Pop-ups and Taking Over Search Windows


This topic is locked
14 replies to this topic

#1 terps54424
Full Member, 13 posts

Posted 24 May 2007 - 05:47 PM

Hello,

I'd like to thank everyone in advance for taking the time to read this.

I've been experiencing a ton of pop-ups recently, all of which are coming up as IE windows, while I'm using Firefox. Typically it will happen not when I open a new browser window, but when I go to one of my bookmarks. I would give a name for the infection, but the addresses on the pop-ups are different every time (although a majority seem to have to do with "gaming" or "arcade" sites).

I'm also seeing that if I go to google and attempt to search for all or part of the web address in the pop-up, I will then get a smaller pop-up (no address bar) where my search word is scattered all over the page. I hope this helps as far as a description goes. I have already run Ad-aware and Spybot, and that hasn't resolved the issue (or I wouldn't be here :)).

Thank you again for any help you can offer.

Edited by terps54424, 24 May 2007 - 05:49 PM.


#2 terps54424
Full Member, 13 posts

Posted 24 May 2007 - 05:48 PM

My HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 6:49:09 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\pasystem\pasystem.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05112051-1670] C:\WINDOWS\ms05112051-1670.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [krqk] C:\PROGRA~1\COMMON~1\krqk\krqkm.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
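
A worked example, added here and not part of the original thread or of HijackThis itself: a small triage script that parses O4 (Run key), O9 (IE toolbar button) and O23 (service) lines from a HijackThis log and applies the review heuristics a helper would use by eye on the log above: a "(file missing)" target, a svchost look-alike file name, a random-looking name (long digit runs or no vowels), an executable dropped directly into the Windows directory, or a service with no publisher that lives outside Program Files. The sample lines are copied from the log posted above; the heuristics are review triggers, not verdicts (the LicCtrl entry in C:\WINDOWS is a benign hit, while the hits in the same run would have pointed straight at ms05112051-1670.exe, krqkm.exe, svchosts.exe and dls0523pmw.exe).

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log above, mixing the entries
# that later proved malicious with legitimate neighbours so both kinds get judged.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms05112051-1670] C:\WINDOWS\ms05112051-1670.exe
O4 - HKCU\..\Run: [krqk] C:\PROGRA~1\COMMON~1\krqk\krqkm.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# HJT quoting is inconsistent (note the stray quote after svchosts.exe), so take
# everything up to the first ".exe" as the executable path.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Reduce O4/O9/O23 lines to kind, display name, publisher (services only) and exe path."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O4", O4_RE), ("O9", O9_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                exe = EXE_RE.match(m.group("cmd"))
                entries.append({
                    "kind": kind,
                    "name": m.group("name"),
                    "owner": m.groupdict().get("owner", ""),
                    "path": exe.group("path") if exe else m.group("cmd"),
                    "line": line,
                })
                break
    return entries


def review_reasons(path: str, owner: str, line: str) -> List[str]:
    """Heuristic review triggers for one autostart/service entry (empty list = nothing odd)."""
    reasons = []
    directory, base = ntpath.split(path)
    stem = base.lower().rsplit(".", 1)[0]
    if "(file missing)" in line:
        reasons.append("target file missing")
    if "svchost" in base.lower() and base.lower() != "svchost.exe":
        reasons.append("svchost look-alike name")
    if re.search(r"\d{4}", stem) or (len(stem) >= 4 and not re.search(r"[aeiouy]", stem)):
        reasons.append("random-looking file name")
    if directory.lower() == r"c:\windows":
        reasons.append("executable directly in the Windows directory")
    if owner == "Unknown owner" and not directory.lower().startswith(r"c:\program files"):
        reasons.append("service with no publisher outside Program Files")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that tripped at least one heuristic, with the reasons."""
    flagged = []
    for entry in parse_entries(log_text):
        reasons = review_reasons(entry["path"], entry["owner"], entry["line"])
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def flagged_basenames(log_text: str) -> Dict[str, List[str]]:
    """Lower-cased executable name -> reasons, convenient for checks and reports."""
    return {ntpath.basename(h["path"]).lower(): h["reasons"] for h in triage(log_text)}


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT_LOG):
        print(f"{hit['kind']:>3} {ntpath.basename(hit['path']):<22} {'; '.join(hit['reasons'])}")
```

Run it against a full log and expect a handful of benign hits (unsigned vendor services in C:\WINDOWS, like LicCtrl here) alongside the real ones; the point is to shrink a 90-line log to the half dozen lines worth looking up, not to replace the lookup.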

#3 SWI Support Robot
Helper robot, SWI Bot, 23,523 posts

Posted 27 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 jedi
aequam memento rebus in arduis servare mentem (remember to keep a level head in hard times)
Emeritus, 15,830 posts

Posted 30 May 2007 - 01:07 PM

Hi,

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All;
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt here.
Next:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image: [image]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with the SDFix report and a fresh HiJackThis log.
jedi

#5 terps54424
Full Member, 13 posts

Posted 02 June 2007 - 12:00 PM

Thank you again jedi for taking the time to help. Sorry for the delay, as I was out on business for the week...

DrWeb:

apoint.exe;c:\program files\apoint;Trojan.LowZones.193;Deleted.;
atiptaxx.exe;c:\program files\ati technologies\ati control panel;Trojan.LowZones.193;Deleted.;
issch.exe;c:\program files\common files\installshield\updateservice;Trojan.LowZones.193;Deleted.;
isuspm.exe;c:\program files\common files\installshield\updateservice;Trojan.LowZones.193;Deleted.;
dvdlauncher.exe;c:\program files\cyberlink\powerdvd;Trojan.LowZones.193;Deleted.;
ifrmewrk.exe;c:\program files\intel\wireless\bin;Trojan.LowZones.193;Deleted.;
ituneshelper.exe;c:\program files\itunes;Trojan.LowZones.193;Deleted.;
qttask.exe;c:\program files\quicktime;Trojan.LowZones.193;Deleted.;
realplay.exe;c:\program files\real\realplayer;Trojan.LowZones.193;Deleted.;
winampa.exe;c:\program files\winamp;Trojan.LowZones.193;Deleted.;
ms05112051-1670.exe;c:\windows;BackDoor.Generic.1372;Deleted.;
tfswctrl.exe;c:\windows\system32\dla;Trojan.LowZones.193;Deleted.;
!update.exe;C:\Documents and Settings\LBJ\Local Settings\Temp;Adware.ClickSpring;Incurable.Moved.;
abc123eMPya.exe;C:\Documents and Settings\LBJ\Local Settings\Temp;Trojan.Fakealert;Deleted.;
abc123HzCua.exe;C:\Documents and Settings\LBJ\Local Settings\Temp;Trojan.Fakealert;Deleted.;
upd34.exe;C:\Documents and Settings\LBJ\Local Settings\Temp;Trojan.MulDrop.6074;Deleted.;
upd[1].exe;C:\Documents and Settings\LBJ\Local Settings\Temporary Internet Files\Content.IE5\IZ0ZIXMX;Trojan.MulDrop.6074;Deleted.;
sc[1].php;C:\Documents and Settings\LBJ\Local Settings\Temporary Internet Files\Content.IE5\STKLA38L;Trojan.Fakealert;Deleted.;
GTDownDE_87.ocx;C:\i386;Adware.Gdown;Incurable.Moved.;
Yazzle1122OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
system.dll;C:\Program Files\Common Files\{9C741CCD-0255-1033-0118-050408160001};Trojan.DownLoader.19109;Deleted.;
system.dll;C:\Program Files\Common Files\{9C741CCD-0256-1033-0118-050408160001};Trojan.DownLoader.19109;Deleted.;
system.dll;C:\Program Files\Common Files\{9C741CCD-063A-1033-0118-050408160001};Trojan.DownLoader.19109;Deleted.;
jusched.exe;C:\Program Files\Java\j2re1.4.2_03\bin;Trojan.LowZones.193;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Adware.Softomate;Incurable.Moved.;
Update.exe;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.14828;Deleted.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc10;Trojan.Rond;Deleted.;
ipwins.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc10;Trojan.Rond;Deleted.;
UnInstall.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc10;Trojan.Rond;Deleted.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc14;Trojan.Rond;Deleted.;
ipwins.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc14;Trojan.Rond;Deleted.;
UnInstall.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc14;Trojan.Rond;Deleted.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc2;Adware.Maxifiles;Incurable.Moved.;
ipwins.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc2;Adware.Maxifiles;Incurable.Moved.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc3;Trojan.Rond;Deleted.;
UnInstall.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc3;Trojan.Rond;Deleted.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc4;Trojan.Rond;Deleted.;
ipwins.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc4;Trojan.Rond;Deleted.;
UnInstall.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc4;Trojan.Rond;Deleted.;
ipwins.dll;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc5;Trojan.Rond;Deleted.;
ipwins.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc5;Trojan.Rond;Deleted.;
UnInstall.exe;C:\RECYCLER\S-1-5-21-1304943599-2640792928-3479869655-1006\Dc5;Trojan.Rond;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0007931.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537;Adware.WebHancer;Incurable.Moved.;
A0007932.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537;Adware.WebHancer;Incurable.Moved.;
A0007934.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537;Adware.WebHancer;Incurable.Moved.;
A0007935.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537;Adware.WebHancer;Incurable.Moved.;
A0007936.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP538\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP539\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP540\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP541\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP542\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP543\snapshot;Adware.WebHancer;Incurable.Moved.;
A0007954.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544;Adware.WebHancer;Incurable.Moved.;
A0007955.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544;Adware.WebHancer;Incurable.Moved.;
A0007969.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544;Adware.WebHancer;Incurable.Moved.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-6.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-7.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-8.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP544\snapshot;Adware.WebHancer;Incurable.Moved.;
A0007976.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545;Adware.WebHancer;Incurable.Moved.;
A0007977.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545;Adware.WebHancer;Incurable.Moved.;
A0007978.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545;Adware.WebHancer;Incurable.Moved.;
A0007990.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-4.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-5.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\snapshot;Adware.WebHancer;Incurable.Moved.;
A0007999.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP548;Adware.WebHancer;Incurable.Moved.;
A0008000.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP548;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP549\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP549\snapshot;Adware.WebHancer;Incurable.Moved.;
A0008016.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP550;Adware.WebHancer;Incurable.Moved.;
A0008017.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP550;Adware.WebHancer;Incurable.Moved.;
A0008018.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP550;Adware.WebHancer;Incurable.Moved.;
MFEX-2.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP550\snapshot;Adware.WebHancer;Incurable.Moved.;
MFEX-3.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP550\snapshot;Adware.WebHancer;Incurable.Moved.;
A0008246.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008247.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008249.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008250.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008255.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008258.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;BackDoor.Generic.1372;Deleted.;
A0008259.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP568;Adware.WebHancer;Incurable.Moved.;
A0008526.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.Proxy.493;Deleted.;
A0008527.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Adware.Macfa;Incurable.Moved.;
A0008528.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.DownLoader.17040;Deleted.;
A0008529.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.Rond;Deleted.;
A0008530.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.Rond;Deleted.;
A0008531.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.Rond;Deleted.;
A0008532.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.DownLoader.17040;Deleted.;
A0008533.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.DownLoader.17040;Deleted.;
A0008539.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577;Trojan.Proxy.493;Deleted.;
A0009108.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009109.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009110.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009111.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009112.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009113.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009114.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009115.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009116.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009117.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009118.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;BackDoor.Generic.1372;Deleted.;
A0009119.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009120.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.DownLoader.19109;Deleted.;
A0009121.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.DownLoader.19109;Deleted.;
A0009122.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.DownLoader.19109;Deleted.;
A0009123.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.LowZones.193;Deleted.;
A0009124.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.DownLoader.14828;Deleted.;
A0009125.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009126.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009127.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009128.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009129.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009130.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009131.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009132.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009133.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009134.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009135.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009136.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009137.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
A0009138.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP598;Trojan.Rond;Deleted.;
109uninst.exe;C:\WINDOWS;Trojan.Click.1166;Deleted.;
a.exe;C:\WINDOWS\system32;Trojan.DownLoader.12125;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\system32;Adware.Gdown;Incurable.Moved.;
core.sys;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.239;Deleted.;

SDFix:

SDFix: Version 1.85

Run by LBJ - Wed 05/30/2007 - 18:46:56.42

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
COM+ Messages
core

ImagePath:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213
system32\drivers\core.sys

COM+ Messages - Deleted
core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:ENABLED:0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\LBJ\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\LBJ\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mmf.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp

Finished


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:54:54 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\dls0523pmw.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\pasystem\pasystem.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [krqk] C:\PROGRA~1\COMMON~1\krqk\krqkm.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#6 jedi
Posted 02 June 2007 - 12:37 PM

Hi again,

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also:

Download GMER from here:
http://www.majorgeek...GMER_d5198.html

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 terps54424
Posted 02 June 2007 - 01:25 PM

ComboFix:

"LBJ" - 2007-06-02 14:05:09 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\WINDOWS\system32\unsvchosts.lzma"
"C:\WINDOWS\uni_e6h.exe"
"C:\WINDOWS\system32\drivers\core.cache.dsk"
"C:\WINDOWS\rau001978.exe"
"C:\WINDOWS\dls0523pmw.exe"
"C:\Program Files\Common Files\{9C741~3"
"C:\Program Files\Common Files\{9C741~2"
"C:\Program Files\Common Files\{9C741~1"

-- Purity Folders:

C:\WINDOWS\system32\YSTEM~1
C:\WINDOWS\YSTEM~1
C:\WINDOWS\ASKS~1
C:\Program Files\Common Files\FNTS~1
C:\Program Files\Common Files\ASKS~1
C:\Program Files\SCURIT~1
C:\DOCUME~1\LBJ\APPLIC~1\ICROSO~1.NET



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))


2007-06-02 11:19 <DIR> d-------- C:\Documents and Settings\LBJ\DoctorWeb
2007-06-02 11:19 <DIR> d-------- C:\DOCUME~1\LBJ\DoctorWeb
2007-05-27 18:15 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-24 18:14 <DIR> d-------- C:\HJT
2007-05-11 10:29 <DIR> d-------- C:\DOCUME~1\LBJ\APPLIC~1\Lavasoft
2007-05-10 11:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-10 11:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 18:10:48 1,433 --sha-w C:\WINDOWS\system32\mmf.sys
2007-06-02 15:20:20 -------- d-----w C:\Program Files\Winamp
2007-06-02 15:20:17 -------- d-----w C:\Program Files\QuickTime
2007-06-02 15:20:14 -------- d-----w C:\Program Files\iTunes
2007-06-02 15:19:59 -------- d-----w C:\Program Files\Apoint
2007-06-01 01:17:59 -------- d-----w C:\Program Files\VideoLAN
2007-05-10 14:57:24 -------- d-----w C:\Program Files\Viewpoint
2007-05-01 09:54:51 217,903 ----a-w C:\WINDOWS\Setup105.exe
2007-04-25 22:29:06 -------- d-----w C:\DOCUME~1\LBJ\APPLIC~1\SopCast
2007-04-25 22:28:44 -------- d-----w C:\Program Files\SopCast
2007-04-23 23:52:17 -------- d-----w C:\Program Files\Solecismic Software
2007-04-17 23:07:27 -------- d-----w C:\DOCUME~1\LBJ\APPLIC~1\vlc
2007-04-14 14:15:32 -------- d-----w C:\Program Files\pasystem
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TEJK\nHL4.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 02:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"krqk"="C:\PROGRA~1\COMMON~1\krqk\krqkm.exe" []
"PaSystem"="C:\Program Files\pasystem\pasystem.exe" [2007-04-11 19:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 14:11:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-02 14:12:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-02 14:12

--- E O F ---

GMER:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-02 14:24:36
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F1ED4C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE F1ED17C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ F1ECD60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE F1ECDAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION F1ED8958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION F1EDB821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA F1EE438A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA F1EE3D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS F1EDDBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION F1EDE331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION F1EEC4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL F1ED4B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL F1ED0948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL F1EDA46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN F1EEB79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL F1EEAC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP F1ED12FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP F1EEB1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F1EE61F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F2DB3701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F2DB3701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F2DB3701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F2DB3701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F2DB3701] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F2DB389D] tfsnifs.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\LicCtrl\LicCtrl\LicCtrl\LicCtrl

---- EOF - GMER 1.0.12 ----

#8 jedi
Posted 02 June 2007 - 06:33 PM

Hi again,

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"krqk"=-
"PaSystem"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Next:

Search for and delete these folders:

C:\Program Files\Common Files\krqk
C:\Program Files\pasystem


Next:

Please do the following:
Run a BitDefender Online scan Here and post the results.

Please also post a fresh HiJackThis log.

jedi

#9 terps54424
Posted 03 June 2007 - 10:15 AM

I deleted the folders and then went to do the BitDefender online scan. I was told I needed IE4+ to do so, so I downloaded IE7. I was prompted to restart to complete the installation, and I did that. When it rebooted, nothing came up to finish the install, nor could I try to run IE7 from anywhere. So I tried downloading again and found the same thing to happen after a reboot. I then downloaded the trial version of the software and ran an offline scan -- hopefully that is okay and provides the same function. That report is listed below. If I do need to figure out the way to do the online scan, please let me know.


//-----------------------------------------------------------------
//
// Product BitDefender Antivirus v10
// Product 10.2
//
// Created on: 03/06/2007 10:36:58
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 4329
Files : 46651
Memory processes scanned : 14
Archives : 4
Runtime packers : 1129
Identified viruses : 10
Infected files : 68
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 3
Moved files : 66
I/O errors : 8
Scan time : 00:30:55
Scan speed (files/sec) : 25

Spyware Statistics

Registry keys scanned : 1665
Registry keys infected : 1
Cookies scanned : 716
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 1


Virus definitions : 532320
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1180881417.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007931.exe Infected: Trojan.Dloader.AFR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007931.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007931.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007932.dll Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007932.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007932.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007934.exe Detected: Adware.Webhancer.AB
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007934.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007934.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007935.exe Infected: Trojan.Dloader.AFR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007935.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007935.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007936.dll Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007936.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007936.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007954.exe Infected: Trojan.Dloader.AFR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007954.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007954.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007955.dll Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007955.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007955.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007969.exe Detected: Adware.Webhancer.AB
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007969.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007969.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007976.exe Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007976.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007976.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007977.dll Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007977.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007977.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007978.dll Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007978.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007978.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007990.exe Detected: Adware.Webhancer.AB
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007990.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007990.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007999.dll Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007999.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0007999.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008000.dll Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008000.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008000.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008016.dll Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008016.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008016.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008017.exe Infected: Trojan.Dloader.AFR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008017.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008017.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008018.dll Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008018.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008018.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008249.exe Detected: Adware.Webhancer.AB
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008249.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008249.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008255.exe Infected: Trojan.Dloader.AFR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008255.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008255.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008527.exe Infected: Trojan.Downloader.Agent.ARA
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008527.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\A0008527.exe Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\ipwins.dll Detected: Adware.CommAd.A
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\ipwins.dll Deleted
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\ipwins.exe Detected: Adware.CommAd.A
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\ipwins.exe Deleted
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_0.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_1.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_2.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_3.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_4.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_5.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-1_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_0.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_1.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_2.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_3.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_4.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_5.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-2_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_0.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_1.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_2.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_3.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_4.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_5.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-3_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-5.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_0.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_1.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_2.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_3.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_4.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_5.DAT Detected: Adware.Webhancer.S
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-6_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_0.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_1.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_2.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_3.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_4.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_5.DAT Detected: Adware.WebHancer.P
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-7_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_0.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_0.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_0.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_1.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_1.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_1.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_2.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_2.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_2.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_3.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_3.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_3.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_4.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_4.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_4.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_5.DAT Detected: Application.Spyware.Webhancer.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_5.DAT Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\MFEX-8_5.DAT Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\system.dll Detected: Adware.Softomate.D
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\system.dll Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\system.dll Moved
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\Yazzle1122OinAdmin.exe Infected: Trojan.Downloader.PurityScan.AR
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\Yazzle1122OinAdmin.exe Disinfection failed
C:\Documents and Settings\LBJ\DoctorWeb\Quarantine\Yazzle1122OinAdmin.exe Moved
C:\WINDOWS\TEJK\nHL4.vbs Detected: Adware.Isearch.D
C:\WINDOWS\TEJK\nHL4.vbs Disinfection failed
C:\WINDOWS\TEJK\nHL4.vbs Moved


Logfile of HijackThis v1.99.1
Scan saved at 11:11:51 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\WINDOWS\notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#10 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 03 June 2007 - 10:32 AM

Hi again,

hopefully that is okay and provides the same function.

Yes, that's fine.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop LicCtrlService
sc delete LicCtrlService

Click File > Save As > Save as Type 'All Files', name the file delete.bat, then save it to the desktop. Go to the file delete.bat and double-click on it. OK any prompts.

Scan with HiJackThis and put a check in the box next to the following items, if present:

O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
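An added example, not part of jedi's instructions or anything posted in this thread: the same two sc commands from delete.bat, wrapped so that the console window stays open and everything sc prints is also written to a log file, since a bare batch file closes before the result can be read. The service name LicCtrlService and the binary path C:\WINDOWS\runservice.exe are taken from the O23 line in the HJT log above; the log file name and location are my own choice.

```batch
@echo off
REM Added example (not from the thread): stop and delete the LicCtrlService
REM service, logging the result of every step so it can be read afterwards.
set SVC=LicCtrlService
set LOG=%USERPROFILE%\Desktop\delete_service.log

echo === %DATE% %TIME% : removing service "%SVC%" === > "%LOG%"

REM 1. Record the service state and its configured binary before changing anything.
REM    (sc qc shows BINARY_PATH_NAME, here expected to be C:\WINDOWS\runservice.exe.)
echo --- before --- >> "%LOG%"
sc query "%SVC%" >> "%LOG%" 2>&1
sc qc "%SVC%" >> "%LOG%" 2>&1

REM 2. Stop the service. sc's own error text is kept in the log, e.g.
REM    1060 = service does not exist, 1062 = service has not been started.
echo --- sc stop --- >> "%LOG%"
sc stop "%SVC%" >> "%LOG%" 2>&1

REM 3. Give the Service Control Manager a few seconds to reach STOPPED
REM    (a ping to localhost is the usual batch-file sleep on Windows XP).
ping -n 4 127.0.0.1 > nul

REM 4. Remove the service registration. This only unregisters the service;
REM    the binary itself stays on disk and must be dealt with separately.
echo --- sc delete --- >> "%LOG%"
sc delete "%SVC%" >> "%LOG%" 2>&1

REM 5. Confirm removal: sc query should now report error 1060.
echo --- after --- >> "%LOG%"
sc query "%SVC%" >> "%LOG%" 2>&1

type "%LOG%"
echo.
echo The output above was also saved to "%LOG%". Press any key to close.
pause > nul
```

Run it from an administrator account; on a non-admin account sc reports access denied and the log will show that instead of STOPPED.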

#11 terps54424

terps54424

    Member

  • Full Member
  • 13 posts

Posted 03 June 2007 - 01:14 PM

Hi...thanks for the continued help. When I ran the delete.bat file, there were no prompts...the window opened and closed very quickly, and I couldn't read what the few lines were. Also, only the first entry was in the HJT log. Here's the newest one:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:04 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#12 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 03 June 2007 - 01:23 PM

Hi,

Also, only the first entry was in the HJT log

That's good, the batch file was meant to kill the other one. :thumbsup:

Ok, the log looks clean. How's the PC performing now?

jedi
jedi


#13 terps54424

terps54424

    Member

  • Full Member
  • 13 posts

Posted 03 June 2007 - 03:06 PM

Hi,

Also, only the first entry was in the HJT log

That's good, the batch file was meant to kill the other one. :thumbsup:

Ok, the log looks clean. How's the PC performing now?

jedi


Everything looks good :). Thank you for your help!

#14 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 04 June 2007 - 05:52 AM

You're welcome. :D

You may find this a useful read:

How did I get infected?

jedi :wave:
jedi


#15 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 08 June 2007 - 07:50 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi




