj.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\vqwxl\cgkma.exe
C:\WINDOWS\system32\wlyhdgm\mdxmf.exe
C:\WINDOWS\system32\gixtyq\viewdpwi.exe
C:\WINDOWS\system32\facsg\nrkpj.exe
C:\WINDOWS\system32\mgvpeyc\hiofvb.exe
C:\WINDOWS\system32\xceugt\tklf.exe
C:\WINDOWS\system32\egfj\tcflqnp.exe
C:\WINDOWS\system32\sjdjcn\vnqbjvu.exe
C:\WINDOWS\system32\qawt\lkggauw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\calcr\rlki.exe
C:\WINDOWS\system32\nicxjyrx\elfake.exe
C:\WINDOWS\system32\ctnlgcl\xiuhm.exe
C:\WINDOWS\system32\wwfjx\ckrobjo.exe
C:\WINDOWS\system32\jmtk\xxqifeif.exe
C:\WINDOWS\system32\rpoyqw\ouhy.exe
C:\WINDOWS\system32\uulytbb\kfon.exe
C:\WINDOWS\system32\phxehnx\kuhfsd.exe
C:\WINDOWS\system32\nmdfkxb\kvtqwo.exe
C:\WINDOWS\system32\jylh\pmnhy.exe
C:\WINDOWS\system32\bqnchw\gfqcg.exe
C:\WINDOWS\system32\ljrlbn\yulp.exe
C:\WINDOWS\system32\xqiyog\scpf.exe
C:\WINDOWS\system32\hsvbja\konas.exe
C:\WINDOWS\system32\aevp\lguqwecj.exe
C:\WINDOWS\system32\yeaq\hyqf.exe
C:\WINDOWS\system32\qjtcrw\gnrjk.exe
C:\WINDOWS\system32\spdvraas\ttlyl.exe
C:\WINDOWS\system32\pkfqx\wlesa.exe
C:\WINDOWS\system32\lxhgi\cbwcy.exe
C:\WINDOWS\system32\ekusvu\vqipmwit.exe
C:\WINDOWS\system32\qrctpab\apxq.exe
C:\WINDOWS\system32\ueiyecy\wdiae.exe
C:\WINDOWS\system32\tiqlnndh\cxeiwvod.exe
C:\WINDOWS\system32\ivhgnf\ioij.exe
C:\WINDOWS\system32\saxegp\svaihkau.exe
C:\WINDOWS\system32\urqe\utlpweav.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\bvgxvlr\qvcok.exe
C:\WINDOWS\system32\gdgj\sokw.exe
C:\WINDOWS\system32\kouuli\fcjj.exe
C:\WINDOWS\system32\lkmjj\legdts.exe
C:\WINDOWS\system32\bovyld\ehjauxju.exe
C:\WINDOWS\system32\iphfh\gxhnv.exe
C:\WINDOWS\system32\osxxyr\wiwoabda.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\lytjm\teobfdqb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\nxalrua\yunje.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F5C88987-35F5-ECA8-B7BB-592F28062E2E} - C:\WINDOWS\system32\ncbmtlxj\swcijjvg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [rqxfkwno] C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
O4 - HKLM\..\Run: [fxcgr] C:\WINDOWS\system32\vmiehp\fxcgr.exe
O4 - HKLM\..\Run: [dhwli] C:\WINDOWS\system32\xvkwciub\dhwli.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ttwry] C:\WINDOWS\system32\gxsqffh\ttwry.exe
O4 - HKLM\..\Run: [pqpraat] C:\WINDOWS\system32\onjcuvuh\pqpraat.exe
O4 - HKLM\..\Run: [vmyhlxyb] C:\WINDOWS\system32\gcdrysgr\vmyhlxyb.exe
O4 - HKLM\..\Run: [pkiwocny] C:\WINDOWS\system32\vlxk\pkiwocny.exe
O4 - HKLM\..\Run: [gfnjxbuc] C:\WINDOWS\system32\qeov\gfnjxbuc.exe
O4 - HKLM\..\Run: [bwkthfes] C:\WINDOWS\system32\wvnxkho\bwkthfes.exe
O4 - HKLM\..\Run: [oqjunb] C:\WINDOWS\system32\cxbity\oqjunb.exe
O4 - HKLM\..\Run: [txdnb] C:\WINDOWS\system32\taff\txdnb.exe
O4 - HKLM\..\Run: [mdjsj] C:\WINDOWS\system32\bgpm\mdjsj.exe
O4 - HKLM\..\Run: [cgkma] C:\WINDOWS\system32\vqwxl\cgkma.exe
O4 - HKLM\..\Run: [mdxmf] C:\WINDOWS\system32\wlyhdgm\mdxmf.exe
O4 - HKLM\..\Run: [viewdpwi] C:\WINDOWS\system32\gixtyq\viewdpwi.exe
O4 - HKLM\..\Run: [nrkpj] C:\WINDOWS\system32\facsg\nrkpj.exe
O4 - HKLM\..\Run: [hiofvb] C:\WINDOWS\system32\mgvpeyc\hiofvb.exe
O4 - HKLM\..\Run: [tklf] C:\WINDOWS\system32\xceugt\tklf.exe
O4 - HKLM\..\Run: [tcflqnp] C:\WINDOWS\system32\egfj\tcflqnp.exe
O4 - HKLM\..\Run: [vnqbjvu] C:\WINDOWS\system32\sjdjcn\vnqbjvu.exe
O4 - HKLM\..\Run: [lkggauw] C:\WINDOWS\system32\qawt\lkggauw.exe
O4 - HKLM\..\Run: [rlki] C:\WINDOWS\system32\calcr\rlki.exe
O4 - HKLM\..\Run: [elfake] C:\WINDOWS\system32\nicxjyrx\elfake.exe
O4 - HKLM\..\Run: [xiuhm] C:\WINDOWS\system32\ctnlgcl\xiuhm.exe
O4 - HKLM\..\Run: [ckrobjo] C:\WINDOWS\system32\wwfjx\ckrobjo.exe
O4 - HKLM\..\Run: [xxqifeif] C:\WINDOWS\system32\jmtk\xxqifeif.exe
O4 - HKLM\..\Run: [ouhy] C:\WINDOWS\system32\rpoyqw\ouhy.exe
O4 - HKLM\..\Run: [gyjjmvsy] C:\WINDOWS\system32\gnuhw\gyjjmvsy.exe
O4 - HKLM\..\Run: [taafmk] C:\WINDOWS\system32\vrqwovt\taafmk.exe
O4 - HKLM\..\Run: [kuhfsd] C:\WINDOWS\system32\phxehnx\kuhfsd.exe
O4 - HKLM\..\Run: [kvtqwo] C:\WINDOWS\system32\nmdfkxb\kvtqwo.exe
O4 - HKLM\..\Run: [pmnhy] C:\WINDOWS\system32\jylh\pmnhy.exe
O4 - HKLM\..\Run: [gfqcg] C:\WINDOWS\system32\bqnchw\gfqcg.exe
O4 - HKLM\..\Run: [yulp] C:\WINDOWS\system32\ljrlbn\yulp.exe
O4 - HKLM\..\Run: [scpf] C:\WINDOWS\system32\xqiyog\scpf.exe
O4 - HKLM\..\Run: [konas] C:\WINDOWS\system32\hsvbja\konas.exe
O4 - HKLM\..\Run: [lguqwecj] C:\WINDOWS\system32\aevp\lguqwecj.exe
O4 - HKLM\..\Run: [hyqf] C:\WINDOWS\system32\yeaq\hyqf.exe
O4 - HKLM\..\Run: [gnrjk] C:\WINDOWS\system32\qjtcrw\gnrjk.exe
O4 - HKLM\..\Run: [ttlyl] C:\WINDOWS\system32\spdvraas\ttlyl.exe
O4 - HKLM\..\Run: [wlesa] C:\WINDOWS\system32\pkfqx\wlesa.exe
O4 - HKLM\..\Run: [cbwcy] C:\WINDOWS\system32\lxhgi\cbwcy.exe
O4 - HKLM\..\Run: [vqipmwit] C:\WINDOWS\system32\ekusvu\vqipmwit.exe
O4 - HKLM\..\Run: [apxq] C:\WINDOWS\system32\qrctpab\apxq.exe
O4 - HKLM\..\Run: [wdiae] C:\WINDOWS\system32\ueiyecy\wdiae.exe
O4 - HKLM\..\Run: [cxeiwvod] C:\WINDOWS\system32\tiqlnndh\cxeiwvod.exe
O4 - HKLM\..\Run: [ioij] C:\WINDOWS\system32\ivhgnf\ioij.exe
O4 - HKLM\..\Run: [svaihkau] C:\WINDOWS\system32\saxegp\svaihkau.exe
O4 - HKLM\..\Run: [utlpweav] C:\WINDOWS\system32\urqe\utlpweav.exe
O4 - HKLM\..\Run: [qvcok] C:\WINDOWS\system32\bvgxvlr\qvcok.exe
O4 - HKLM\..\Run: [sokw] C:\WINDOWS\system32\gdgj\sokw.exe
O4 - HKLM\..\Run: [fcjj] C:\WINDOWS\system32\kouuli\fcjj.exe
O4 - HKLM\..\Run: [legdts] C:\WINDOWS\system32\lkmjj\legdts.exe
O4 - HKLM\..\Run: [ehjauxju] C:\WINDOWS\system32\bovyld\ehjauxju.exe
O4 - HKLM\..\Run: [gxhnv] C:\WINDOWS\system32\iphfh\gxhnv.exe
O4 - HKLM\..\Run: [teobfdqb] C:\WINDOWS\system32\lytjm\teobfdqb.exe
O4 - HKLM\..\Run: [tyls] C:\WINDOWS\system32\vrhkp\tyls.exe
O4 - HKLM\..\Run: [wiwoabda] C:\WINDOWS\system32\osxxyr\wiwoabda.exe
O4 - HKLM\..\Run: [woqffuhn] C:\WINDOWS\system32\vowd\woqffuhn.exe
O4 - HKLM\..\Run: [sdlwgew] C:\WINDOWS\system32\fjdgn\sdlwgew.exe
O4 - HKLM\..\Run: [tgbhcyu] C:\WINDOWS\system32\yfsh\tgbhcyu.exe
O4 - HKLM\..\Run: [gtsk] C:\WINDOWS\system32\qpeuujr\gtsk.exe
O4 - HKLM\..\Run: [yunje] C:\WINDOWS\system32\nxalrua\yunje.exe
O4 - HKLM\..\Run: [kfon] C:\WINDOWS\system32\uulytbb\kfon.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7392481625
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: bbxclnwjkxbhq - Unknown owner - C:\WINDOWS\system32\wjkxbhq\bbxcln.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dcejfgtkepvnb - Unknown owner - C:\WINDOWS\System32\epvnb\dcejfgtk.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: eimniocotj - Unknown owner - C:\WINDOWS\System32\iocotj\eimn.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: klqfkaxkgh - Unknown owner - C:\WINDOWS\System32\kaxkgh\klqf.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: srsgbwtl - Unknown owner - C:\WINDOWS\system32\bwtl\srsg.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: taafmkvrqwovt - Unknown owner - C:\WINDOWS\system32\vrqwovt\taafmk.exe
O23 - Service: teobfdqblytjm - Unknown owner - C:\WINDOWS\system32\lytjm\teobfdqb.exe
O23 - Service: vmyhlxybgcdrysgr - Unknown owner - C:\WINDOWS\system32\gcdrysgr\vmyhlxyb.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: yunjenxalrua - Unknown owner - C:\WINDOWS\system32\nxalrua\yunje.exe

------------------------------------------
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Unread postby Perculator » June 4th, 2005, 4:56 am

It's now 11:00 in the morning here and I am writing a fix from which we can work.
Please note that it is important that you are not switching off your computer, only when I say so.
This is due to the reinfections.

When a step won't work, don't lose time, just go on with the next step.
If you have to delete a file or folder, just go on with the next file or folder.

I hope we can sort it out today.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby Perculator » June 4th, 2005, 7:09 am

Make sure you print out this advice, because we are going into safe mode, and then you won't have access to this document. You can also put this advice in a text document and save it on your desktop.
You are going to delete a lot of files in this document, make sure you get them all.



Ok, first we are trying to uninstall some programs.

Go to :
Start
Control Panel
Add/remove programs


Look in the list for

InternetOffers

Select it by clicking on it
And click the change/remove button.
Repeat that for the following programs.
My Global Search Bar
Need2Find Bar

I ALSO WANT YOU TO LOOK IN THAT LIST FOR PROGRAMS YOU DON'T KNOW OR THAT SEEM TO BE MALICIOUS; REPORT THAT ALSO IN YOUR ANSWER


Restart your computer!!!!!!!!!!!!


Go to Start > Run and type: services.msc and click OK

-In the Services window find: eimniocotj
-Select/highlight and right click the entry, and choose: Properties
-On the General tab, under Service Status click the Stop button
-Beside: Startup Type, in the drop menu, select: Disabled
-Click Apply, then OK
Repeat that for the following
klqfkaxkgh
qqeqwfbaceoar
srsgbwtl
taafmkvrqwovt
teobfdqblytjm
vmyhlxybgcdrysgr
yunjenxalrua


Open HijackThis to the Misc Tools section and click the Delete an NT Service button. Paste in eimniocotj and click OK
Repeat that for the following
klqfkaxkgh
qqeqwfbaceoar
srsgbwtl
taafmkvrqwovt
teobfdqblytjm
vmyhlxybgcdrysgr
yunjenxalrua


Restart your computer in safe mode!!!
    *Restart the computer.
    *As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    *Use the arrow keys to select the Safe mode menu item.
    *Press Enter.


We need to make sure all hidden files are showing so please:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.




Run Hijack This, choose Do a scan only and put a check at the following lines

O2 - BHO: (no name) - {F5C88987-35F5-ECA8-B7BB-592F28062E2E} - C:\WINDOWS\system32\ncbmtlxj\swcijjvg.dll

O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe

O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe

O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe

O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe

O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe

O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe

O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe

O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe

O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe

O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe

O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe

O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe

O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe

O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe

O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe

O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe

O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe

O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe

O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe

O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe

O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe

O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe

O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe

O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe

O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe

O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe

O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe

O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe

O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe


O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe

O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe

O4 - HKLM\..\Run: [rqxfkwno] C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe

O4 - HKLM\..\Run: [fxcgr] C:\WINDOWS\system32\vmiehp\fxcgr.exe

O4 - HKLM\..\Run: [dhwli] C:\WINDOWS\system32\xvkwciub\dhwli.exe

O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe

O4 - HKLM\..\Run: [ttwry] C:\WINDOWS\system32\gxsqffh\ttwry.exe

O4 - HKLM\..\Run: [pqpraat] C:\WINDOWS\system32\onjcuvuh\pqpraat.exe

O4 - HKLM\..\Run: [vmyhlxyb] C:\WINDOWS\system32\gcdrysgr\vmyhlxyb.exe

O4 - HKLM\..\Run: [pkiwocny] C:\WINDOWS\system32\vlxk\pkiwocny.exe

O4 - HKLM\..\Run: [gfnjxbuc] C:\WINDOWS\system32\qeov\gfnjxbuc.exe

O4 - HKLM\..\Run: [bwkthfes] C:\WINDOWS\system32\wvnxkho\bwkthfes.exe

O4 - HKLM\..\Run: [oqjunb] C:\WINDOWS\system32\cxbity\oqjunb.exe

O4 - HKLM\..\Run: [txdnb] C:\WINDOWS\system32\taff\txdnb.exe

O4 - HKLM\..\Run: [mdjsj] C:\WINDOWS\system32\bgpm\mdjsj.exe

O4 - HKLM\..\Run: [cgkma] C:\WINDOWS\system32\vqwxl\cgkma.exe

O4 - HKLM\..\Run: [mdxmf] C:\WINDOWS\system32\wlyhdgm\mdxmf.exe

O4 - HKLM\..\Run: [viewdpwi] C:\WINDOWS\system32\gixtyq\viewdpwi.exe

O4 - HKLM\..\Run: [nrkpj] C:\WINDOWS\system32\facsg\nrkpj.exe

O4 - HKLM\..\Run: [hiofvb] C:\WINDOWS\system32\mgvpeyc\hiofvb.exe

O4 - HKLM\..\Run: [tklf] C:\WINDOWS\system32\xceugt\tklf.exe

O4 - HKLM\..\Run: [tcflqnp] C:\WINDOWS\system32\egfj\tcflqnp.exe

O4 - HKLM\..\Run: [vnqbjvu] C:\WINDOWS\system32\sjdjcn\vnqbjvu.exe

O4 - HKLM\..\Run: [lkggauw] C:\WINDOWS\system32\qawt\lkggauw.exe

O4 - HKLM\..\Run: [rlki] C:\WINDOWS\system32\calcr\rlki.exe

O4 - HKLM\..\Run: [elfake] C:\WINDOWS\system32\nicxjyrx\elfake.exe

O4 - HKLM\..\Run: [xiuhm] C:\WINDOWS\system32\ctnlgcl\xiuhm.exe

O4 - HKLM\..\Run: [ckrobjo] C:\WINDOWS\system32\wwfjx\ckrobjo.exe

O4 - HKLM\..\Run: [xxqifeif] C:\WINDOWS\system32\jmtk\xxqifeif.exe

O4 - HKLM\..\Run: [ouhy] C:\WINDOWS\system32\rpoyqw\ouhy.exe

O4 - HKLM\..\Run: [gyjjmvsy] C:\WINDOWS\system32\gnuhw\gyjjmvsy.exe

O4 - HKLM\..\Run: [taafmk] C:\WINDOWS\system32\vrqwovt\taafmk.exe

O4 - HKLM\..\Run: [kuhfsd] C:\WINDOWS\system32\phxehnx\kuhfsd.exe

O4 - HKLM\..\Run: [kvtqwo] C:\WINDOWS\system32\nmdfkxb\kvtqwo.exe

O4 - HKLM\..\Run: [pmnhy] C:\WINDOWS\system32\jylh\pmnhy.exe

O4 - HKLM\..\Run: [gfqcg] C:\WINDOWS\system32\bqnchw\gfqcg.exe

O4 - HKLM\..\Run: [yulp] C:\WINDOWS\system32\ljrlbn\yulp.exe

O4 - HKLM\..\Run: [scpf] C:\WINDOWS\system32\xqiyog\scpf.exe

O4 - HKLM\..\Run: [konas] C:\WINDOWS\system32\hsvbja\konas.exe

O4 - HKLM\..\Run: [lguqwecj] C:\WINDOWS\system32\aevp\lguqwecj.exe

O4 - HKLM\..\Run: [hyqf] C:\WINDOWS\system32\yeaq\hyqf.exe

O4 - HKLM\..\Run: [gnrjk] C:\WINDOWS\system32\qjtcrw\gnrjk.exe

O4 - HKLM\..\Run: [ttlyl] C:\WINDOWS\system32\spdvraas\ttlyl.exe

O4 - HKLM\..\Run: [wlesa] C:\WINDOWS\system32\pkfqx\wlesa.exe

O4 - HKLM\..\Run: [cbwcy] C:\WINDOWS\system32\lxhgi\cbwcy.exe

O4 - HKLM\..\Run: [vqipmwit] C:\WINDOWS\system32\ekusvu\vqipmwit.exe

O4 - HKLM\..\Run: [apxq] C:\WINDOWS\system32\qrctpab\apxq.exe

O4 - HKLM\..\Run: [wdiae] C:\WINDOWS\system32\ueiyecy\wdiae.exe

O4 - HKLM\..\Run: [cxeiwvod] C:\WINDOWS\system32\tiqlnndh\cxeiwvod.exe

O4 - HKLM\..\Run: [ioij] C:\WINDOWS\system32\ivhgnf\ioij.exe

O4 - HKLM\..\Run: [svaihkau] C:\WINDOWS\system32\saxegp\svaihkau.exe

O4 - HKLM\..\Run: [utlpweav] C:\WINDOWS\system32\urqe\utlpweav.exe

O4 - HKLM\..\Run: [qvcok] C:\WINDOWS\system32\bvgxvlr\qvcok.exe

O4 - HKLM\..\Run: [sokw] C:\WINDOWS\system32\gdgj\sokw.exe

O4 - HKLM\..\Run: [fcjj] C:\WINDOWS\system32\kouuli\fcjj.exe

O4 - HKLM\..\Run: [legdts] C:\WINDOWS\system32\lkmjj\legdts.exe

O4 - HKLM\..\Run: [ehjauxju] C:\WINDOWS\system32\bovyld\ehjauxju.exe

O4 - HKLM\..\Run: [gxhnv] C:\WINDOWS\system32\iphfh\gxhnv.exe

O4 - HKLM\..\Run: [teobfdqb] C:\WINDOWS\system32\lytjm\teobfdqb.exe

O4 - HKLM\..\Run: [tyls] C:\WINDOWS\system32\vrhkp\tyls.exe

O4 - HKLM\..\Run: [wiwoabda] C:\WINDOWS\system32\osxxyr\wiwoabda.exe

O4 - HKLM\..\Run: [woqffuhn] C:\WINDOWS\system32\vowd\woqffuhn.exe

O4 - HKLM\..\Run: [sdlwgew] C:\WINDOWS\system32\fjdgn\sdlwgew.exe

O4 - HKLM\..\Run: [tgbhcyu] C:\WINDOWS\system32\yfsh\tgbhcyu.exe

O4 - HKLM\..\Run: [gtsk] C:\WINDOWS\system32\qpeuujr\gtsk.exe

O4 - HKLM\..\Run: [yunje] C:\WINDOWS\system32\nxalrua\yunje.exe

O4 - HKLM\..\Run: [kfon] C:\WINDOWS\system32\uulytbb\kfon.exe

O23 - Service: bbxclnwjkxbhq - Unknown owner - C:\WINDOWS\system32\wjkxbhq\bbxcln.exe (file missing)

O23 - Service: dcejfgtkepvnb - Unknown owner - C:\WINDOWS\System32\epvnb\dcejfgtk.exe (file missing)

O23 - Service: eimniocotj - Unknown owner - C:\WINDOWS\System32\iocotj\eimn.exe (file missing)

O23 - Service: klqfkaxkgh - Unknown owner - C:\WINDOWS\System32\kaxkgh\klqf.exe (file missing)

O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe (file missing)

O23 - Service: srsgbwtl - Unknown owner - C:\WINDOWS\system32\bwtl\srsg.exe (file missing)

O23 - Service: taafmkvrqwovt - Unknown owner - C:\WINDOWS\system32\vrqwovt\taafmk.exe

O23 - Service: teobfdqblytjm - Unknown owner - C:\WINDOWS\system32\lytjm\teobfdqb.exe

O23 - Service: vmyhlxybgcdrysgr - Unknown owner - C:\WINDOWS\system32\gcdrysgr\vmyhlxyb.exe

O23 - Service: yunjenxalrua - Unknown owner - C:\WINDOWS\system32\nxalrua\yunje.exe

Now click fix Checked and close Hijack This.

Now look for the following folders and delete them. If you cannot find a certain file/folder, don't worry and proceed with the next one; also don't worry if it gives a message that a certain file is in use, then proceed with deleting the next folder.


These folders
C:\WINDOWS\system32\wjkxbhq
C:\WINDOWS\System32\epvnb
C:\WINDOWS\System32\iocotj
C:\WINDOWS\System32\kaxkgh
C:\WINDOWS\System32\fbaceoar
C:\WINDOWS\system32\bwtl
C:\WINDOWS\system32\vrqwovt
C:\WINDOWS\system32\lytjm
C:\WINDOWS\system32\gcdrysgr
C:\WINDOWS\system32\nxalrua
C:\WINDOWS\system32\ncbmtlxj
C:\WINDOWS\System32\oxsaynow
C:\WINDOWS\System32\moqsgf
C:\WINDOWS\System32\qboa
C:\WINDOWS\System32\hahm
C:\WINDOWS\System32\tlmtptg
C:\WINDOWS\System32\qjdt
C:\WINDOWS\System32\bpapj
C:\WINDOWS\System32\pxdx
C:\Program Files\wutorsr
C:\WINDOWS\System32\wqoabeby
C:\WINDOWS\System32\yslecioe
C:\WINDOWS\System32\wmjsvgnj
C:\WINDOWS\System32\bqwhyme
C:\WINDOWS\System32\hctycvyj
C:\WINDOWS\System32\nwxdmhx
C:\WINDOWS\System32\wqoabeby
C:\WINDOWS\System32\jffrknf
C:\WINDOWS\System32\dbdexge
C:\WINDOWS\System32\vwwskbjg
C:\WINDOWS\System32\anfpsx
C:\WINDOWS\System32\fejlai
C:\WINDOWS\System32\otqyprha
C:\WINDOWS\System32\aqwf
C:\WINDOWS\System32\mdcsar
C:\WINDOWS\System32\cdocmugl
C:\WINDOWS\System32\dsso
C:\WINDOWS\System32\jimi
C:\WINDOWS\System32\pafpk
C:\WINDOWS\System32\pirs
C:\WINDOWS\System32\ywrfy
C:\WINDOWS\system32\vqtyuymk
C:\WINDOWS\system32\ybvdenni
C:\WINDOWS\system32\vmiehp
C:\WINDOWS\system32\xvkwciub
C:\WINDOWS\system32\gxsqffh
C:\WINDOWS\system32\onjcuvuh
C:\WINDOWS\system32\gcdrysgr
C:\WINDOWS\system32\vlxk
C:\WINDOWS\system32\qeov
C:\WINDOWS\system32\wvnxkho
C:\WINDOWS\system32\cxbity
C:\WINDOWS\system32\taff
C:\WINDOWS\system32\bgpm
C:\WINDOWS\system32\vqwxl
C:\WINDOWS\system32\wlyhdgm
C:\WINDOWS\system32\gixtyq
C:\WINDOWS\system32\facsg
C:\WINDOWS\system32\mgvpeyc
C:\WINDOWS\system32\xceugt
C:\WINDOWS\system32\egfj
C:\WINDOWS\system32\sjdjcn
C:\WINDOWS\system32\qawt
C:\WINDOWS\system32\calcr
C:\WINDOWS\system32\nicxjyrx
C:\WINDOWS\system32\ctnlgcl
C:\WINDOWS\system32\wwfjx
C:\WINDOWS\system32\jmtk
C:\WINDOWS\system32\rpoyqw
C:\WINDOWS\system32\gnuhw
C:\WINDOWS\system32\vrqwovt
C:\WINDOWS\system32\phxehnx
C:\WINDOWS\system32\nmdfkxb
C:\WINDOWS\system32\jylh
C:\WINDOWS\system32\bqnchw
C:\WINDOWS\system32\ljrlbn
C:\WINDOWS\system32\xqiyog
C:\WINDOWS\system32\hsvbja
C:\WINDOWS\system32\aevp
C:\WINDOWS\system32\yeaq
C:\WINDOWS\system32\qjtcrw
C:\WINDOWS\system32\spdvraas
C:\WINDOWS\system32\pkfqx
C:\WINDOWS\system32\lxhgi
C:\WINDOWS\system32\ekusvu
C:\WINDOWS\system32\qrctpab
C:\WINDOWS\system32\ueiyecy
C:\WINDOWS\system32\tiqlnndh
C:\WINDOWS\system32\ivhgnf
C:\WINDOWS\system32\saxegp
C:\WINDOWS\system32\urqe
C:\WINDOWS\system32\bvgxvlr
C:\WINDOWS\system32\gdgj
C:\WINDOWS\system32\kouuli
C:\WINDOWS\system32\lkmjj
C:\WINDOWS\system32\bovyld
C:\WINDOWS\system32\iphfh
C:\WINDOWS\system32\lytjm
C:\WINDOWS\system32\vrhkp
C:\WINDOWS\system32\osxxyr
C:\WINDOWS\system32\vowd
C:\WINDOWS\system32\fjdgn
C:\WINDOWS\system32\yfsh
C:\WINDOWS\system32\qpeuujr
C:\WINDOWS\system32\nxalrua
C:\WINDOWS\system32\uulytbb
C:\WINDOWS\system32\wjkxbhq
C:\WINDOWS\System32\epvnb
C:\WINDOWS\System32\iocotj
C:\WINDOWS\System32\kaxkgh
C:\WINDOWS\System32\fbaceoar
C:\WINDOWS\system32\bwtl
C:\WINDOWS\system32\vrqwovt
C:\WINDOWS\system32\gcdrysgr
C:\WINDOWS\system32\nxalrua



Now go to:
Start
Run

And type %windir%/temp. The Windows temp folder will open; select everything, press Delete and then OK.

Again go to:
Start
Run

Now type %temp%. A temp folder will open; select everything in it, press Delete, then click OK.


Restart your computer!!!!!!!!!!

Run Hijack This and come back with a fresh log
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands
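An added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses the O4 Run and O23 Service lines of a HijackThis log, flags the pattern Perculator is cleaning up above (randomly named .exe files in one-level subfolders of system32, services with "Unknown owner", and one exe registered both as a Run entry and as a service), and derives the list of folders the same way the fix enumerates them by hand. The sample lines are copied from the log in this thread; the allowlist of legitimate system32 subfolders and the exact line shapes are assumptions.

```python
"""Triage a HijackThis log for randomly named exes in system32 subfolders.

Added example; not the forum's or HijackThis's own code.  The regexes assume
the O4/O23 line shapes seen in this thread and the KNOWN_SUBDIRS allowlist is
an assumption, not an exhaustive list of legitimate system32 subfolders.
"""
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in the thread (a mix of
# legitimate entries and the random-folder entries the fix removes).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [taafmk] C:\WINDOWS\system32\vrqwovt\taafmk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: taafmkvrqwovt - Unknown owner - C:\WINDOWS\system32\vrqwovt\taafmk.exe
O23 - Service: eimniocotj - Unknown owner - C:\WINDOWS\System32\iocotj\eimn.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# An .exe sitting in exactly one purely alphabetic subfolder of system32.
RANDOM_DIR_RE = re.compile(r"^C:\\WINDOWS\\system32\\([a-z]+)\\([a-z]+)\.exe$", re.IGNORECASE)
# Assumed allowlist: real system32 subfolders that legitimately hold executables.
KNOWN_SUBDIRS = {"wbem", "spool", "drivers", "dllcache", "config", "oobe", "restore"}


def exe_path(rest):
    """Strip quotes and trailing arguments from the O4 value, keeping the .exe path."""
    m = re.match(r'"?(?P<path>[^"]+?\.exe)', rest, re.IGNORECASE)
    return m.group("path") if m else rest


def parse_log(text):
    """Return (kind, label, owner, path, file_missing) tuples for O4 and O23 lines."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            label = "%s Run [%s]" % (m.group("hive"), m.group("name"))
            entries.append(("O4", label, None, exe_path(m.group("rest")), False))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(("O23", m.group("display"), m.group("owner"),
                            m.group("path"), bool(m.group("missing"))))
    return entries


def suspicious_dir(path):
    """Return the system32 subfolder name if the path fits the random-folder pattern."""
    m = RANDOM_DIR_RE.match(path)
    if not m or m.group(1).lower() in KNOWN_SUBDIRS:
        return None
    return m.group(1)


def triage(text):
    """Group entries by executable path and attach the reasons each one looks suspicious."""
    by_path = defaultdict(list)
    for e in parse_log(text):
        by_path[e[3].lower()].append(e)
    findings = []
    for group in by_path.values():
        path = group[0][3]
        reasons = []
        if suspicious_dir(path):
            reasons.append("exe in random one-level system32 subfolder")
        if any(k == "O23" and owner == "Unknown owner" for k, _, owner, _, _ in group):
            reasons.append("service with Unknown owner")
        if {k for k, *_ in group} == {"O4", "O23"}:
            reasons.append("same exe registered as Run entry and as service")
        if reasons:
            findings.append({"path": path,
                             "labels": [lab for _, lab, *_ in group],
                             "file_missing": any(miss for *_, miss in group),
                             "reasons": reasons})
    return findings


def folders_to_remove(findings):
    """Unique parent folders of flagged exes, but only random system32 subfolders,
    never system32 itself or a Program Files directory."""
    folders = []
    for f in findings:
        if suspicious_dir(f["path"]) and f["path"].rsplit("\\", 1)[0] not in folders:
            folders.append(f["path"].rsplit("\\", 1)[0])
    return folders


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["path"], "->", "; ".join(f["reasons"]))
    print("folders:", folders_to_remove(found))
```

Entries marked "(file missing)" still appear in the findings, since the service registration itself is what the fix deletes even when the binary is already gone.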

Unread postby theglobal » June 4th, 2005, 11:34 am

It is now 9:30 am (SAT) here. I am getting to work on the fix in the next 20 min. I will have a separate computer to work from in the chat room.
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am
