htl posted please assist thanks :)

Post by angst2k » May 25th, 2006, 4:17 pm

Thanks in advance-- Steve

Logfile of HijackThis v1.99.1
Scan saved at 4:13:30 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDXP\System32\smss.exe
C:\WINDXP\system32\winlogon.exe
C:\WINDXP\system32\services.exe
C:\WINDXP\system32\lsass.exe
C:\WINDXP\system32\svchost.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\LEXBCES.EXE
C:\WINDXP\system32\spoolsv.exe
C:\WINDXP\system32\LEXPPS.EXE
C:\WINDXP\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\MsgSys.EXE
C:\WINDXP\system32\wscntfy.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDXP\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\j?vaw.exe
C:\WINDXP\system32\cidaemon.exe
C:\WINDXP\system32\cidaemon.exe
C:\WINDXP\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\WINDXP\explorer.exe
C:\Documents and Settings\Stevo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - C:\WINDXP\system32\fmeoosam.dll
R3 - URLSearchHook: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - C:\WINDXP\system32\fmeoosam.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
O2 - BHO: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {1B855240-8893-C969-AE2B-EA35639CB3FF} - C:\WINDXP\system32\qfvcs.dll (file missing)
O2 - BHO: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {23B3DC58-459D-6346-EC6D-6D2317CDCFC2} - C:\WINDXP\system32\klpirf.dll (file missing)
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINDXP\system32\ngsh35.dll (file missing)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll (file missing)
O2 - BHO: (no name) - {4D94D95B-0F8E-4D78-B05A-3D982A6DBEF1} - C:\WINDXP\system32\qebpj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {587A852A-52F1-450F-C2FD-671DC293A2FB} - C:\WINDXP\system32\dbc.dll (file missing)
O2 - BHO: (no name) - {5C7B8628-06A8-160E-C2FD-671DC293F3A8} - C:\WINDXP\system32\orv.dll (file missing)
O2 - BHO: (no name) - {75B9E92E-22BE-0939-9D6A-0DB51E5C93C9} - C:\WINDXP\system32\qebpj.dll (file missing)
O2 - BHO: (no name) - {9F4D0C7C-E567-2213-BC35-FF8347F4FE2D} - C:\WINDXP\hqbswuky.dll (file missing)
O2 - BHO: (no name) - {C20E3D11-A6FB-D402-8438-FB4DF0AF2B95} - C:\WINDXP\System32\aviwz.dll (file missing)
O2 - BHO: (no name) - {CCBC496E-D682-F125-FC3F-8BEA18B47BC6} - C:\WINDXP\system32\bage.dll (file missing)
O2 - BHO: (no name) - {FC91796E-FBB7-B01C-D10C-C8C72F8C56F6} - C:\WINDXP\system32\bage.dll (file missing)
O3 - Toolbar: Search - {69AD668A-DF35-2B19-6992-68F3D1C04CD7} - C:\WINDXP\hqbswuky.dll (file missing)
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Rsfru] C:\Program Files\Faxidrh\Gbazyaw.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [okqi] C:\Program Files\Common Files\okqi\okqim.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDXP\system32\irssyncd.exe
O4 - HKCU\..\Run: [Ucto] "C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe" -vt tzt
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Z_Start.lnk = C:\WINDXP\system32\dwdsregt.exe
O4 - Startup: Zeno.lnk = C:\WINDXP\system32\rwinksap.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5555702763
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374FCD0E-36DC-4F4A-8A78-602B778DF8CB}: NameServer = 10.0.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D6BE43-46A0-4B97-8B62-D080E998EFB0}: NameServer = 10.0.10.1
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: NavLogon - C:\WINDXP\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDXP\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDXP\System32\HPZipm12.exe
angst2k
Regular Member
 
Posts: 19
Joined: January 6th, 2006, 10:20 pm
Location: Florider

Post by jwbirdsong » May 26th, 2006, 2:13 am

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Please run HijackThis and click "Scan." Place checks next to the following entries:

R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - C:\WINDXP\system32\fmeoosam.dll
R3 - URLSearchHook: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {1B855240-8893-C969-AE2B-EA35639CB3FF} - C:\WINDXP\system32\qfvcs.dll (file missing)
O2 - BHO: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {23B3DC58-459D-6346-EC6D-6D2317CDCFC2} - C:\WINDXP\system32\klpirf.dll (file missing)
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINDXP\system32\ngsh35.dll (file missing)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll (file missing)
O2 - BHO: (no name) - {4D94D95B-0F8E-4D78-B05A-3D982A6DBEF1} - C:\WINDXP\system32\qebpj.dll (file missing)
O2 - BHO: (no name) - {587A852A-52F1-450F-C2FD-671DC293A2FB} - C:\WINDXP\system32\dbc.dll (file missing)
O2 - BHO: (no name) - {5C7B8628-06A8-160E-C2FD-671DC293F3A8} - C:\WINDXP\system32\orv.dll (file missing)
O2 - BHO: (no name) - {75B9E92E-22BE-0939-9D6A-0DB51E5C93C9} - C:\WINDXP\system32\qebpj.dll (file missing)
O2 - BHO: (no name) - {9F4D0C7C-E567-2213-BC35-FF8347F4FE2D} - C:\WINDXP\hqbswuky.dll (file missing)
O2 - BHO: (no name) - {C20E3D11-A6FB-D402-8438-FB4DF0AF2B95} - C:\WINDXP\System32\aviwz.dll (file missing)
O2 - BHO: (no name) - {CCBC496E-D682-F125-FC3F-8BEA18B47BC6} - C:\WINDXP\system32\bage.dll (file missing)
O2 - BHO: (no name) - {FC91796E-FBB7-B01C-D10C-C8C72F8C56F6} - C:\WINDXP\system32\bage.dll (file missing)
O3 - Toolbar: Search - {69AD668A-DF35-2B19-6992-68F3D1C04CD7} - C:\WINDXP\hqbswuky.dll (file missing)
O4 - HKLM\..\Run: [Rsfru] C:\Program Files\Faxidrh\Gbazyaw.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [okqi] C:\Program Files\Common Files\okqi\okqim.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDXP\system32\irssyncd.exe
O4 - HKCU\..\Run: [Ucto] "C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe" -vt tzt
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll


Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Start Ewido Anti-Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido

When Ewido is finished scanning, reboot back to normal mode and run this online virus scan: (MUST use IE) ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send (*NOTE it's perfectly safe to do so. You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post
  • The Ewido log
  • A new HijackThis log
  • Panda results
in your next reply here.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am
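
Checking a fix list against a follow-up HijackThis log can be scripted. The sketch below is an added example, not part of either poster's reply and not a HijackThis feature. The function names are hypothetical, the sample lines are abridged from the two logs in this thread, and the code assumes that autorun targets end in `.exe`.

```python
import re
from typing import NamedTuple

# "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [name] C:\path\file.exe"
ENTRY_RE = re.compile(r"^(?P<code>[RNFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]")


class Entry(NamedTuple):
    code: str
    body: str

    def key(self):
        """Identity that survives cosmetic changes between two scans,
        such as a DLL path turning into "(no file)" or "(file missing)"."""
        clsid = CLSID_RE.search(self.body)
        if clsid:  # search hooks, BHOs, toolbars, DPF objects
            return (self.code, clsid.group(0).upper())
        run = RUN_RE.match(self.body)
        if run:  # registry autoruns: hive + key + value name
            return (self.code, run["hive"], run["key"].lower(), run["name"].lower())
        return (self.code, self.body.strip().lower())


def parse_entries(log):
    """Return every R/N/F/O entry line in a pasted log, in order."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def running_processes(log):
    """Lower-cased paths listed under 'Running processes:'."""
    procs, active = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            active = True
        elif active and not line:
            break  # the process list ends at the first blank line
        elif active:
            procs.add(line.lower())
    return procs


def autorun_target(entry):
    """Executable path of an O4 registry autorun, without quotes or arguments."""
    run = RUN_RE.match(entry.body)
    if not run:
        return None
    m = re.match(r'"?(.+?\.exe)', entry.body[run.end():].strip(), re.I)
    return m.group(1) if m else None


def unresolved(fix_list, followup_log):
    """Entries from the fix list that are still in the follow-up log.
    Each result is (entry as it appears now, target_is_still_running)."""
    after = {e.key(): e for e in parse_entries(followup_log)}
    procs = running_processes(followup_log)
    findings = []
    for fixed in parse_entries(fix_list):
        now = after.get(fixed.key())
        if now is None:
            continue  # entry is gone, the fix held
        target = autorun_target(now)
        findings.append((now, target is not None and target.lower() in procs))
    return findings


# Sample input: lines abridged from the fix list and the second log on this page.
FIX_LIST = r"""R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - C:\WINDXP\system32\fmeoosam.dll
O2 - BHO: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - C:\WINDXP\system32\fmeoosam.dll
O4 - HKLM\..\Run: [Rsfru] C:\Program Files\Faxidrh\Gbazyaw.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe"""

FOLLOWUP_LOG = r"""Running processes:
C:\WINDXP\system32\ctfmon.exe
C:\WINDXP\system32\j?vaw.exe

R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe"""

if __name__ == "__main__":
    for entry, running in unresolved(FIX_LIST, FOLLOWUP_LOG):
        state = "still running" if running else "not in process list"
        print(f"{entry.code} - {entry.body}  [{state}]")
```

An autorun that survives the fix and whose target is still in the process list usually means the process was running when the entry was removed and wrote it back, which is why the instructions pair the fix with a Safe Mode scan.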

New logs

Post by angst2k » May 26th, 2006, 10:24 pm

Thank you very much, here is new htl:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:56 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDXP\System32\smss.exe
C:\WINDXP\system32\winlogon.exe
C:\WINDXP\system32\services.exe
C:\WINDXP\system32\lsass.exe
C:\WINDXP\system32\svchost.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\LEXBCES.EXE
C:\WINDXP\system32\spoolsv.exe
C:\WINDXP\system32\LEXPPS.EXE
C:\WINDXP\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\Explorer.EXE
C:\WINDXP\system32\wscntfy.exe
C:\WINDXP\system32\MsgSys.EXE
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINDXP\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDXP\system32\ctfmon.exe
C:\WINDXP\system32\j?vaw.exe
C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDXP\system32\wuauclt.exe
C:\WINDXP\system32\HPZinw12.exe
C:\WINDXP\system32\cidaemon.exe
C:\WINDXP\system32\cidaemon.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDXP\System32\WISPTIS.EXE
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Stevo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - (no file)
R3 - URLSearchHook: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [okqi] C:\Program Files\Common Files\okqi\okqim.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDXP\system32\irssyncd.exe
O4 - HKCU\..\Run: [Ucto] "C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe" -vt tzt
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Z_Start.lnk = C:\WINDXP\system32\dwdsregt.exe
O4 - Startup: Zeno.lnk = C:\WINDXP\system32\rwinksap.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5555702763
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374FCD0E-36DC-4F4A-8A78-602B778DF8CB}: NameServer = 10.0.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D6BE43-46A0-4B97-8B62-D080E998EFB0}: NameServer = 10.0.10.1
O20 - Winlogon Notify: NavLogon - C:\WINDXP\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDXP\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDXP\System32\HPZipm12.exe

EWIDO log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:50:50 PM, 5/26/2006
+ Report-Checksum: 4045F0B7

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95C60327-8E17-44D6-98EB-7EB70CC606DD} -> Adware.SafeSurfing : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-57989841-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-57989841-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\S-1-5-21-57989841-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95C60327-8E17-44D6-98EB-7EB70CC606DD} -> Adware.SafeSurfing : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Program Files\KaZaA\PerfectNavUninstall.exe -> Downloader.Keenval.e : Cleaned with backup
C:\Program Files\Network\network.exe -> Adware.Maxifiles : Cleaned with backup
C:\WINDXP\system32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDXP\system32\nsj4A.dll -> Adware.EZula : Cleaned with backup
C:\WINDXP\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\Documents and Settings\Stevo\Desktop\backups\backup-20060526-072138-893.dll -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\Stevo\Desktop\backups\backup-20060526-072138-374.dll -> Adware.PurityScan : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
-> : Error during cleaning
:mozilla.22:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
-> : Error during cleaning
:mozilla.92:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup


::Report End

PANDA log:


Incident Status Location

Adware:Adware/ShoppingCommunity Not disinfected C:\WINDOWS\SYSTEM\moconfig.exe
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@atwola[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@webpower[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[5].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@outster[2].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@webpower[3].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\anyuser@desktop.kazaa[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@uol.com[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[9].txt
Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@xmts[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[6].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@888[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@ccbill[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[3].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[4].txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\anyuser@linkexchange[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@rn11[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@desktop.kazaa[8].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@toplist[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@webpower[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@target[1].txt
Spyware:Cookie/TeensForCash Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@www.teensforcash[1].txt
Spyware:Cookie/Gorillanation Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@ads.gorillanation[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@atwola[2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@www.netgate.com[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@64.62.232[1].txt
Spyware:Cookie/MyWay Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@www.xzoomy[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@smni[2].txt
Spyware:Cookie/Pollstar Not disinfected C:\WINDOWS\Profiles\stevo2k\Cookies\stevo@pollstar[2].txt
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\?ssembly\winspool.exe
Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\Jalmp\uninstall.exe
Hacktool:Flooder Program Not disinfected C:\old\TRiBE7\Tools\EF29.EXE
Spyware:Cookie/Cd Freaks Not disinfected C:\old\Recycled\NPROTECT\00071379.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070139.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070140.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070141.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070142.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070143.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070144.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070145.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070146.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070147.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070148.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070149.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070150.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070151.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070152.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070153.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070154.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070155.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070156.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070157.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070158.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070159.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070170.TXT
Spyware:Cookie/Go Not disinfected C:\old\Recycled\NPROTECT\00070171.TXT
Adware:Adware/SaveNow Not disinfected C:\old\Recycled\NPROTECT\00071182.EXE
Spyware:Spyware/Conducent-Timesink Not disinfected C:\old\Program Files\Crystal Art Software\Crystal FTP\TSUninstaller.exe
Spyware:Cookie/Hypercount Not disinfected C:\old\old2\RECYCLED\NPROTECT\00062963.TXT
Spyware:Cookie/LinkExchange Not disinfected C:\oldserver\WINDOWS\Cookies\stevo@linkexchange[1].txt
Spyware:Spyware/SafeSurf Not disinfected C:\WINDXP\system32\irsinst.exe[ExtractDLL.dll]
Spyware:Spyware/SafeSurf Not disinfected C:\WINDXP\system32\unirimon.exe
Adware:Adware/YazzleSudoku Not disinfected C:\WINDXP\system32\GS_SilentSudokuInstaller.exe[GS_SudokuInstaller.exe]
Adware:Adware/YazzleSudoku Not disinfected C:\WINDXP\system32\GS_SilentSudokuInstaller.exe[GS_SudokuInstaller.exe][Sudoku.exe]
Adware:Adware/IPInsight Not disinfected C:\WINDXP\inf\conscorr.inf
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WINDXP\pf78.exe
Adware:Adware/ISearch Not disinfected C:\WINDXP\Downloaded Program Files\initial.inf
Adware:Adware/IST.YourSiteBar Not disinfected C:\WINDXP\Downloaded Program Files\ysbactivex.inf
Adware:Adware Program Not disinfected C:\WINDXP\Downloaded Program Files\WildApp.inf
Adware:adware/sidesearch Not disinfected C:\WINDXP\sepsd.bin
Spyware:application/bestoffer Not disinfected C:\WINDXP\smdat32m.sys
Adware:Adware/CommAd Not disinfected C:\WINDXP\U3RldmU\oal5xAo.vbs
Spyware:Spyware/MarketScore Not disinfected C:\WINDXP\rlvknlg.exe
Adware:adware/elitebar Not disinfected C:\WINDXP\eliteunstall.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Stevo\Local Settings\Temp\!update.exe
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\Stevo\Start Menu\Programs\Startup\Zeno.lnk
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stevo\Cookies\stevo@doubleclick[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Stevo\Cookies\stevo@z1.adserver[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Stevo\Cookies\stevo@stats1.reliablestats[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Stevo\Cookies\stevo@zedo[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Stevo\Cookies\stevo@adopt.hbmediapro[2].txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2f3daa29-7ffa0144.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2f3daa29-7ffa0144.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2f3daa29-7ffa0144.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2f3daa29-7ffa0144.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77626e25-562ba50a.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77626e25-562ba50a.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77626e25-562ba50a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77626e25-562ba50a.zip[Beyond.class]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.paycounter.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.sexlist.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.sextracker.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[counter9.sextracker.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\cookies.txt[.realmedia.com/]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Stevo\Application Data\tvmknwrd.dll
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\ar3.jar-3cd8601-64debc02.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\ar3.jar-3cd8601-64debc02.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\ar3.jar-3cd8601-64debc02.zip[VerifierBug.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-14715262.zip[javainstaller/InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\loaderadv569.jar-560641e0-4eda4d94.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\loaderadv569.jar-560641e0-4eda4d94.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\loaderadv569.jar-560641e0-4eda4d94.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Stevo\.jpi_cache\jar\1.0\loaderadv569.jar-560641e0-4eda4d94.zip[Parser.class]
angst2k
Regular Member
 
Posts: 19
Joined: January 6th, 2006, 10:20 pm
Location: Florider

Unread postby jwbirdsong » May 28th, 2006, 9:25 am

Looking better but still a bit of work to do.

Again, make sure to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions. You cannot have IE/Firefox/any browser open during the fix.

Please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Download KillBox http://www.downloads.subratam.org/KillBox.zip.
Place it in a folder on your Desktop.
Help with unzipping files is HERE

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. Use the drop down box and clear ALL profiles this way.

Back at the main Killbox screen, check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Click the button marked ALL FILES (lower right of Killbox). Left click and drag the cursor to highlight ALL files listed in the quote box below, right click and choose copy. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\SYSTEM\moconfig.exe
C:\Program Files\Common Files\?ssembly\winspool.exe
C:\Program Files\Jalmp\uninstall.exe
C:\oldserver\WINDOWS\Cookies\stevo@linkexchange[1].txt
C:\old\Program Files\Crystal Art Software\Crystal FTP\TSUninstaller.exe
C:\WINDXP\system32\irsinst.exe
C:\WINDXP\system32\unirimon.exe
C:\WINDXP\system32\GS_SilentSudokuInstaller.exe
C:\WINDXP\inf\conscorr.inf
C:\WINDXP\pf78.exe
C:\WINDXP\Downloaded Program Files\initial.inf
C:\WINDXP\Downloaded Program Files\ysbactivex.inf
C:\WINDXP\Downloaded Program Files\WildApp.inf
C:\WINDXP\sepsd.bin
C:\WINDXP\smdat32m.sys
C:\WINDXP\U3RldmU\oal5xAo.vbs
C:\WINDXP\rlvknlg.exe
C:\WINDXP\eliteunstall.exe
C:\Documents and Settings\Stevo\Local Settings\Temp\!update.exe
C:\Documents and Settings\Stevo\Application Data\tvmknwrd.dll
C:\Program Files\Network\network.exe
C:\WINDXP\system32\j?vaw.exe
C:\WINDXP\system32\irssyncd.exe
C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe
C:\Program Files\Network\network.exe


If you get a PendingOperations message, ignore/close it and restart your computer manually.

As the computer is restarting..reboot to Safe Mode by doing the following:
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Next, delete the following folders (if they exist):
C:\Program Files\Common Files\okqi
C:\WINDXP\U3RldmU
C:\Program Files\Jalmp\

Please run HijackThis and click "Scan." Place checks next to the following entries:

  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
  • R3 - URLSearchHook: (no name) - {1F1C6D28-A4E2-D831-C00F-DB98BC15F793} - (no file)
  • R3 - URLSearchHook: (no name) - {184F6E79-A9BE-8936-C00F-DB98BC15F7CB} - (no file)
  • O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
  • O4 - HKCU\..\Run: [okqi] C:\Program Files\Common Files\okqi\okqim.exe
  • O4 - HKCU\..\Run: [opmrket] C:\WINDXP\opmrket.exe
  • O4 - HKCU\..\Run: [Nbyrtf] C:\WINDXP\system32\j?vaw.exe
  • O4 - HKCU\..\Run: [irssyncd] C:\WINDXP\system32\irssyncd.exe
  • O4 - HKCU\..\Run: [Ucto] "C:\PROGRA~1\COMMON~1\SSEMBL~1\winspool.exe" -vt tzt
  • O4 - Startup: Z_Start.lnk = C:\WINDXP\system32\dwdsregt.exe
  • O4 - Startup: Zeno.lnk = C:\WINDXP\system32\rwinksap.exe

You may also optionally check the following entries for removal:
All of the following are UN-needed to run at startup. They can be run as needed, saving system resources for better uses.

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
<<---HUGE resource hog

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Reboot back to Normal mode

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDXP\system32\j?vaw.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Here's the latest, many thanks

Unread postby angst2k » May 28th, 2006, 2:22 pm

Thanks again!

Here's the stuff:

Volume in drive C is DISK1PART01
Volume Serial Number is 7BC9-5ACD

Directory of C:\WINDXP\system32

05/08/2006 03:43 PM 409,600 j?vaw.exe
02/22/2004 10:52 PM 28,779 javaw.exe
2 File(s) 438,379 bytes

Directory of C:\Documents and Settings\Stevo\Desktop


Logfile of HijackThis v1.99.1
Scan saved at 2:17:40 PM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDXP\System32\smss.exe
C:\WINDXP\system32\winlogon.exe
C:\WINDXP\system32\services.exe
C:\WINDXP\system32\savedump.exe
C:\WINDXP\system32\lsass.exe
C:\WINDXP\system32\svchost.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\LEXBCES.EXE
C:\WINDXP\system32\spoolsv.exe
C:\WINDXP\system32\LEXPPS.EXE
C:\WINDXP\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\Explorer.EXE
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDXP\system32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDXP\system32\MsgSys.EXE
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\WINDXP\system32\NOTEPAD.EXE
C:\WINDXP\system32\wscntfy.exe
C:\WINDXP\system32\wuauclt.exe
C:\WINDXP\System32\svchost.exe
C:\WINDXP\system32\wuauclt.exe
C:\Documents and Settings\Stevo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stevo\Application Data\Mozilla\Profiles\default\rlg8wfew.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5555702763
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{374FCD0E-36DC-4F4A-8A78-602B778DF8CB}: NameServer = 10.0.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D6BE43-46A0-4B97-8B62-D080E998EFB0}: NameServer = 10.0.10.1
O20 - Winlogon Notify: NavLogon - C:\WINDXP\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDXP\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDXP\System32\HPZipm12.exe
angst2k
Regular Member
 
Posts: 19
Joined: January 6th, 2006, 10:20 pm
Location: Florider

Unread postby jwbirdsong » May 28th, 2006, 5:32 pm

One more file to delete....go to your C:\windows\system32 folder and find the j?vaw.exe file...the ? MAY be any letter and it could WELL be an a..giving you 2 javaw.exe in that directory......using the properties of the file, delete the one that is 409,600 bytes in size and was created on 05/08/2006 03:43 PM.

You should also update your Java by following the procedure HERE

Spend a day or so browsing and then post a final(?) HijackThis log along with any comments/concerns on how your computer is running; I'll have some advice on how to stay Malware free then.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am
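
The check described in the post above (two near-identical names in one directory, told apart by size and date), as an added example that is not part of the thread: it parses `dir` output and flags names where `?` stands in for a character the listing could not display, paired with the plain-named file they shadow. The function names and the `notepad.exe` and `drivers` lines in the sample are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample modelled on the listing in the thread; the notepad.exe and
# drivers lines are constructed to show entries that must NOT be flagged.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C is DISK1PART01
 Volume Serial Number is 7BC9-5ACD

 Directory of C:\WINDXP\system32

05/08/2006  03:43 PM           409,600 j?vaw.exe
02/22/2004  10:52 PM            28,779 javaw.exe
08/04/2004  07:00 AM            69,120 notepad.exe
08/04/2004  07:00 AM    <DIR>          drivers
               3 File(s)        507,499 bytes
"""

# One file or directory entry: date, time, size (or <DIR>), name.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<name>.+?)\s*$"
)
DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")


@dataclass
class Finding:
    directory: str
    suspect: str                 # name containing the '?' placeholder
    size: int                    # bytes, as printed by dir
    modified: str                # "MM/DD/YYYY HH:MM AM|PM"
    impersonates: Optional[str]  # plain-named sibling it shadows, if any


def _masks(pattern: str, name: str) -> bool:
    """True when name equals pattern everywhere except at '?' positions."""
    if len(pattern) != len(name):
        return False
    return all(p == "?" or p.lower() == n.lower() for p, n in zip(pattern, name))


def parse_dir_listing(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Map each listed directory to its files as (name, size, modified)."""
    listing: Dict[str, List[Tuple[str, int, str]]] = {}
    current = None
    for line in text.splitlines():
        header = DIR_RE.match(line)
        if header:
            current = header.group("path")
            listing.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line.strip())
        # Skip summary lines, sub-directories, and entries seen before a header.
        if not entry or current is None or entry.group("size") == "<DIR>":
            continue
        size = int(entry.group("size").replace(",", ""))
        stamp = f"{entry.group('date')} {entry.group('time')}"
        listing[current].append((entry.group("name"), size, stamp))
    return listing


def find_lookalikes(text: str) -> List[Finding]:
    """Flag every file whose name contains '?' and name the sibling it mimics."""
    findings: List[Finding] = []
    for directory, files in parse_dir_listing(text).items():
        plain = [name for name, _, _ in files if "?" not in name]
        for name, size, modified in files:
            if "?" not in name:
                continue
            twin = next((p for p in plain if _masks(name, p)), None)
            findings.append(Finding(directory, name, size, modified, twin))
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_DIR_OUTPUT):
        target = f.impersonates or "no plain-named sibling"
        print(f"{f.directory}\\{f.suspect}  {f.size} bytes  {f.modified}  -> {target}")
```

A name flagged with no sibling is still worth a look, since `?` is not a legal character in a Windows file name and only appears in a listing as a substitute.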

Unread postby NonSuch » June 11th, 2006, 1:57 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California