HiJack this log, please help me out!

Post by Tupids » June 12th, 2005, 7:47 pm

Logfile of HijackThis v1.99.1
Scan saved at 7:43:24 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\doc101b.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\dmrmbed.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Downloaded Install Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: (no name) - {69660491-0081-15E4-31E1-E6EAC08D62A0} - C:\WINDOWS\system32\FYI\mqqqpjpxca.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [47nT35W] doc101b.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Lw43RRath] dmrmbed.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2697510593
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
Tupids
Active Member
Posts: 3
Joined: June 12th, 2005, 7:46 pm

Re: HiJack this log, please help me out!

Post by Perculator » June 13th, 2005, 1:33 am

Welcome to Malwareremoval.com

I want you to first run these two virus scans; make sure you restart your computer after each scan.
The last scan, the Panda scan, will make a log; make sure you save it and post the content back in your next reply.

Online virus scans

HouseCall

Restart your computer

Panda virus check

Restart your computer

Now run HijackThis and place a fresh log on this board, together with the Panda log.
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: Netherlands

Post by Tupids » June 13th, 2005, 3:48 pm

Thank you for the help.

Here is the Panda log:

Incident Status Location

Adware:Adware/WinTools No disinfected C:\PROGRA~1\Toolbar\common.dll
Adware:Adware/WinTools No disinfected C:\PROGRA~1\Toolbar\toolbar.dll
Adware:Adware/MyWebSearch No disinfected C:\PROGRA~1\Toolbar\TBPSSvc.exe
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\TEMP\BOytxfA3.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\system32\PSof1.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\system32\FYI\mqqqpjpxca.dll
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\system32\FYI\mqqqpjpxca.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\system32\PSof1.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\in10b6s.dll
Adware:Adware/BookedSpace No disinfected C:\DOCUME~1\JAMESD~1\LOCALS~1\Temp\bs*.tmpbsx32
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\wupdt.exe
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Kingporn No disinfected C:\DOCUME~1\JAMESD~1\LOCALS~1\Temp\ExtractDLL.dll
Adware:Adware/Novo No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-57080127-186c6169.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-57080127-186c6169.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-57080127-186c6169.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-57080127-186c6169.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-66c3ff89-71988385.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-66c3ff89-71988385.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-66c3ff89-71988385.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-66c3ff89-71988385.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-53d6da01-637082f6.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-53d6da01-637082f6.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-53d6da01-637082f6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-53d6da01-637082f6.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-394a7981-13f7529d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-394a7981-13f7529d.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-394a7981-13f7529d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\James Dostie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-394a7981-13f7529d.zip[Beyond.class]
Adware:Adware/nCase No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\1801.exe
Virus:Trj/Downloader.BYZ Disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\Del95.tmp
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\ExtractDLL.dll
Adware:Adware/DownloadWare No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\nstD7.EXE
Adware:Adware/nCase No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\res3.tmp
Adware:Adware/Apropos No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temp\temp.fr6C92
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temporary Internet Files\Content.IE5\ATGZMX2T\TBPSSvc[1].cab[TBPSSvc.exe]
Adware:Adware/WinTools No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temporary Internet Files\Content.IE5\K50N0FGB\tb3[1].cab[toolbar.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temporary Internet Files\Content.IE5\LOOVPPCD\abiuninst[1].exe
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temporary Internet Files\Content.IE5\LOOVPPCD\newmajorse2[1].cab
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\James Dostie\Local Settings\Temporary Internet Files\Content.IE5\LOOVPPCD\newmajorse2[1].cab[newmajorse2.txt]
Virus:Trj/Lowzones.AI No disinfected C:\Downloaded Install Files\clonedvd[1].v2.4.3.5.incl.keygen-orion.rar[reg.exe]
Possible Virus. No disinfected C:\Program Files\Course Technology\SAM 2003\Core2.5\png2swf.exe
Adware:Adware/WinTools No disinfected C:\Program Files\Toolbar\common.dll
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\TBPSSvc.exe
Adware:Adware/WinTools No disinfected C:\Program Files\Toolbar\toolbar.dll
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0002.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM32\btnetw-ventura-hot_246765.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\cxtpls_loader.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\SYSTEM32\FYI\mqqqpjpxca.dll
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\SYSTEM32\FYI\mqqqpjpxca.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM32\PSof1.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\Temp\BOytxfA3.exe
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\wupdt.exe


Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:19 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\system32\doc101b.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\dmrmbed.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\FYI\mqqqpjpxca.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TEMP\PN6ykw4d.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloaded Install Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50216
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50216
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50216
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E77A08C-7B84-E0B4-C4F0-F6AB20D8A1E6} - C:\WINDOWS\system32\FYI\mqqqpjpxca.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [47nT35W] doc101b.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Lw43RRath] dmrmbed.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2697510593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
Tupids
Active Member
Posts: 3
Joined: June 12th, 2005, 7:46 pm

Post by Perculator » June 14th, 2005, 5:00 am

OK, I have seen enough.

Download the Panda trial and run it.
Note: switch off your McAfee while running the scan.

It will now remove everything.

Restart your computer.
Run HijackThis and place a fresh log on this board, together with the Panda log.
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: Netherlands

Post by Tupids » June 14th, 2005, 2:53 pm

After running that program most of the spyware seems to have been removed, thank you!

Here is the new Panda log:

Panda Platinum 2005 Internet Security incident report
Filter selected:Virus detected, Suspicious file, Dangerous file, Script execution, Phone connection, Connection attempt, Port scan attack, Denial of service attack, Spoofing, Attacking IP address blocked, Enabled, Disabled, Update, Scan started, Scan complete, Date: All
INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Adware detected: Adware/Novo Antivirus protection 06/14/05 14:50:31 Disinfected Path: c:\windows\system32\fyi\mqqqpjpxca.dll
Connection attempt Firewall protection 06/14/05 14:49:39 Blocked Source IP address: 192.168.2.1
Scan complete On-demand antivirus scan 06/14/05 14:40:13 Scan: My Computer
Adware detected: Adware/Beginto On-demand antivirus scan 06/14/05 14:38:35 Disinfected Path: C:\WINDOWS\SYSTEM32\btnetw-ventura-hot_246765.exe
Adware detected: Adware/Pacimedia On-demand antivirus scan 06/14/05 14:35:30 Disinfected Path: C:\WINDOWS\Downloaded Program Files\pcs_0002.exe
Adware detected: Adware/DownloadWare Antivirus protection 06/14/05 14:30:40 Disinfected Path: c:\docume~1\jamesd~1\locals~1\temp\nstd7.exe
Adware detected: Adware/nCase Antivirus protection 06/14/05 14:30:38 Disinfected Path: c:\docume~1\jamesd~1\locals~1\temp\1801.exe
Adware detected: Adware/DownloadWare Antivirus protection 06/14/05 14:29:41 Disinfected Path: c:\windows\system32\fyi\mqqqpjpxca.exe
Adware detected: Adware/Novo Antivirus protection 06/14/05 14:29:35 Disinfected Path: c:\windows\system32\fyi\mqqqpjpxca.dll
Adware detected: Adware/Weirdontheweb On-demand antivirus scan 06/14/05 14:29:15 Disinfected Path: C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe
Adware detected: Adware/MyWebSearch Antivirus protection 06/14/05 14:28:56 Disinfected Path: c:\windows\temp\xkmsmwre.exe
Adware detected: Adware/WinTools On-demand antivirus scan 06/14/05 14:28:28 Disinfected Path: C:\Program Files\Toolbar\toolbar.dll
Adware detected: Adware/MyWebSearch On-demand antivirus scan 06/14/05 14:28:27 Disinfected Path: C:\Program Files\Toolbar\TBPSSvc.exe
Adware detected: Adware/SAHAgent Antivirus protection 06/14/05 14:20:16 Disinfected Path: c:\windows\system32\xmltok.dll
Adware detected: Adware/SAHAgent Antivirus protection 06/14/05 14:20:13 Disinfected Path: c:\windows\system32\xmlparse.dll
Spyware detected: Spyware/Dyfuca Antivirus protection 06/14/05 14:12:03 Disinfected Path: c:\windows\system32\regsync.exe
Adware detected: Adware/Pacimedia Antivirus protection 06/14/05 14:10:57 Disinfected Path: c:\windows\system32\psof1.exe
Adware detected: Adware/MyWebSearch Antivirus protection 06/14/05 14:02:32 Disinfected Path: c:\program files\toolbar\tbpssvc.exe
Adware detected: Adware/WinTools Antivirus protection 06/14/05 14:02:27 Disinfected Path: c:\program files\toolbar\toolbar.dll
Adware detected: Adware/WinTools Antivirus protection 06/14/05 14:02:16 Disinfected Path: c:\progra~1\toolbar\common.dll
Adware detected: Adware/WinTools Antivirus protection 06/14/05 14:01:47 Disinfected Path: c:\progra~1\toolbar\toolbar.dll
Adware detected: Adware/MyWebSearch Antivirus protection 06/14/05 14:01:45 Disinfected Path: c:\progra~1\toolbar\tbpssvc.exe
Adware detected: Adware/WinTools Antivirus protection 06/14/05 14:01:43 Disinfected Path: c:\progra~1\toolbar\common.dll
Virus detected: Trj/Lowzones.AI On-demand antivirus scan 06/14/05 13:57:05 Notified Path: C:\Downloaded Install Files\clonedvd[1].v2.4.3.5.incl.keygen-orion.rar[reg.exe]
Adware detected: Adware/Apropos Antivirus protection 06/14/05 13:54:01 Disinfected Path: c:\windows\system32\cxtpls_loader.exe
Adware detected: Adware/Apropos On-demand antivirus scan 06/14/05 13:52:48 Disinfected Path: C:\Program Files\AutoUpdate
Adware detected: Adware/BookedSpace On-demand antivirus scan 06/14/05 13:52:43 Disinfected Path: C:\DOCUME~1\JAMESD~1\LOCALS~1\Temp\bs*.tmpbsx32
Adware detected: Adware/SAHAgent On-demand antivirus scan 06/14/05 13:52:38 Disinfected Path: Windows registry
Adware detected: Adware/SaveNow On-demand antivirus scan 06/14/05 13:52:27 Disinfected Path: Windows registry
Scan started On-demand antivirus scan 06/14/05 13:51:49 Scan: My Computer
Here is the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 2:54:06 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cssodem.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\crtautou.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloaded Install Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: (no name) - {4677581E-291E-6284-38A5-1063B8F90EDC} - C:\WINDOWS\system32\FYI\mqqqpjpxca.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [47nT35W] cssodem.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [UpgConfVer] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\UpgConf.exe" /v:9.02.01
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Lw43RRath] crtautou.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2697510593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
Tupids
Active Member
 
Posts: 3
Joined: June 12th, 2005, 7:46 pm

Unread postby Perculator » June 14th, 2005, 5:06 pm

CleanUp! here or here.
Don’t use it yet; we’ll do that later on.

Start HijackThis and put a check next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll

O2 - BHO: (no name) - {4677581E-291E-6284-38A5-1063B8F90EDC} - C:\WINDOWS\system32\FYI\mqqqpjpxca.dll (file missing)

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [47nT35W] cssodem.exe

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKCU\..\Run: [Lw43RRath] crtautou.exe

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe

O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe

O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Close all windows except HijackThis and click Fix Checked.

Close HijackThis.

Remove the following folders:
c:\windows\system32\fyi
C:\Program Files\WeirdOnTheWeb
C:\Program Files\Toolbar
C:\Program Files\Cas
C:\Program Files\PartyPoker

And there seems to be a problem with this file:
C:\Downloaded Install Files\clonedvd[1].v2.4.3.5.incl.keygen-orion.rar[reg.exe]

Also remove these files:

C:\WINDOWS\system32\cssodem.exe
C:\WINDOWS\system32\crtautou.exe

Double-click the file cleanup312.exe.

Go to option
Select ‘custom’
Put a check to:
    * Cookies
    * Prefetch
    * Temp
    * All users.

Press 'cleanup!'


Restart your computer

Run HijackThis and place a fresh log on this board.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands
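An added example, not part of this thread: a small Python parser for lines in the HijackThis format shown above, with three defender-side heuristics that echo what the helper picked out (components marked "file missing", autostart entries that launch a bare filename, and DPF entries that fetch an .exe). The sample lines are copied from the log above; the parsing and the heuristics are my own, not HijackThis's or the helper's.

```python
import re
# Constructed sample in the shape of the HijackThis log above (a few lines, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4677581E-291E-6284-38A5-1063B8F90EDC} - C:\WINDOWS\system32\FYI\mqqqpjpxca.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [47nT35W] cssodem.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"

def parse_line(line):
    """Return (kind, target, file_missing) for one HijackThis line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    if kind == "O4":
        # Run/RunServices: the command follows the [value name]; keep only the program.
        cmd = body.split("] ", 1)[-1]
        q = re.match(r'"([^"]+)"|(\S+)', cmd)
        target = (q.group(1) or q.group(2)) if q else cmd
    else:
        # O2/O3/O16/O18: the module or URL is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1]
    return kind, target, missing

def triage(log_text):
    """Return [(line, [reasons])] for the entries a helper would look at first."""
    hits = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, target, missing = parsed
        reasons = []
        if missing:
            reasons.append("registered component whose file is gone")
        if kind == "O4" and "\\" not in target and "/" not in target:
            reasons.append("autostart launches a bare filename with no path")
        if kind == "O16" and target.lower().endswith(".exe"):
            reasons.append("ActiveX download (DPF) points straight at an .exe")
        if reasons:
            hits.append((line, reasons))
    return hits
```

Running `triage(SAMPLE_LOG)` returns the three suspicious lines with their reasons and leaves the Adobe BHO, the Dell autostart and the Panda ActiveScan .cab alone; these heuristics only shortlist entries for a human to judge, they do not prove anything is malicious.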

Unread postby ChrisRLG » July 6th, 2005, 8:48 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK