Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HiJacked..:(

Post by itzrandee » June 27th, 2005, 12:05 am

Hey guys,
I've been having continuous pop-ups and my Internet Explorer has been pretty slow. Also, there has been a new toolbar that I did not install.
I've tried using SpyDoctor, Ad-Aware, and Norton Antivirus. Thank you all in advance.

Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:19:49 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rurjmm.exe
C:\WINDOWS\System32\wmdsapi.exe
c:\windows\system32\owwlod.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system\nvpfbhx.exe
C:\WINDOWS\System32\wkstls.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rurjmm.exe reg_run
O4 - HKLM\..\Run: [vs2T3tR] wmdsapi.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [gyljflo] c:\windows\system32\owwlod.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [eBt3Rjd7W] wkstls.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: 4Google2.lnk = C:\Program Files\Google Blocker\4google2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\iUlmdev5.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
itzrandee
Active Member
Posts: 13
Joined: June 27th, 2005, 12:04 am

Post by P3-450 » June 27th, 2005, 2:10 pm

Hi itzrandee, welcome to MR :)

I will be taking a look at your log and will return as soon as I can :)
P3-450
MRU Honors Grad Emeritus
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Post by itzrandee » June 27th, 2005, 2:31 pm

Thanks P3-450.

Here is an updated HJT log after running trendmicro and spydoctor again.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:18 AM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rurjmm.exe
C:\WINDOWS\System32\wmdsapi.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
c:\windows\system32\zqeiol.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system\nvpfbhx.exe
C:\WINDOWS\System32\wkstls.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Winamp\Winamp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rurjmm.exe reg_run
O4 - HKLM\..\Run: [vs2T3tR] wmdsapi.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [cahcon] c:\windows\system32\zqeiol.exe r
O4 - HKCU\..\Run: [eBt3Rjd7W] wkstls.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: 4Google2.lnk = C:\Program Files\Google Blocker\4google2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\iUlmdev5.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
itzrandee
Active Member
Posts: 13
Joined: June 27th, 2005, 12:04 am

Post by P3-450 » June 27th, 2005, 2:50 pm

Hi, thanks for the update.


===============

Download CWShredder, unzip it to your desktop and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these programs' base name(s), in all files and folders:

wmdsapi.exe*
MediaAccess.exe*
nvpfbhx.exe*
wkstls.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:

Web Related

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\rurjmm.exe
C:\WINDOWS\System32\wmdsapi.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\windows\system32\zqeiol.exe
C:\WINDOWS\system\nvpfbhx.exe
C:\WINDOWS\System32\wkstls.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u cfgmgr52.dll
regsvr32 /u systb.dll
regsvr32 /u richedtr.dll
regsvr32 /u casmf.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rurjmm.exe reg_run
O4 - HKLM\..\Run: [vs2T3tR] wmdsapi.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [cahcon] c:\windows\system32\zqeiol.exe r
O4 - HKCU\..\Run: [eBt3Rjd7W] wkstls.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

O20 - Winlogon Notify: URL - C:\WINDOWS\system32\iUlmdev5.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\WeirdOnTheWeb
C:\Program Files\Media Access
C:\Program Files\Cas
C:\Program Files\Updates from HP
C:\Program Files\Privacy Champion

files...

C:\WINDOWS\System32\rurjmm.exe
C:\WINDOWS\System32\wmdsapi.exe
c:\windows\system32\zqeiol.exe
C:\WINDOWS\system\nvpfbhx.exe
C:\WINDOWS\System32\wkstls.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\richup.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\system32\iUlmdev5.dll
C:\WINDOWS\svcproc.exe

Search for...

wmdsapi.exe
ALCXMNTR.EXE
AUNPS2.DLL
wkstls.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.
P3-450
MRU Honors Grad Emeritus
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Post by itzrandee » June 27th, 2005, 3:34 pm

Thank you,

I haven't deleted AUNPS2.DLL yet because it was "in use". Here is an updated HJT log. Thank you for your time btw.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:35 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
c:\windows\system32\lpwabv.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\vavknn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [smdxrs] c:\windows\system32\lpwabv.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vavknn.exe reg_run
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: 4Google2.lnk = C:\Program Files\Google Blocker\4google2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am

Unread postby P3-450 » June 27th, 2005, 4:12 pm

Hi

You have a Qoologic infection, let's get rid of that, then we will clean up the rest.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


With all windows and browsers closed

Please run Ewido, and run a full scan. Clean/remove everything it finds. Save the logfile from the scan.


Reboot back into normal mode and post back a new hijackthis log, along with the ewido scan.
P3-450
MRU Honors Grad Emeritus
 
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Unread postby itzrandee » June 27th, 2005, 4:20 pm

Hi,

When I try to download, it says my current security settings are not allowing me to download. I don't know what security settings they are and thus I don't know how to disable them. Any ideas?
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am

Unread postby P3-450 » June 27th, 2005, 4:31 pm

In IE

1. In the browser's Tools menu, select Internet Options.

2. In the Internet Options dialog box, click the Security tab.

3. In the "Select a Web content zone" control, click the Internet icon.

4. In the "Security level for this zone" area, reset security to Medium.

5. Click OK.

Try downloading it now.
P3-450
MRU Honors Grad Emeritus
 
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Unread postby itzrandee » June 27th, 2005, 6:41 pm

Hi,

Sorry but the scan took a while...
Here's the latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:39:52 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncnk.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rurjmm.exe reg_run
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: 4Google2.lnk = C:\Program Files\Google Blocker\4google2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

And the ewido log,

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:36:21 PM, 6/27/2005
+ Report-Checksum: 6123F158

+ Date of database: 6/27/2005
+ Version of scan engine: v3.0

+ Duration: 116 min
+ Scanned Files: 244807
+ Speed: 35.10 Files/Second
+ Infected files: 190
+ Removed files: 95
+ Files put in quarantine: 95
+ Files that could not be opened: 0
+ Files that could not be cleaned: 95

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
K:\
C:\
D:\
K:\

+ Scan result:
C:\Documents and Settings\Default User\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Lina\Cookies\lina@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@atdmt[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@com[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ehg.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@hit.namimedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@search123[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Del29.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\f422406.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\nst1A.EXE -> Spyware.SmartPops -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\pcs_0029.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\ptf_0029.exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\2.8.7.4[1].exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\AppWrap[1].exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\inst5[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\trk_0029[1].exe -> Spyware.Pacer.e -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\abiuninst[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\npzango[1].dll -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\website[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\Poller[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\trk_0002[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\VCTPBWSW\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\Program Files\drvi\gqkknqscwu.dll -> Spyware.SmartPops -> Cleaned with backup
C:\Program Files\drvi\gqkknqscwu.exe -> Spyware.SmartPops -> Cleaned with backup
C:\Program Files\Netscape\Netscape\plugins\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\Program Files\VBouncer\InstallT.exe -> Spyware.VirtualBouncer.c -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\hzbfqkvddyi.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Small.ez -> Cleaned with backup
C:\WINDOWS\system32\bqbnooc.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\lpwabv.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINDOWS\system32\nsxB6.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\system32\pqpkd.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\system32\vavknn.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\system32\zbziggp.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\System320nst80 -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Default User\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Lina\Cookies\lina@geocities[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@advertising[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@atdmt[3].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@com[3].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@ehg.hitbox[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@fastclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@hit.namimedia[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@hitbox[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@search123[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@xiti[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Cookies\owner@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\Del29.tmp -> TrojanDownloader.Small.asf -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\f422406.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\nst1A.EXE -> Spyware.SmartPops -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\pcs_0029.exe -> Spyware.Pacer.b -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\ptf_0029.exe -> Spyware.Pacer -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\2.8.7.4[1].exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\AppWrap[1].exe -> TrojanDownloader.Adload.a -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\aurora[1].exe -> Spyware.BetterInternet.c -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\inst5[1].exe -> TrojanDownloader.Small.apm -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\6S19VNZZ\trk_0029[1].exe -> Spyware.Pacer.e -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\abiuninst[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\npzango[1].dll -> Spyware.WinAD -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\PCJQZBPJ\website[1].ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\DrPMon[1].dll -> Trojan.Agent.db -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\Poller[1].exe -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\RPGK8VR7\trk_0002[1].exe -> Spyware.Pacer -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Local Settings\Temporary Internet Files\Content.IE5\VCTPBWSW\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Error during cleaning
C:\Program Files\drvi\gqkknqscwu.dll -> Spyware.SmartPops -> Error during cleaning
C:\Program Files\drvi\gqkknqscwu.exe -> Spyware.SmartPops -> Error during cleaning
C:\Program Files\Netscape\Netscape\plugins\npwthost.dll -> Spyware.WildTangent.b -> Error during cleaning
C:\Program Files\VBouncer\InstallT.exe -> Spyware.VirtualBouncer.c -> Error during cleaning
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Error during cleaning
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Error during cleaning
C:\WINDOWS\hzbfqkvddyi.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Error during cleaning
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Error during cleaning
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Error during cleaning
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Small.ez -> Error during cleaning
C:\WINDOWS\system32\bqbnooc.exe -> TrojanDownloader.Qoologic.q -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@ads.techtv[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@geocities[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@search.msn[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@us[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg -> Error during cleaning
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Error during cleaning
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Error during cleaning
C:\WINDOWS\system32\lpwabv.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy.n -> Error during cleaning
C:\WINDOWS\system32\nsxB6.dll -> Spyware.HotSearchBar -> Error during cleaning
C:\WINDOWS\system32\pqpkd.dll -> TrojanDownloader.Qoologic.q -> Error during cleaning
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Error during cleaning
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Error during cleaning
C:\WINDOWS\system32\vavknn.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\WINDOWS\system32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Error during cleaning
C:\WINDOWS\system32\zbziggp.dll -> TrojanDownloader.Qoologic.q -> Error during cleaning
C:\WINDOWS\System320nst80 -> Spyware.HotSearchBar -> Error during cleaning
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Error during cleaning
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Error during cleaning


::Report End
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am

Unread postby P3-450 » June 28th, 2005, 2:26 pm

Hi

Unfortunately Ewido did not kill it.

We will have to do it manually, I'm afraid.

Please Download RKFiles.zip

Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

Restart to safe mode. (tap f8 key during bootup)

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT

Give it time to run. this may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Next, open the QOOLOGIC Folder and Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, post it in a reply to your thread after doing the rest of what follows here.
It'll take a while to run a full scan so please be patient.

Restart into regular Windows mode and post the contents of C:\log.txt and the find-qoologic results.
P3-450
MRU Honors Grad Emeritus
 
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Unread postby itzrandee » June 28th, 2005, 7:10 pm

Hi,
Sorry for my late response. I have done the RKFiles part of your instructions but when I get to Find Qoologic .bat file it gives me an error saying:

C:\Windows\System32\cmd.exe
C:\Windows\System32\Autoexec.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applictions. Chose 'Close' to terminate the application.

There are 2 options in the error, close and ignore. I've tried clicking them both but they don't seem to do what you have instructed.
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am

Unread postby P3-450 » June 28th, 2005, 7:22 pm

ok

Navigate to

C:\Windows\Repair

Look for autoexec.nt and right click on the file and then click on Copy.

Navigate to

C:\Windows\System32 and paste the file into that folder.


Then try it again
P3-450
MRU Honors Grad Emeritus
 
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Unread postby itzrandee » June 28th, 2005, 7:35 pm

Hi,

QOOLOGIC log,

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\RCRPUUE.DLL
* KavSvc C:\WINDOWS\System32\UVUWN.DLL
* aspack C:\WINDOWS\System32\PYPAV.DAT
* aspack C:\WINDOWS\System32\BQBNOOC.EXE
* aspack C:\WINDOWS\System32\RURJMM.EXE
* aspack C:\WINDOWS\System32\RCRPUUE.DLL
* aspack C:\WINDOWS\System32\UVUWN.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\ADLINS~1.EXE
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\BROWSER.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NCNK.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
4Google2.lnk
desktop.ini
HP Digital Imaging Monitor.lnk
ncnk.exe
Quicken Scheduled Updates.lnk
SBC Self Support Tool.lnk

User Startup:
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Start Menu\Programs\Startup
.
..
desktop.ini
spamsubtract.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fkfnqqgn
<NO NAME> REG_SZ {eba36df6-ccd0-402d-a919-8c012e5f002a}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
<NO NAME> REG_SZ {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

and the RKFiles log,

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\adlinstallwin32.exe: UPX!
C:\WINDOWS\system32\PSof1.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\browser.exe: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Thank you.
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am
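The two logs above come from tools that look for packer marker strings ("UPX!", "aspack", "PEC2") in the headers of executables and libraries, which is why both warn that hits are not automatically bad files: legitimate software is often packed with the same tools. The script below is an added example for this thread, not the code of RKFiles or Find-Qoologic; it reimplements that idea in Python over a folder of constructed sample files (the file names echo the logs, the bytes are invented), and deliberately includes a packed-but-benign file so the false-positive case the logs warn about is visible in the output.

```python
"""Scan a folder for the packer marker strings ("UPX!", "aspack", "PEC2")
that the RKFiles / Find-Qoologic logs in this thread report.

Added example for this thread, not the code of either tool.  The file
names and contents built below are constructed for the demo."""
import tempfile
from pathlib import Path

# Marker strings as they appear in the logs. Constructed list; the real
# tools may search for more than these three.
PACKER_MARKERS = (b"UPX!", b"aspack", b"PEC2")

# File types the logs list hits for (assumption for this example).
SCANNED_SUFFIXES = {".exe", ".dll", ".dat", ".cpl"}


def find_markers(data: bytes) -> list:
    """Return the markers present in data, decoded for readability."""
    return [m.decode("ascii") for m in PACKER_MARKERS if m in data]


def scan_file(path: Path, max_bytes: int = 64 * 1024) -> list:
    """Read at most max_bytes of path and report packer markers in it.
    Packer stubs and section names sit near the start of a PE file, so
    reading the first 64 KiB is enough for this check."""
    with open(path, "rb") as fh:
        return find_markers(fh.read(max_bytes))


def scan_folder(folder) -> dict:
    """Map file name -> markers for every scanned file that has a hit.
    Files without a hit are omitted, as in the logs."""
    hits = {}
    for p in sorted(Path(folder).iterdir()):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            found = scan_file(p)
            if found:
                hits[p.name] = found
    return hits


def build_sample_folder() -> str:
    """Write constructed sample files and return the folder path.
    The names echo the thread's logs; the bytes are invented and are
    not real malware, just a fake DOS/PE header plus marker text."""
    folder = tempfile.mkdtemp(prefix="packer_demo_")
    pe_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    samples = {
        "BQBNOOC.EXE": pe_stub + b"UPX0\x00UPX1\x00UPX!" + b"\x00" * 64,
        "PYPAV.DAT": pe_stub + b".aspack\x00.adata" + b"\x00" * 64,
        "DivX.dll": pe_stub + b"PEC2" + b"\x00" * 64,
        # Packed with UPX but benign: this is the false positive the logs
        # warn about, and it is reported exactly like the others.
        "legit_tool.exe": pe_stub + b"UPX!" + b"\x00" * 64,
        "plain.exe": pe_stub + b".text\x00.data" + b"\x00" * 64,  # no marker
        "notes.txt": b"UPX! mentioned in a text file, not scanned",
    }
    for name, data in samples.items():
        (Path(folder) / name).write_bytes(data)
    return folder


if __name__ == "__main__":
    for name, markers in scan_folder(build_sample_folder()).items():
        print(f"{name}: {', '.join(markers)}")
```

The output lists `legit_tool.exe` next to the suspicious names with no way to tell them apart, which is the point: a packer marker says only that a file was packed, so each hit still needs to be judged by its path, publisher and behaviour before anything is deleted, exactly as the helper does in the steps that follow.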

Unread postby P3-450 » June 29th, 2005, 12:06 pm

Please copy the following instructions to a notepad file and save them because you won't be able to see this page.
Keep the notepad file Open

When asked below, you will need to be Offline and NO IE windows open. When ready to start the fix, unplug your cat-5 wire from machine if you are on cable or a network.


    [1] Download the Pocket Killbox.
    [2] Unzip the contents of KillBox.zip to a convenient location.
    [3] Disconnect from the internet and shut down all running programs.
    [4] Double-click on KillBox.exe and keep Killbox open.
    (Important to keep killbox and notepad file open)
    [4a] Use task manager to end process on all instances of explorer.exe
    Your desktop will disappear but that's normal. It will come back after Reboot part of this fix.
    [5] Click "Delete on Reboot" box.
    [6] Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\RCRPUUE.DLL
    [7] Click the "Delete File" button (Red Circle with White X)
    [8] Click "No" at the "Process and Reboot Now" prompt.
    [9] Click "OK" at the Pending Reboot prompt.
    [10] Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\UVUWN.DLL
    • C:\WINDOWS\System32\PYPAV.DAT
    • C:\WINDOWS\System32\BQBNOOC.EXE
    • C:\WINDOWS\System32\RURJMM.EXE
    • C:\WINDOWS\System32\RCRPUUE.DLL
    • C:\WINDOWS\System32\UVUWN.DLL
    • C:\WINDOWS\System32\REDIT.CPL
    • C:\WINDOWS\System32\PSOF1.EXE
    [11] Click "Delete on Reboot" box.
    [12] Paste this file into the top "Full Path of File to Delete" box.
    • C:\docume~1\alluse~1\startm~1\programs\startup\NCNK.EXE
    [13] Click the "Delete File" button which looks like a stop sign.
    [14] Click "Yes" at the "Process and Reboot Now" prompt.
    [15] Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
    [16] Once restarted...Double-click on qoologic.bat and post the new log.txt.

Please Do Not reboot until I reply back.

Note that we may have to repeat this process a few times to completely kill off all of the files.
P3-450
MRU Honors Grad Emeritus
 
Posts: 514
Joined: April 9th, 2005, 12:53 pm
Location: Leeds, UK

Unread postby itzrandee » June 29th, 2005, 2:16 pm

Hi,

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* UPX! C:\WINDOWS\System32\ADLINS~1.EXE
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\BROWSER.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
4Google2.lnk
desktop.ini
HP Digital Imaging Monitor.lnk
Quicken Scheduled Updates.lnk
SBC Self Support Tool.lnk

User Startup:
C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P\Start Menu\Programs\Startup
.
..
desktop.ini
spamsubtract.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fkfnqqgn
<NO NAME> REG_SZ {eba36df6-ccd0-402d-a919-8c012e5f002a}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
<NO NAME> REG_SZ {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Thank you
itzrandee
Active Member
 
Posts: 13
Joined: June 27th, 2005, 12:04 am