Win32:Trojan-gen. again!

Posted 2/22/2005 9:07 PM
#10246

Raist Member

Date Joined Nov 2016
Total Posts: 7
Hi all!
I'm aware that this subject has already been posted by matty_k. I tried to do what destroyer suggested, but somehow this didn't work. Although what I have is a bit different: it's called Win32:Trojan-gen. {UPX!}
Before I did what he suggested, I tried to delete it manually, which didn't work. Every time I deleted it, the Trojan would just reappear in a new file. For example, the infected file was c:\ documentssetting\local\...\win4.tmp; after I deleted this file, the infected file would reappear as C:\...\win5.tmp. Does anyone know how I can remove this trojan?? Oh, by the way, I'm using Avast!
I would highly appreciate any reply.
Thanks everyone!
Raist
Posted 2/22/2005 9:24 PM
#10247

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
Hi....

Download HijackThis
https://danborg.org/spy/HJT/hijackthis.exe
Put HJT in a permanent folder. Here's how to make the folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" . Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
Push the "Do a system scan and save a logfile" button.
Then highlight the entire log by pressing Ctrl+A, copy it, and post the log here.
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
Posted 2/22/2005 9:45 PM
#10250

Raist Member

Date Joined Nov 2016
Total Posts: 7
Thanks Emilio,

I did that; it seems like I have more viruses than I knew about (ezula and nkvdus). I tried to get rid of these two before, but somehow that didn't work either. I would be very grateful if you could tell me about these two as well! Thanks very, very much! Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:38:10 PM, on 2/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Personal\Alwil Software\Avast4\aswUpdSv.exe
D:\Personal\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Apoint2K\Apntex.exe
D:\Personal\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\System32\rundll32.exe
D:\Personal\Alwil Software\Avast4\ashMaiSv.exe
D:\Personal\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\msupdate.cmd
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
D:\Personal\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
D:\Personal\Webshots\WebshotsTray.exe
C:\WINDOWS\system32\ntvdm.exe
D:\PERSONAL\T-ONLINE\BSW4\ToDuCAlC.EXE
c:\progra~1\intern~1\iexplore.exe
D:\Personal\Hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://lookfor.cc/sp.php?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://lookfor.cc/sp.php?pin=10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.amazon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://lookfor.cc/sp.php?pin=10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://lookfor.cc?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = https://nkvd.us/1507/
N3 - Netscape 7: user_pref("browser.startup.homepage", "https://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\ab80symz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CPersonal%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\ab80symz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
O4 - HKLM\..\Run: [QuickTime Task] "D:\personal\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKLM\..\Run: [iHP-100] D:\Personal\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [Overnet] D:\Personal\eDonkey2000\edonkey2000.exe -t
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] D:\Personal\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\system32\msupdate.cmd"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Webshots.lnk = D:\Personal\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Personal\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Network Device Switch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - https://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14790E8C-D129-4D7E-AC0A-8EE54A45CAAB}: NameServer = 217.237.151.161 217.237.151.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{14790E8C-D129-4D7E-AC0A-8EE54A45CAAB}: NameServer = 217.237.151.161 217.237.151.33
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Personal\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Personal\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Personal\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trlokom OmniVPN (trlokom_omnivpn) - Unknown owner - D:\Personal\Firewall\OMNIVP~1\Trlokom\OmniVPN\APPLIC~1\\configmgr (file missing)

Thanks very very much!

Raist
Posted 2/22/2005 10:31 PM
#10253

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
-------------------------------
little help
-------------------------------
Show hidden files:
https://www.xtra.co.nz/help/0,,4155-1916458,00.html

Safe mode
https://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Disable System Restore
https://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
-------------------------------
little help
-------------------------------

Download Mwav (install)
https://www.spywareinfo.dk/download/mwav.exe

Download Ad-Aware SE (install and check for updates)
https://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot search&destroy (install and check for updates)
https://www.safer-networking.org/en/download/index.html

Download Reg Cleaner (install)
https://www.downseek.com/download/21692.asp

CCleaner (install)
https://www.ccleaner.com/

Download Advanced process termination
https://www.diamondcs.com.au/index.php?page=apt
(you don't have to install it; it's a standalone executable utility)

Download Dr.Delete
https://www.docsdownloads.com/Tier1/dr-delete.htm

NOT JUST YET, DON'T RUN ANY SCAN

1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS:
Check these entries in Hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://lookfor.cc/sp.php?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://lookfor.cc/sp.php?pin=10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.amazon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://lookfor.cc/sp.php?pin=10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://lookfor.cc?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = https://nkvd.us/1507/
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
O4 - HKLM\..\Run: [QuickTime Task] "D:\personal\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\system32\msupdate.cmd"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: Network Device Switch.lnk = ?
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - https://download.abacast.com/download/files/abasetup.cab
O23 - Service: Trlokom OmniVPN (trlokom_omnivpn) - Unknown owner - D:\Personal\Firewall\OMNIVP~1\Trlokom\OmniVPN\APPLIC~1\\configmgr (file missing)
FIX CHECKED......

5.RUN ADVANCED PROCESS TERMINATION
Check if these processes are running:
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\WINDOWS\system32\msupdate.cmd
C:\PROGRA~1\ezula\mmod.exe
If yes select them and press ALL in PROCESS CONTROL OPTIONS

RUN HIJACKTHIS AND CHECK IF THE "BAD ENTRIES" STILL EXIST
If yes, check them again
If no, follow the next steps

6.FIND AND DELETE FILES:
C:\PROGRA~1\EzButton\CP888M1.EXE (also folder EzButton)
C:\WINDOWS\system32\msupdate.cmd
C:\PROGRA~1\ezula\mmod.exe (also folder ezula)
C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL (also folder NEWDOTNET)

(If you have some problems with deleting files use Dr.Delete)

7.RUN SCANS:
run scan with Mwav (all scan options)
run scan with Ad-AwareSE (full system scan)
run scan with SpyBot
run scan with RegCleaner (tools---cleanup---do them all)

8.CLEANING
RUN CCleaner (analyze-----run cleaner)

9. ENABLE SYSTEM RESTORE

10.REBOOT TO THE NORMAL MODE

let me know if it worked.....
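The entries Emilio picked out above follow a handful of recognisable patterns: start and search pages rewritten to hosts nobody chose, BHOs and search hooks whose file is already gone, Run entries for executables sitting directly in C:\WINDOWS or carrying a gibberish name, a script run at logon, a third-party Winsock LSP (the O10 lines), and an ActiveX control fetched from a bare IP address. The script below is an added example for this thread; it is not part of HijackThis and was not posted by anyone in the discussion. It turns those judgements into rules and runs them over lines taken from the logs posted here. ADWARE_NAMES (components the thread treats as adware) and TRUSTED_HOSTS are assumptions chosen for the example, and the output is a shortlist for a person to confirm, not a verdict: a Start Page the owner set on purpose (amazon.com in Raist's log) shows up as "check" precisely so that the owner can say so.

```python
"""Triage a HijackThis v1.99 log using the rules a helper applies by eye.
Added example for this thread: not part of HijackThis and not posted by anyone
in it. ADWARE_NAMES and TRUSTED_HOSTS are assumptions chosen for the example."""
import re
import sys
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
# A Windows path up to a known module/script extension (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cmd|bat|tmp|cab|lnk)\b', re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
MISSING_MARKERS = ("(no file)", "(file missing)")
SCRIPT_EXTS = (".cmd", ".bat", ".tmp", ".vbs", ".pif", ".scr")
# Assumption: components this thread treats as adware (lower-case substring match).
ADWARE_NAMES = ("ezula", "newdot", "istsvc", "sidefind", "bullseye", "internet optimizer", "power scan")
# Assumption: hosts the machine's owner accepts as start/search pages.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "home.netscape.com"}

def parse(log_text):
    """Return (section, body, line) for every 'Rn - ...' / 'Onn - ...' entry."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            out.append((m["sec"], m["body"], line))
    return out

def looks_random(filename):
    """Lower-case, letters-only stem of 6+ characters with no vowel, e.g. qcvfdgvq.exe."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and stem.islower() and len(stem) >= 6 and not any(v in stem for v in "aeiou")

def reason(sec, body):
    """Return ('fix'|'check', why) for an entry that needs attention, else None."""
    lower = body.lower()
    if any(mk in lower for mk in MISSING_MARKERS):
        return ("fix", "points at a file that no longer exists (dangling entry)")
    hit = next((n for n in ADWARE_NAMES if n in lower), None)
    if hit:
        return ("fix", f"known adware component ({hit})")
    if sec in ("R0", "R1", "O16"):
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if sec == "O16":
            return ("fix", "ActiveX control downloaded from a bare IP address") if host and IP_RE.fullmatch(host) else None
        return ("check", f"start/search page points at {host}; confirm you chose it") if host and host not in TRUSTED_HOSTS else None
    if sec == "O1":
        return ("fix", "hosts file overrides name resolution for a public site")
    if sec == "O10":
        return ("fix", "third-party Winsock LSP; remove via its uninstaller or an LSP-aware tool, never by deleting the DLL")
    if sec == "O17":
        return ("check", "DNS servers set in the registry; confirm they belong to your ISP")
    if not body.isascii():
        return ("fix", "garbled registry value name")
    for path in PATH_RE.findall(body):
        name = path.rsplit("\\", 1)[-1]
        if WINDOWS_ROOT_RE.match(path):
            return ("fix", f"{name} lives directly in the Windows folder")
        if name.lower().endswith(SCRIPT_EXTS):
            return ("fix", f"{name} runs a script or temp file at logon")
        if looks_random(name):
            return ("fix", f"{name} has a random-looking name")
    return None

def triage(log_text):
    """Return [(level, why, line)] for every entry that needs attention, in log order."""
    findings = []
    for sec, body, line in parse(log_text):
        verdict = reason(sec, body)
        if verdict:
            findings.append((verdict[0], verdict[1], line))
    return findings

# Sample input: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://lookfor.cc/sp.php?pin=10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.amazon.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\system32\msupdate.cmd"
O4 - HKLM\..\Run: [qcvfdgvq] c:\windows\system32\qcvfdgvq.exe
O4 - HKLM\..\Run: [cq8AIGp5p] C:\WINDOWS\ykvmd.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - https://213.157.224.17/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14790E8C-D129-4D7E-AC0A-8EE54A45CAAB}: NameServer = 217.237.151.161 217.237.151.33
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for level, why, line in triage(text):
        print(f"[{level}] {line}\n        {why}")
```

Run it as `python hjt_triage.py hijackthis.log` to triage a saved log, or with no argument to see the sample. Two rules deserve a word: the dangling-entry rule fires on anything marked "(no file)" or "(file missing)", which is why the avast! Mail Scanner service shows up in both logs (HijackThis mis-parses the quoted path; the service itself is fine), and the random-name rule only fires on all-lower-case stems so that vendor names such as SynTPEnh or hkcmd are not caught.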
Posted 2/22/2005 10:40 PM
#10256

Raist Member

Date Joined Nov 2016
Total Posts: 7
Thanks for your quick answer, Emilio! I'll have to try it tomorrow since it's quite late already. I'll post the result as soon as I'm done with it!
Posted 2/24/2005 4:50 PM
#10364

nataly Member

Date Joined Nov 2016
Total Posts: 1
hello!
I'm sorry to bother you Emilio, but I would like to ask for some help too. I have the same problems as Raist, with Win32:Trojan-gen. {UPX!}. I also use Avast.
I did all you suggested, but because I am not as expert as you are, I would be really thankful if you would take a quick look at my log to tell me which of these files I have to check with HijackThis.
please help!!
thank you

natalija

here it is:

Logfile of HijackThis v1.99.1
Scan saved at 17:03:20, on 24.2.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.couldnotfind.com/search_page.html?&account_id=145499
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.couldnotfind.com/search_page.html?&account_id=145499
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.najdi.si/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.couldnotfind.com/search_page.html?&account_id=145499
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\za virus\s&d\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll (file missing)
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 1Ainternet - {3717DF55-0396-463d-98B7-647C7DC6898A} - C:\WINDOWS\System32\1Atoolbar\1Ainternet.dll
O4 - HKLM\..\Run: [mode] E:\NBDriver.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cq8AIGp5p] C:\WINDOWS\ykvmd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [qcvfdgvq] c:\windows\system32\qcvfdgvq.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [cq80+żÔÇč]Iú" ‹üžigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ykvmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Txclxskl] C:\Program Files\Gtftog\Cyalyz.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - https://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - https://213.157.224.17/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Posted 2/24/2005 6:24 PM
#10371

Raist Member

Date Joined Nov 2016
Total Posts: 7
Hi Emilio, it's me again.

I tried what you suggested, but I think something went wrong. As soon as I boot my computer and the Windows screen appears, it says "could not start DB server: socket( failed)" and afterwards a whole bunch of messages appear from avast!. In addition to that, I cannot surf the net. I can connect, but whenever I try to open Internet Explorer, IE says that it cannot find the page. I'm typing this from another computer. Please help!!

Thanks!
Posted 2/24/2005 10:30 PM
#10390

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
Download the WinsockXPfix utility on another computer and copy it to your PC...

Download WinsockXPfix
https://www.spychecker.com/download/download_winsockxpfix.html

Run this utility..... after that, reboot...

Or first try this (resets TCP/IP to defaults):
1.START
2.RUN
3.TYPE: netsh int ip reset c:\resetlog.txt
4.REBOOT

Post a new log after that......
----------------------------------------------------------------------
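Raist's loss of connectivity after step 6 is the classic result of removing a Layered Service Provider by deleting its DLL: the O10 lines in his first log show New.Net registered in the Winsock catalog, and every application socket has to load every provider listed there, so once NEWDOT~1.DLL is gone the chain fails for every program, not just Internet Explorer (hence the "socket( failed)" message at logon). `netsh int ip reset` rewrites the TCP/IP configuration but does not touch the Winsock catalog; rebuilding the catalog is what WinsockXPfix does, and what `netsh winsock reset` does on XP SP2 and later. The script below is an added example for this thread, not a tool from the posts: it reads the catalog and reports providers whose DLL no longer exists. The layout of the PackedCatalogItem value (provider path in the first 260 bytes, then the WSAPROTOCOL_INFO record) is an assumption about the Windows 2000/XP registry format, and the sample catalog is constructed for the example.

```python
"""Find Winsock LSP catalog entries whose provider DLL no longer exists.
Added example for this thread; not a tool from the posts. Assumed layout: each
provider is a subkey HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\<12-digit index> holding a REG_BINARY value
"PackedCatalogItem" whose first 260 bytes (MAX_PATH) are the NUL-terminated ANSI
path of the provider DLL, followed by the WSAPROTOCOL_INFO record."""
import os
import sys

MAX_PATH = 260
PROTOCOL_INFO_PLACEHOLDER = b"\0" * 372  # stands in for the WSAPROTOCOL_INFO record in sample data

def provider_path(packed):
    """Extract the provider DLL path from a PackedCatalogItem blob (assumed layout)."""
    return packed[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")

def default_exists(path):
    # %SystemRoot%-style variables are expanded the way the loader would on Windows.
    return os.path.exists(os.path.expandvars(path))

def broken_entries(catalog, exists=default_exists):
    """catalog: {entry_name: packed_bytes}. Return [(entry_name, dll_path)] whose DLL is missing."""
    return [(entry, provider_path(blob)) for entry, blob in sorted(catalog.items())
            if not exists(provider_path(blob))]

def make_packed_item(path, protocol_info=PROTOCOL_INFO_PLACEHOLDER):
    """Build a PackedCatalogItem blob; used here only to construct sample data."""
    raw = path.encode("latin-1")
    if len(raw) >= MAX_PATH:
        raise ValueError("path does not fit in MAX_PATH")
    return raw + b"\0" * (MAX_PATH - len(raw)) + protocol_info

def read_live_catalog():
    """Read the real catalog on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
    catalog = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                data, kind = winreg.QueryValueEx(sub, "PackedCatalogItem")
                if kind == winreg.REG_BINARY:
                    catalog[name] = data
    return catalog

# Constructed sample: two stock Microsoft providers and a leftover New.Net LSP
# whose DLL was deleted by hand, the state Raist's machine ended up in.
SAMPLE_CATALOG = {
    "000000000001": make_packed_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": make_packed_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000003": make_packed_item(r"C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL"),
}
SAMPLE_PRESENT = {r"%SystemRoot%\system32\mswsock.dll", r"%SystemRoot%\system32\rsvpsp.dll"}

if __name__ == "__main__":
    catalog = read_live_catalog() or SAMPLE_CATALOG
    exists = default_exists if catalog is not SAMPLE_CATALOG else (lambda p: p in SAMPLE_PRESENT)
    for entry, path in broken_entries(catalog, exists):
        print(f"catalog entry {entry}: provider {path} is missing")
```

On a live XP box the script only reports; it does not edit the catalog, because removing one entry by hand also requires renumbering the chain and the Num_Catalog_Entries value, which is exactly the job the reset tools do. The right order for an LSP such as New.Net is therefore: run its own uninstaller (or an LSP-aware remover) first, and only then delete whatever is left on disk.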
Posted 2/24/2005 10:52 PM
#10393

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
(for Natalija)

Hi Natalija.... nice name

.....the procedure will be similar to Raist's case...so download the programs and utilities mentioned above.....

after that start here.....

1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS:
Check these entries in Hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.couldnotfind.com/search_page.html?&account_id=145499
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.couldnotfind.com/search_page.html?&account_id=145499
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.couldnotfind.com/search_page.html?&account_id=145499
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll (file missing)
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cq8AIGp5p] C:\WINDOWS\ykvmd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [qcvfdgvq] c:\windows\system32\qcvfdgvq.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [cq80+żÔÇč]Iú" ‹üžigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ykvmd.exe
O4 - HKLM\..\Run: [Txclxskl] C:\Program Files\Gtftog\Cyalyz.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - https://213.157.224.17/activex/AxisCamControl.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
FIX CHECKED......

5.RUN ADVANCED PROCESS TERMINATION
Check if these processes are running:
C:\WINDOWS\ykvmd.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Power Scan\powerscan.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\windows\system32\qcvfdgvq.exe
C:\WINDOWS\farmmext.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Gtftog\Cyalyz.exe
C:\Program Files\ISTsvc\istsvc.exe
If yes select them and press ALL in PROCESS CONTROL OPTIONS

RUN HIJACKTHIS AND CHECK IF THE "BAD ENTRIES" STILL EXIST
If yes, check them again
If no, follow the next steps

6.FIND AND DELETE FILES:
C:\WINDOWS\ykvmd.exe
C:\Program Files\Internet Optimizer\optimize.exe (also folder Internet Optimizer)
C:\Program Files\Power Scan\powerscan.exe (also folder Power Scan)
C:\Program Files\BullsEye Network\bin\bargains.exe (also folder BullsEye Network)
C:\Program Files\Common files\updater\wupdater.exe (also folder updater)
C:\windows\system32\qcvfdgvq.exe
C:\WINDOWS\farmmext.exe
C:\Program Files\ISTsvc\istsvc.exe (also folder ISTsvc)
C:\Program Files\Gtftog\Cyalyz.exe (also folder Gtftog)
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\SideFind\sidefind.dll (also folder SideFind)
C:\WINDOWS\BTGrab.dll

(If you have some problems with deleting files use Dr.Delete)

7.RUN SCANS:
run scan with Mwav (all scan options)
run scan with Ad-AwareSE (full system scan)
run scan with SpyBot
run scan with RegCleaner (tools---cleanup---do them all)

8.CLEANING
RUN CCleaner (analyze-----run cleaner)

9.REBOOT TO THE NORMAL MODE

10. ONLINE SCAN:
before you do that disable your antivirus program....

do active online scan on: https://www.pandasoftware.com/activescan/com/activescan_principal.htm

11.ENABLE SYSTEM RESTORE

12.REBOOT

let me know if it worked.....
Posted 2/25/2005 7:41 PM
#10452

Raist Member

Date Joined Nov 2016
Total Posts: 7
Hi Emilio, it worked!! Thanks! Looks like the Win32:Trojan-gen is gone too; at least I haven't seen any warning from Avast yet. The only thing is that now, whenever I double click on my internet connection (T-Online, I live in Germany), a warning appears which says it detects a New.net application and asks me whether I want to uninstall this programme. Even if I say yes, the warning appears again as soon as I double click on the T-Online button again. it just says that the anyway, it would be great if you can help me again. Here's my new log.

Logfile of HijackThis v1.99.1
Scan saved at 8:29:25 PM, on 2/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Personal\Alwil Software\Avast4\aswUpdSv.exe
D:\Personal\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SMSC\Seticon.exe
D:\Personal\iRiver\iHP100\iHPDetect.exe
D:\Personal\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Personal\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Personal\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ntvdm.exe
D:\Personal\Hijackthis\hijackthis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "https://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\ab80symz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CPersonal%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\me\Application Data\Mozilla\Profiles\default\ab80symz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Personal\Overnet\incoming\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Personal\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKLM\..\Run: [iHP-100] D:\Personal\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [Overnet] D:\Personal\eDonkey2000\edonkey2000.exe -t
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [avast!] D:\Personal\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Personal\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Personal\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Personal\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Personal\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trlokom OmniVPN (trlokom_omnivpn) - Unknown owner - D:\Personal\Firewall\OMNIVP~1\Trlokom\OmniVPN\APPLIC~1\\configmgr (file missing)

Thanks very much Emilio!!
Posted 2/25/2005 9:45 PM
#10455
Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
Your log is clean......

Just check:
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Personal\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Trlokom OmniVPN (trlokom_omnivpn) - Unknown owner - D:\Personal\Firewall\OMNIVP~1\Trlokom\OmniVPN\APPLIC~1\\configmgr (file missing)
FIX CHECKED.....

Try looking in Add/Remove Programs for NewDotNet (new.net)....and uninstall New.net

Try to rescan with Ad-Aware SE and SpyBot; they could remove the new.net entries and files....

----------------------------------------------------------
Another solution:
Download LSPfix
https://danborg.org/spy/Newnet/LSPfix.exe
https://www.bleepingcomputer.com/forums/index.php?showtutorial=59

run it....unregister all newdotnet entries (dll)

run regedit.......
HKEY_CLASSES_ROOT\CLSID
delete the keys:
4A2AACF3-ADF6-11D5-98A9-00E018981B9E
DD521A1D-1F98-11D4-9676-00E018981B9E
DD770A75-CE18-11D5-98D8-00E018981B9E

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
delete the new.net value.....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
delete:
4A2AACF3-ADF6-11D5-98A9-00E018981B9E

after that reboot and try to find NewDotNet folder then delete also newdotnet.dll files......
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
Posted 2/25/2005 11:32 PM
#10460
Raist Member

Date Joined Nov 2016
Total Posts: 7
Thanks again for your reply. Tried to do what you suggested; unfortunately, I haven't been able to find any newdot nor any new.net application files at all. They're neither in LSPfix nor in regedit. Any idea where else they could be? I tried to look for the NewDotNet folder but couldn't find any either.
Posted 2/26/2005 12:58 AM
#10466
Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
From which program are you getting the warnings? (from the firewall or the antivirus)
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
Posted 2/26/2005 8:58 PM
#10515
Raist Member

Date Joined Nov 2016
Total Posts: 7
Hi Emilio! Sorry I didn't manage to reply earlier. Fixed the problem. Somehow the new.net file was installed in my internet provider's folder; I don't really know how it got there. Anyway, the problem's fixed. Thanks Emilio, you're the greatest!!!!!!!!!!!!!!
Posted 2/27/2005 5:42 AM
#10526
neverfail Member

Date Joined Nov 2016
Total Posts: 3
Hello, I just joined and am having the same problem with this virus. I was hoping someone could help me understand what HijackThis is reporting. Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:38 AM, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\winnt\system32\RxJGKXOc.exe
C:\WINNT\System32\admparse.exe
C:\WINNT\system32\RxJGKXOc.exe
C:\WINNT\system32\msupdate.cmd
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\WINNT\System32\?ttrib.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ABC18FAH\hijackthis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*https://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {E3D0A764-33AC-6278-8B2C-4BE60A8B02C2} - C:\WINNT\System32\ymdkejct.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RxJGKXOc.exe] c:\winnt\system32\RxJGKXOc.exe
O4 - HKLM\..\Run: [a398a28e26ff] C:\WINNT\System32\admparse.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINNT\system32\msupdate.cmd"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Mktman] C:\WINNT\System32\?ttrib.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: LimeShop Preferences - https://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - https://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - https://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - https://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - https://207.188.7.150/25b2036f14d229e14622/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104046569171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - https://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - https://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - https://www.live365.com/players/play365.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - https://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks for any help!!
Posted 3/2/2005 2:06 AM
#10632
neverfail Member

Date Joined Nov 2016
Total Posts: 3
ttp. I really need help with this. Anyone. Thanks............nf
Posted 3/2/2005 7:09 AM
#10637
Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
(for neverfail)

Hi Neverfail

------------------------------------
Show hidden files:
www.xtra.co.nz/help/0,,4155-1916458,00.html

Safe mode
service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Disable System Restore
vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
-------------------------------------

Download Ad-Aware SE (install and check for update)
www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot search&destroy(install and check for update)
www.safer-networking.org/en/download/index.html

Download stand-alone version of CWShreder v2.13
www.intermute.com/spysubtract/cwshredder_download.html

Download SysClean (sysclean.com file)
www.trendmicro.com/ftp/products/tsc/sysclean.com
Download pattern file for SysClean (unpack and copy with sysclean.com to the same folder)
www.trendmicro.com/download/pattern.asp

Download CCleaner
www.ccleaner.com/

Download Advanced process termination
www.diamondcs.com.au/index.php?page=apt
(you don't have to install it....it's only an executable utility)

Procedure:
1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS
check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*https://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.gateway.net/
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {E3D0A764-33AC-6278-8B2C-4BE60A8B02C2} - C:\WINNT\System32\ymdkejct.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [RxJGKXOc.exe] c:\winnt\system32\RxJGKXOc.exe
O4 - HKLM\..\Run: [a398a28e26ff] C:\WINNT\System32\admparse.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINNT\system32\msupdate.cmd"
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Mktman] C:\WINNT\System32\?ttrib.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - https://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - https://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - https://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - https://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - https://207.188.7.150/25b2036f14d229e14622/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104046569171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - https://www.live365.com/players/play365.cab
O19 - User stylesheet: (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
FIX CHECKED.........

5.RUN ADVANCED PROCESS TERMINATION
Check if these processes are still running:
C:\winnt\system32\RxJGKXOc.exe
C:\WINNT\System32\admparse.exe
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\WINNT\system32\msupdate.cmd
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\WINNT\System32\?ttrib.exe
If yes, kill them.....select them and press the "ALL" button in PROCESS CONTROL OPTIONS

6.FIND AND DELETE THESE FILES: (some files may not exist)
C:\winnt\system32\RxJGKXOc.exe
C:\WINNT\System32\admparse.exe
C:\Program Files\Preview AdService\PrevAdServ.exe (also folder Preview AdService)
C:\WINNT\system32\msupdate.cmd
C:\Documents and Settings\Owner\Application Data\dees.exe
C:\WINNT\System32\?ttrib.exe

7.SCANS:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with CWShreder
run scan with SysClean

8.CLEANING
run CCleaner (analyze---run cleaner)

9.ENABLE SYSTEM RESTORE

10.REBOOT

let me know if it worked....
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
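As an added example (not code from HijackThis, and not something Emilio or anyone in this thread posted), the Python helper below applies the checks this thread relies on to a HijackThis log: Emilio's earlier reply identifies NewDotNet by its three CLSIDs, and the procedure above picks out entries whose file is missing, an autorun given as a bare filename (wapdate.exe in the later log), executables started from a user's Application Data folder (dees.exe), a .cmd script registered in a Run key (msupdate.cmd), and a name HijackThis could not print (?ttrib.exe). The sample log is constructed from lines quoted in this thread plus one made-up NewDotNet BHO line whose path, C:\Program Files\NewDotNet\newdotnet.dll, is a placeholder; the reason strings and the heuristics themselves are mine, not HijackThis output.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags the patterns that recur in this thread: entries whose file is gone, autoruns
given as a bare filename, executables started from a user's profile, script files in
Run keys, names HijackThis printed with '?', and BHO CLSIDs the thread calls NewDotNet.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# CLSIDs Emilio lists in this thread as NewDotNet (new.net) registry keys.
NEWDOTNET_CLSIDS = {
    "4A2AACF3-ADF6-11D5-98A9-00E018981B9E",
    "DD521A1D-1F98-11D4-9676-00E018981B9E",
    "DD770A75-CE18-11D5-98D8-00E018981B9E",
}

# Locations a normal user can write to; an autorun living here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\temporary internet files\\")
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".pif", ".scr")

CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable part of a command line: quoted, or unquoted up to a known extension
# (unquoted paths containing spaces are common in these logs).
EXE_RE = re.compile(
    r'^(?P<exe>"[^"]+"|\S+(?:\s+\S+)*?\.(?:exe|com|cmd|bat|scr|pif|vbs|js))(?P<args>\s.*)?$',
    re.IGNORECASE,
)

# Constructed sample: lines quoted in this thread plus one placeholder NewDotNet BHO line.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINNT\system32\msupdate.cmd"
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Mktman] C:\WINNT\System32\?ttrib.exe
O4 - HKLM\..\RunServices: [win update] wapdate.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


@dataclass
class Finding:
    line: str
    reasons: list[str]


def parse_autorun(cmd: str) -> tuple[str, str]:
    """Split an O4 command line into (executable path, arguments)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe").strip('"'), (m.group("args") or "").strip()
    parts = cmd.split(None, 1)  # fall back to the first whitespace-delimited token
    return parts[0], (parts[1] if len(parts) > 1 else "")


def flag_executable(exe: str) -> list[str]:
    """Heuristics on one autorun executable; returns the reasons that applied."""
    reasons = []
    name = exe.rsplit("\\", 1)[-1]
    lower = exe.lower()
    if "\\" not in exe:
        reasons.append("bare filename, resolved by PATH search: find the real file")
    if "?" in name or not name.isascii():
        reasons.append("name has a character HijackThis could not print ('?'): lookalike of a system binary")
    if any(marker in lower for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile location")
    if lower.endswith(SCRIPT_EXTS):
        reasons.append("script file registered as an autorun")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, carrying every reason that applied."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("dangling entry: the referenced file no longer exists")
        m = CLSID_RE.search(line)
        if m and m.group(1).upper() in NEWDOTNET_CLSIDS:
            reasons.append("CLSID the thread identifies as NewDotNet (new.net)")
        m = O4_RE.match(line)
        if m:
            exe, _args = parse_autorun(m.group("cmd"))
            reasons.extend(flag_executable(exe))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

The heuristics only rank what to look at first: Preview AdService, which Emilio removes by name, sits on a plausible path with a plausible name and is not flagged, so an empty result from this script is not the same as a clean log. Run it directly to print the seven findings for the sample.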
Posted 3/2/2005 7:47 AM
#10640
Azlan Member

Date Joined Nov 2016
Total Posts: 3
Hi Emilio, I'm afraid I think I may be in the same boat as the others. I would really appreciate it if you would have a look at my logfile and tell me what I can do to get this damn virus off my PC. Appreciate it very much, thanks....


Logfile of HijackThis v1.99.1
Scan saved at 6:06:27 PM, on 2/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\WINDOWS\System32\RunDll32.exe
D:\WINDOWS\AGRSMMSG.exe
D:\program files\search-assistant\saap.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
D:\Program Files\Nikon\NkView6\NkvMon.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HP\hpcoretech\comp\hpdarc.exe
D:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: D:\WINDOWS\lbbho.dll - {A092C03F-6E08-41E8-8A92-D7CCF2F78ABE} - D:\WINDOWS\lbbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - D:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [win update] wapdate.exe
O4 - HKLM\..\Run: [SVX Control Service] svxhost.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\Run: [Cryptographic Service] D:\WINDOWS\System32\mqquvifs.exe
O4 - HKLM\..\Run: [saap] d:\program files\search-assistant\saap.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\RunServices: [win update] wapdate.exe
O4 - HKLM\..\RunServices: [SVX Control Service] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [SVX Control Service] svxhost.exe
O4 - HKCU\..\Run: [win update] wapdate.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{80282556-A4AA-4AD9-9E7D-D0E6D38FE361}: NameServer = 203.12.160.35 203.12.160.36
O18 - Protocol: bw+0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {2B5686A3-0D9D-402C-89A6-415754E1E8AF} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
Posted 3/2/2005 8:39 AM
#10642

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
(for Azlan)

Hi Azlan

[green]------------------------------------[/green]
Show hidden files:
www.xtra.co.nz/help/0,,4155-1916458,00.html

Safe mode
service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Disable System Restore
vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
[green]-------------------------------------[/green]

Download Ad-Aware SE (install and check for update)
www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot search&destroy(install and check for update)
www.safer-networking.org/en/download/index.html

Download SysClean (sysclean.com file)
www.trendmicro.com/ftp/products/tsc/sysclean.com
Download pattern file for SysClean (unpack and copy with sysclean.com to the same folder)
www.trendmicro.com/download/pattern.asp

Download last Stinger version
https://vil.nai.com/vil/averttools.asp#stinger

Download CCleaner
www.ccleaner.com/

Download Advanced process termination
www.diamondcs.com.au/index.php?page=apt
(you don't have to install it....it's only an executable utility)

[3][blue]Procedure: [/blue][/3]
1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS
Check:
O2 - BHO: D:\WINDOWS\lbbho.dll - {A092C03F-6E08-41E8-8A92-D7CCF2F78ABE} - D:\WINDOWS\lbbho.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - D:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [win update] wapdate.exe
O4 - HKLM\..\Run: [SVX Control Service] svxhost.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\Run: [Cryptographic Service] D:\WINDOWS\System32\mqquvifs.exe
O4 - HKLM\..\Run: [saap] d:\program files\search-assistant\saap.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [win update] wapdate.exe
O4 - HKLM\..\RunServices: [SVX Control Service] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [SVX Control Service] svxhost.exe
O4 - HKCU\..\Run: [win update] wapdate.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
FIX CHECKED.........

5.RUN ADVANCED PROCESS TERMINATION
Check if these processes are still running:
wapdate.exe
crsrs.exe
svxhost.exe
Winregs32.exe
D:\WINDOWS\System32\mqquvifs.exe
D:\program files\search-assistant\saap.exe
If yes kill them.....select and press "ALL" button in PROCESS CONTROL OPTIONS

6.FIND AND DELETE THESE FILES:(some files may not exist)
wapdate.exe
crsrs.exe
svxhost.exe
Winregs32.exe
D:\WINDOWS\System32\mqquvifs.exe
D:\program files\search-assistant\saap.exe (also the folder search-assistant)
D:\WINDOWS\lbbho.dll

7.SCANS:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with Stinger
run scan with SysClean

8.CLEANING
run CCleaner (analyze---run cleaner)

9.ENABLE SYSTEM RESTORE

10.REBOOT

let me know if it worked....
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
Posted 3/2/2005 8:58 AM
#10644

Azlan Member

Date Joined Nov 2016
Total Posts: 3
Thanks Emilio, will do what you say and let you know how it goes. Thanks a bunch.

Azlan
Posted 3/3/2005 7:26 AM
#10669

Moonbeam_Faery Member

Date Joined Nov 2016
Total Posts: 2
I also am having a "Win32:Trojan-gen. {UPX!}" problem.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:45 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\tbljqmnj.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [f0BCnqH] C:\WINDOWS\tbljqmnj.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\tbljqmnj.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104342875685
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Would very much appreciate some help. The avast popup warning is driving me nuts.
Thanks,
Megan
Posted 3/3/2005 9:25 AM
#10671

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
(for Moonbeam Faery)

Hi....

[green]-------------------------------[/green]
Show hidden files:
https://www.xtra.co.nz/help/0,,4155-1916458,00.html

Safe mode
https://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Disable System Restore
https://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
[green]-------------------------------[/green]

Download Mwav (install)
https://www.spywareinfo.dk/download/mwav.exe

Download SysClean (sysclean.com file)
https://www.trendmicro.com/ftp/products/tsc/sysclean.com
Download pattern file for SysClean (unpack and copy with sysclean.com to the same folder)
https://www.trendmicro.com/download/pattern.asp

Download Ad-Aware SE (install and check for updates)
https://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot search&destroy (install and check for updates)
https://www.safer-networking.org/en/download/index.html

Download last Stinger version
https://vil.nai.com/vil/averttools.asp#stinger

CCleaner (install)
https://www.ccleaner.com/

Download Advanced process termination
https://www.diamondcs.com.au/index.php?page=apt
(you don't have to install it....it's only an executable utility)

[3][blue]Procedure: [/blue] [/3]
1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS:
Check:
O4 - HKLM\..\Run: [f0BCnqH] C:\WINDOWS\tbljqmnj.exe
O4 - HKLM\..\Run: [-
] C:\WINDOWS\tbljqmnj.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104342875685
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
FIX CHECKED.......

5.RUN ADVANCED PROCESS TERMINATION
Check if this process is still running:
C:\WINDOWS\tbljqmnj.exe
If yes kill it.....select and press "ALL" button in PROCESS CONTROL OPTIONS

6.DELETE THIS FILE:
C:\WINDOWS\tbljqmnj.exe

7.SCANS:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with Mwav (all scan options)
run scan with Stinger
run scan with SysClean

8.CLEANING
run CCleaner (analyze---run cleaner)

9.ENABLE SYSTEM RESTORE

10.REBOOT

let me know if it worked....post new log here
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
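The checks Emilio applied by eye to the O4 and O23 lines in both procedures above (bare filenames that resolve through PATH, executables dropped straight into the Windows folder, the legacy RunServices key, value names dressed up as Windows components, services reported as "(file missing)") can be scripted. This is an added example, not code from the thread or from HijackThis: the regexes and the small watchlist are assumptions, and the sample log is assembled from lines posted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass, field
from typing import List

# O4 autostart entry:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service entry:   O23 - Service: <display name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A command that is only "something.exe" (no directory) is resolved via PATH at logon.
BARE_EXE_RE = re.compile(r"^[\w\-]+\.exe(\s.*)?$", re.IGNORECASE)
# Leading drive-letter path of a command, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)
# Value names from the thread that imitate Windows components (constructed watchlist).
IMPERSONATION = ("microsoft update", "win update", "cryptographic service", "auto updat")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def in_windows_root(cmd: str) -> bool:
    """True when the executable sits directly in \\WINDOWS, not in a subfolder."""
    m = PATH_RE.match(cmd.strip())
    if not m:
        return False
    parent = m.group("path").rsplit("\\", 1)[0]
    return parent.lower().endswith("\\windows")


def triage_line(line: str) -> Finding:
    """Collect the reasons (possibly none) why one HJT line deserves a closer look."""
    f = Finding(line.rstrip())
    m = O4_RE.match(f.line)
    if m:
        cmd, name, key = m.group("cmd").strip(), m.group("name").lower(), m.group("key")
        if BARE_EXE_RE.match(cmd.strip('"')):
            f.reasons.append("bare filename, resolved through PATH at logon")
        if in_windows_root(cmd):
            f.reasons.append("executable placed directly in the Windows folder")
        if key == "RunServices":
            f.reasons.append("legacy RunServices key")
        if any(tag in name for tag in IMPERSONATION):
            f.reasons.append("value name imitates a Windows component")
        return f
    m = O23_RE.match(f.line)
    if m and "(file missing)" in m.group("path"):
        f.reasons.append("service path reported as (file missing)")
    return f


def triage_log(text: str) -> List[Finding]:
    """Return only the lines that collected at least one reason."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f.reasons]


# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [win update] wapdate.exe
O4 - HKLM\..\Run: [Cryptographic Service] D:\WINDOWS\System32\mqquvifs.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\Run: [f0BCnqH] C:\WINDOWS\tbljqmnj.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

The QuickTime and MSN Messenger entries pass silently, which is the point: the script narrows the log to the handful of entries worth a human decision rather than making the decision itself.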
Posted 3/3/2005 7:55 PM
#10688

neverfail Member

Date Joined Nov 2016
Total Posts: 3
Thanks for the help. It appears to have worked. Twenty minutes of browsing and no virus. I really appreciate the assistance. Take care...........nf
Posted 3/3/2005 7:58 PM
#10689

Emilio (SVK) Advanced member

Date Joined Nov 2016
Total Posts: 1162
(to Neverfail)
post log to Private message...thx
Emilio[sup]29[/sup]

>Hijackthis<>FireFox<
Posted 3/4/2005 6:01 AM
#10700

Azlan Member

Date Joined Nov 2016
Total Posts: 3
Hi Emilio, I think the virus is gone so thank you very much. You are a legend! Only thing now is every time I boot the PC wants to configure my FAX but I don't even have a fax machine or the software for it. Thanks again for your help.
Azlan