
blue desktop won't go away...

Discussion in 'Virus & Other Malware Removal' started by RawkNRoll, Jan 22, 2007.

  1. RawkNRoll

    RawkNRoll Thread Starter

    Joined:
    Jan 22, 2007
    Messages:
    5
    Well, basically I decided to use Internet Explorer as opposed to Firefox to do some late night surfing, and suddenly out of the lower right hand corner a bubble came up (emerging from a big red X) saying something along the lines of "your computer has been infected by spyware etc etc," something along those lines (sorry for being really vague, I don't remember the specifics). I ran an Ad-Aware scan and a Symantec anti-virus scan. Found no viruses, but I did find some critical objects running the Ad-Aware scan; quarantined it and the red X and bubble went away. Well, I turned on the comp today and the desktop was completely blue. It'll flash my regular desktop at first, but once the icons come up the desktop just goes blue. I was told to run a HijackThis scan and show someone of professional knowledge this, so here ya go (hope it helps at all..)



    Logfile of HijackThis v1.99.1
    Scan saved at 5:34:36 PM, on 1/22/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Drivers\bwcsrv.exe
    C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\tgydjvnp.dll",setvm
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O18 - Filter: text/html - (no CLSID) - (no file)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\System32\Drivers\bwcsrv.exe
    O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


    Any help would be appreciated, thanks all
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. RawkNRoll

    RawkNRoll Thread Starter

    Joined:
    Jan 22, 2007
    Messages:
    5
    Sorry it took so long to reply..

    ComboFix 07-01-21 - Running from: "C:\Program Files\Mozilla Firefox"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\Dave\Application Data\Install.dat
    C:\DOCUME~1\Dave\Application Data\SearchToolbarCorp


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


    2007-01-22 17:15 118,804 --a------ C:\WINDOWS\system32\tgydjvnp.dll
    2007-01-22 16:47 118,804 --a------ C:\WINDOWS\system32\mfwqsdcy.dll
    2007-01-22 16:35 <DIR> d-------- C:\Program Files\Hijackthis
    2007-01-22 00:47 17,920 --a------ C:\WINDOWS\system32\xlibgfl254.dll
    2007-01-22 00:47 <DIR> d-------- C:\DOCUME~1\Dave\Application Data\ultra
    2007-01-19 15:37 118,804 --a------ C:\WINDOWS\system32\lugkecew.dll
    2007-01-19 15:16 372,480 -ra------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
    2007-01-19 15:16 19,840 -ra------ C:\WINDOWS\system32\drivers\BWCDRV.SYS
    2007-01-19 15:16 <DIR> d-------- C:\WINDOWS\LastGood
    2007-01-19 15:15 993,839 ---hs---- C:\WINDOWS\system\crad.ini2
    2007-01-19 15:07 <DIR> d-------- C:\WINDOWS\pss
    2007-01-19 15:00 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-01-17 01:17 <DIR> d-------- C:\DOCUME~1\Dave\Application Data\Viewpoint
    2007-01-12 00:22 1,536 --a------ C:\WINDOWS\system32\bwsvc_event.dll
    2007-01-12 00:21 9,600 -ra------ C:\WINDOWS\system32\BUFADPT.SYS
    2007-01-12 00:21 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
    2007-01-12 00:21 <DIR> d-------- C:\Program Files\BUFFALO
    2007-01-11 15:43 73,728 --a------ C:\WINDOWS\system32\drivers\bwcsrv.exe
    2007-01-11 15:43 15,360 --a------ C:\WINDOWS\system32\BWCINST.DLL
    2007-01-09 18:44 132,116 --a------ C:\WINDOWS\system32\dugajopo.dll
    2007-01-09 17:12 132,116 --a------ C:\WINDOWS\system32\rqvxqcds.dll
    2007-01-07 15:57 132,116 --a------ C:\WINDOWS\system32\ywdvhkhw.dll
    2007-01-05 23:39 81,684 --a------ C:\WINDOWS\system32\ixqkddmy.dll
    2007-01-05 23:36 132,116 --a------ C:\WINDOWS\system32\hyxpfalt.dll
    2006-12-28 23:08 <DIR> d-------- C:\Program Files\users
    2006-12-28 21:17 90,112 --a------ C:\WINDOWS\unvise32.exe
    2006-12-28 21:14 <DIR> d-------- C:\Program Files\Mosby Nursing Assistant
    2006-12-22 02:11 844,875 ---hs---- C:\WINDOWS\system\crad.bak1


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-22 18:45 -------- d-------- C:\Program Files\mozilla firefox
    2007-01-19 17:50 -------- d-------- C:\Program Files\vstoolbar
    2007-01-19 14:56 -------- d---s---- C:\DOCUME~1\Dave\Application Data\microsoft
    2007-01-17 21:59 -------- d-------- C:\Program Files\quicktime
    2007-01-17 21:59 -------- d-------- C:\Program Files\messenger
    2007-01-17 21:59 -------- d-------- C:\Program Files\hp dla
    2007-01-10 17:39 -------- d--h----- C:\Program Files\installshield installation information
    2006-12-28 21:17 118639 --a------ C:\Program Files\uninstal.log
    2006-12-17 17:41 -------- d-------- C:\Program Files\america online 9.0
    2006-12-13 17:14 118804 --a------ C:\WINDOWS\system32\llowqwdo.dll
    2006-11-27 23:47 -------- d-------- C:\Program Files\gch guitar academy
    2006-10-22 22:48 67604 --a------ C:\WINDOWS\system32\ibfgjiaq.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
    "SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
    "DllRunning"="rundll32.exe \"C:\\WINDOWS\\System32\\tgydjvnp.dll\",setvm"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MiniMavis.lnk"
    "backup"="C:\\WINDOWS\\pss\\MiniMavis.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\BRODER~1\\MAVISB~1\\MINIMA~1.EXE Main"
    "item"="MiniMavis"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tfswctrl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lugkecew"
    "hkey"="HKLM"
    "command"="rundll32.exe \"C:\\WINDOWS\\System32\\lugkecew.dll\",setvm"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="FreeRAM XP Pro"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP CD-DVD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hpcdtray"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HP CD-DVD\\Umbrella\\hpcdtray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP DLA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dlatray"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\HP DLA\\dlatray.exe\" /t"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RealPlay"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\darc

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    Completion time: 07-01-22 18:52:32
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  5. RawkNRoll

    RawkNRoll Thread Starter

    Joined:
    Jan 22, 2007
    Messages:
    5
    VundoFix V6.3.2

    Checking Java version...

    Java version is 1.5.0.4

    Scan started at 6:32:16 PM 1/23/2007

    Listing files found while scanning....

    C:\WINDOWS\system\crad.bak1
    C:\WINDOWS\system\crad.bak2
    C:\WINDOWS\system\crad.ini
    C:\WINDOWS\system\crad.ini2
    C:\WINDOWS\system\crad.tmp
    C:\WINDOWS\system\darc.dll
    C:\WINDOWS\System32\glaehhuj.dll
    C:\WINDOWS\System32\hgwrlkmx.dll
    C:\WINDOWS\system32\ixqkddmy.dll
    C:\WINDOWS\system32\llowqwdo.dll
    C:\WINDOWS\system32\lugkecew.dll
    C:\WINDOWS\System32\lyejpvbr.dll
    C:\WINDOWS\system32\mfwqsdcy.dll
    C:\WINDOWS\system32\odwqwoll.ini
    C:\WINDOWS\system32\pnvjdygt.ini
    C:\WINDOWS\System32\qckuofhd.dll
    C:\WINDOWS\system32\shaipaxq.exe
    C:\WINDOWS\system32\tgydjvnp.dll
    C:\WINDOWS\system32\wecekgul.ini
    C:\WINDOWS\System32\xvjgfxcu.dll
    C:\WINDOWS\system32\ycdsqwfm.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system\crad.bak1
    C:\WINDOWS\system\crad.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system\crad.bak2
    C:\WINDOWS\system\crad.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system\crad.ini
    C:\WINDOWS\system\crad.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system\crad.ini2
    C:\WINDOWS\system\crad.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system\crad.tmp
    C:\WINDOWS\system\crad.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system\darc.dll
    C:\WINDOWS\system\darc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ixqkddmy.dll
    C:\WINDOWS\system32\ixqkddmy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\llowqwdo.dll
    C:\WINDOWS\system32\llowqwdo.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lugkecew.dll
    C:\WINDOWS\system32\lugkecew.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mfwqsdcy.dll
    C:\WINDOWS\system32\mfwqsdcy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\odwqwoll.ini
    C:\WINDOWS\system32\odwqwoll.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pnvjdygt.ini
    C:\WINDOWS\system32\pnvjdygt.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\shaipaxq.exe
    C:\WINDOWS\system32\shaipaxq.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tgydjvnp.dll
    C:\WINDOWS\system32\tgydjvnp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wecekgul.ini
    C:\WINDOWS\system32\wecekgul.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ycdsqwfm.ini
    C:\WINDOWS\system32\ycdsqwfm.ini Has been deleted!

    Performing Repairs to the registry.
    Done!




    Logfile of HijackThis v1.99.1
    Scan saved at 6:55:53 PM, on 1/23/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Drivers\bwcsrv.exe
    C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\winstall.exe
    C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\PestTrap\PestTrap.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: (no name) - {72332373-A267-4E67-9E42-22124ECCF17B} - C:\WINDOWS\system\darc.dll (file missing)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\lyejpvbr.dll (file missing)
    O2 - BHO: (no name) - {F7AD8D6E-A10C-4702-B865-3789F740D22f} - C:\WINDOWS\System32\ypbagnce.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\System32\Drivers\bwcsrv.exe
    O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
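The logs in this thread show the usual Vundo/Virtumonde traits: an O4 Run entry where rundll32.exe loads an eight-letter random DLL from System32, an autorun in the drive root (C:\winstall.exe), unnamed O2 BHOs whose files are already gone, a dead text/html filter, an extra DLL appended to SecurityProviders, and .ini files whose names are the DLL names spelled backwards. The script below is an added example, not part of the thread or of HijackThis, ComboFix or VundoFix; it runs those checks over lines copied from the logs above, and the heuristics (regexes, the XP default SecurityProviders list) are this example's own assumptions.

```python
"""Triage helpers for the HijackThis / ComboFix / VundoFix output in this thread.

Added example, not code from the forum thread or from any of the tools it
mentions. The sample lines are copied from the logs posted above; the
heuristics are this example's own and match what those logs show.
"""
import re

# Default SecurityProviders value on Windows XP (assumption for this example);
# anything beyond these four is loaded into every process that uses SSPI.
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll",
                                 "digest.dll", "msnsspc.dll"}

# Eight lowercase letters directly under a directory: the naming scheme seen
# in the thread (tgydjvnp.dll, lugkecew.dll, ...). Case-sensitive on purpose
# so legitimate names such as NavLogon.dll do not match.
RANDOM_NAME = re.compile(r"\\([a-z]{8})\.(dll|exe|ini)\b")
# An executable sitting directly in the root of a drive (C:\winstall.exe).
ROOT_EXE = re.compile(r"\b[A-Z]:\\[^\\]+\.exe\b")
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")

# Constructed sample: lines taken from the two HijackThis logs in this thread.
HJT_SAMPLE = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\tgydjvnp.dll",setvm
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {72332373-A267-4E67-9E42-22124ECCF17B} - C:\WINDOWS\system\darc.dll (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
"""

# Constructed sample: part of the file list from the VundoFix output above.
VUNDOFIX_SAMPLE = [
    r"C:\WINDOWS\system32\ixqkddmy.dll",
    r"C:\WINDOWS\system32\llowqwdo.dll",
    r"C:\WINDOWS\system32\lugkecew.dll",
    r"C:\WINDOWS\system32\mfwqsdcy.dll",
    r"C:\WINDOWS\system32\odwqwoll.ini",
    r"C:\WINDOWS\system32\pnvjdygt.ini",
    r"C:\WINDOWS\system32\tgydjvnp.dll",
    r"C:\WINDOWS\system32\wecekgul.ini",
    r"C:\WINDOWS\system32\ycdsqwfm.ini",
]


def triage_hjt_line(line):
    """Return the reasons one HijackThis line looks suspicious ([] = clean)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind == "O4" and "rundll32.exe" in body.lower() and RANDOM_NAME.search(body):
        reasons.append("rundll32 loading a randomly named DLL")
    if kind == "O4" and ROOT_EXE.search(body):
        reasons.append("autorun executable in the drive root")
    if kind == "O2" and "(no name)" in body and (
            "(file missing)" in body or RANDOM_NAME.search(body)):
        reasons.append("unnamed BHO with a missing or randomly named DLL")
    if kind == "O18" and "(no CLSID)" in body and "(no file)" in body:
        reasons.append("dead text/html MIME filter left by a hijacker")
    return reasons


def triage_log(text):
    """Map every suspicious line of a HijackThis log to its reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_hjt_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def extra_security_providers(reg_value):
    """DLLs in a SecurityProviders value that are not part of the XP default."""
    names = {n.strip().lower() for n in reg_value.split(",") if n.strip()}
    return sorted(names - XP_DEFAULT_SECURITY_PROVIDERS)


def reversed_name_pairs(paths):
    """Pair each DLL with an .ini in the same directory whose base name is the
    DLL's name spelled backwards (llowqwdo.dll <-> odwqwoll.ini and so on)."""
    by_dir = {}
    for path in paths:
        directory, _, name = path.rpartition("\\")
        base, _, ext = name.lower().rpartition(".")
        by_dir.setdefault(directory.lower(), {})[(base, ext)] = path
    pairs = []
    for names in by_dir.values():
        for (base, ext), path in names.items():
            partner = names.get((base[::-1], "ini"))
            if ext == "dll" and partner:
                pairs.append((path, partner))
    return sorted(pairs)


if __name__ == "__main__":
    for line, reasons in triage_log(HJT_SAMPLE).items():
        print(line, "->", "; ".join(reasons))
    print(extra_security_providers(
        "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"))
    print(reversed_name_pairs(VUNDOFIX_SAMPLE))
```

On the sample above it flags the DllRunning rundll32 entry, C:\winstall.exe, the unnamed darc.dll BHO and the O18 filter, reports xlibgfl254.dll as the odd one out in SecurityProviders, and pairs four DLLs with their reversed-name .ini files.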
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    next

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory Objects
      • Sweep Windows Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  7. RawkNRoll

    RawkNRoll Thread Starter

    Joined:
    Jan 22, 2007
    Messages:
    5
    9:19 PM: Removal process completed. Elapsed time 00:00:52
    9:19 PM: Quarantining All Traces: yadro cookie
    9:19 PM: Quarantining All Traces: xren_cj cookie
    9:19 PM: Quarantining All Traces: xiti cookie
    9:19 PM: Quarantining All Traces: seeq cookie
    9:19 PM: Quarantining All Traces: zango cookie
    9:19 PM: Quarantining All Traces: xxx69 cookie
    9:19 PM: Quarantining All Traces: winantiviruspro cookie
    9:19 PM: Quarantining All Traces: teenax cookie
    9:19 PM: Quarantining All Traces: myaffiliateprogram.com cookie
    9:18 PM: Quarantining All Traces: www.mature-post cookie
    9:18 PM: Quarantining All Traces: frenchcum cookie
    9:18 PM: Quarantining All Traces: www.club-nikki cookie
    9:18 PM: Quarantining All Traces: clickxchange adware cookie
    9:18 PM: Quarantining All Traces: burstbeacon cookie
    9:18 PM: Quarantining All Traces: webpower cookie
    9:18 PM: Quarantining All Traces: ugo cookie
    9:18 PM: Quarantining All Traces: trb.com cookie
    9:18 PM: Quarantining All Traces: adrevolver cookie
    9:18 PM: Quarantining All Traces: toplist cookie
    9:18 PM: Quarantining All Traces: clicktracks cookie
    9:18 PM: Quarantining All Traces: reliablestats cookie
    9:18 PM: Quarantining All Traces: servlet cookie
    9:18 PM: Quarantining All Traces: searchadnetwork cookie
    9:18 PM: Quarantining All Traces: tvguide cookie
    9:18 PM: Quarantining All Traces: directtrack cookie
    9:18 PM: Quarantining All Traces: moviemonster cookie
    9:18 PM: Quarantining All Traces: pricegrabber cookie
    9:18 PM: Quarantining All Traces: passion cookie
    9:18 PM: Quarantining All Traces: partypoker cookie
    9:18 PM: Quarantining All Traces: outster cookie
    9:18 PM: Quarantining All Traces: offeroptimizer cookie
    9:18 PM: Quarantining All Traces: nextag cookie
    9:18 PM: Quarantining All Traces: mygeek cookie
    9:18 PM: Quarantining All Traces: monstermarketplace cookie
    9:18 PM: Quarantining All Traces: webtrends cookie
    9:18 PM: Quarantining All Traces: kinghost cookie
    9:18 PM: Quarantining All Traces: sb01 cookie
    9:18 PM: Quarantining All Traces: infospace cookie
    9:18 PM: Quarantining All Traces: ic-live cookie
    9:18 PM: Quarantining All Traces: screensavers.com cookie
    9:18 PM: Quarantining All Traces: hypertracker.com cookie
    9:18 PM: Quarantining All Traces: homestore cookie
    9:18 PM: Quarantining All Traces: clickandtrack cookie
    9:18 PM: Quarantining All Traces: herfirstanalsex cookie
    9:18 PM: Quarantining All Traces: gangbangsquad cookie
    9:18 PM: Quarantining All Traces: wegcash cookie
    9:18 PM: Quarantining All Traces: fastcompany cookie
    9:18 PM: Quarantining All Traces: exitexchange cookie
    9:18 PM: Quarantining All Traces: did-it cookie
    9:18 PM: Quarantining All Traces: dealtime cookie
    9:18 PM: Quarantining All Traces: overture cookie
    9:18 PM: Quarantining All Traces: danni cookie
    9:18 PM: Quarantining All Traces: clickzs cookie
    9:18 PM: Quarantining All Traces: customer cookie
    9:18 PM: Quarantining All Traces: 360i cookie
    9:18 PM: Quarantining All Traces: sexsuche cookie
    9:18 PM: Quarantining All Traces: cliks cookie
    9:18 PM: Quarantining All Traces: ccbill cookie
    9:18 PM: Quarantining All Traces: cassava cookie
    9:18 PM: Quarantining All Traces: callwave cookie
    9:18 PM: Quarantining All Traces: gostats cookie
    9:18 PM: Quarantining All Traces: goclick cookie
    9:18 PM: Quarantining All Traces: enhance cookie
    9:18 PM: Quarantining All Traces: burstnet cookie
    9:18 PM: Quarantining All Traces: btgrab cookie
    9:18 PM: Quarantining All Traces: tripod cookie
    9:18 PM: Quarantining All Traces: bizrate cookie
    9:18 PM: Quarantining All Traces: banner cookie
    9:18 PM: Quarantining All Traces: bannerspace cookie
    9:18 PM: Quarantining All Traces: a cookie
    9:18 PM: Quarantining All Traces: azjmp cookie
    9:18 PM: Quarantining All Traces: belnk cookie
    9:18 PM: Quarantining All Traces: ask cookie
    9:18 PM: Quarantining All Traces: askmen cookie
    9:18 PM: Quarantining All Traces: atwola cookie
    9:18 PM: Quarantining All Traces: tacoda cookie
    9:18 PM: Quarantining All Traces: adultrevenueservice cookie
    9:18 PM: Quarantining All Traces: bpath cookie
    9:18 PM: Quarantining All Traces: cc214142 cookie
    9:18 PM: Quarantining All Traces: belointeractive cookie
    9:18 PM: Quarantining All Traces: specificclick.com cookie
    9:18 PM: Quarantining All Traces: hbmediapro cookie
    9:18 PM: Quarantining All Traces: adlegend cookie
    9:18 PM: Quarantining All Traces: adknowledge cookie
    9:18 PM: Quarantining All Traces: adjuggler cookie
    9:18 PM: Quarantining All Traces: adecn cookie
    9:18 PM: Quarantining All Traces: yieldmanager cookie
    9:18 PM: Quarantining All Traces: about cookie
    9:18 PM: Quarantining All Traces: go.com cookie
    9:18 PM: Quarantining All Traces: websponsors cookie
    9:18 PM: Quarantining All Traces: whenu savenow
    9:18 PM: Quarantining All Traces: pesttrap
    9:18 PM: Quarantining All Traces: rx toolbar
    9:18 PM: Quarantining All Traces: trojan-downloader-pacisoft
    9:18 PM: Quarantining All Traces: maxifiles
    9:18 PM: Quarantining All Traces: Java/DownLdr-A
    9:18 PM: Quarantining All Traces: Troj/Counto-H
    9:18 PM: Quarantining All Traces: spysheriff fakealert
    9:18 PM: Quarantining All Traces: vs toolbar
    9:18 PM: Quarantining All Traces: virtumonde
    9:18 PM: Removal process initiated
    9:16 PM: Traces Found: 184
    9:16 PM: Custom Sweep has completed. Elapsed time 01:08:13
    9:16 PM: File Sweep Complete, Elapsed Time: 00:55:27
    9:11 PM: C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-1f442ed4-5c4584a4.zip (ID = 0)
    9:11 PM: C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-3c3cda8e.zip (ID = 0)
    9:11 PM: Found Java/DownLdr-A: Java/DownLdr-A
    9:10 PM: Warning: Failed to access drive D:
    9:00 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\enu\rdrmsgenu.pdf]
    9:00 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\enu\read0600win_enuyhoo0010.pdf]
    9:00 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\websearch\websearchenu.pdf]
    9:00 PM: C:\WINDOWS\system32\ibfgjiaq.exe (ID = 539)
    9:00 PM: C:\VundoFix Backups\shaipaxq.exe.bad (ID = 539)
    8:59 PM: C:\VundoFix Backups\ixqkddmy.dll.bad (ID = 0)
    8:59 PM: Found Troj/Counto-H: Troj/Counto-H
    8:59 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\dave\application data\adobe\acrobat\7.0\messages\enu\read0700win_enuadbe0700.pdf]
    8:54 PM: Warning: Failed to open file "c:\documents and settings\dave\application data\mozilla\firefox\profiles\tz4ljccn.default\parent.lock". The operation completed successfully
    8:54 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\dave\my documents\exe files\aawsepersonal.exe]
    8:43 PM: C:\Program Files\Windows Media Player\wmplayer.exe.tmp (ID = 198606)
    8:43 PM: Found Trojan Horse: trojan-downloader-pacisoft
    8:42 PM: Warning: AntiVirus engine returned [Access Denied] on [c:\pagefile.sys]
    8:39 PM: Warning: AntiVirus engine returned [Access Denied] on [c:\hiberfil.sys]
    8:36 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\lavasoft\ad-aware se personal\skins\ad-aware se default.ask]
    8:31 PM: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\rdrmsgsplash.pdf]
    8:21 PM: C:\Program Files\VSToolbar (ID = 2147531659)
    8:20 PM: Starting File Sweep
    8:20 PM: Warning: Failed to access drive A:
    8:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3749)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3743)
    8:20 PM: Found Spy Cookie: yadro cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected]_cj[1].txt (ID = 3723)
    8:20 PM: Found Spy Cookie: xren_cj cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3717)
    8:20 PM: Found Spy Cookie: xiti cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3332)
    8:20 PM: Found Spy Cookie: seeq cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3761)
    8:20 PM: Found Spy Cookie: zango cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3732)
    8:20 PM: Found Spy Cookie: xxx69 cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3690)
    8:20 PM: Found Spy Cookie: winantiviruspro cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3504)
    8:20 PM: Found Spy Cookie: teenax cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3312)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3298)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3032)
    8:20 PM: Found Spy Cookie: myaffiliateprogram.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3703)
    8:20 PM: Found Spy Cookie: www.mature-post cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2707)
    8:20 PM: Found Spy Cookie: frenchcum cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2657)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2420)
    8:20 PM: Found Spy Cookie: www.club-nikki cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2409)
    8:20 PM: Found Spy Cookie: clickxchange adware cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2337)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2335)
    8:20 PM: Found Spy Cookie: burstbeacon cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3660)
    8:20 PM: Found Spy Cookie: webpower cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3592)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3608)
    8:20 PM: Found Spy Cookie: ugo cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3599)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3587)
    8:20 PM: Found Spy Cookie: trb.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2089)
    8:20 PM: Found Spy Cookie: adrevolver cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3557)
    8:20 PM: Found Spy Cookie: toplist cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2070)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2295)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 6444)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2407)
    8:20 PM: Found Spy Cookie: clicktracks cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3254)
    8:20 PM: Found Spy Cookie: reliablestats cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][4].txt (ID = 3345)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3345)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3345)
    8:20 PM: Found Spy Cookie: servlet cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3311)
    8:20 PM: Found Spy Cookie: searchadnetwork cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3600)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3600)
    8:20 PM: Found Spy Cookie: tvguide cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2528)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2528)
    8:20 PM: Found Spy Cookie: directtrack cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3011)
    8:20 PM: Found Spy Cookie: moviemonster cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3682)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3185)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3186)
    8:20 PM: Found Spy Cookie: pricegrabber cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3113)
    8:20 PM: Found Spy Cookie: passion cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3111)
    8:20 PM: Found Spy Cookie: partypoker cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3103)
    8:20 PM: Found Spy Cookie: outster cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3087)
    8:20 PM: Found Spy Cookie: offeroptimizer cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 5014)
    8:20 PM: Found Spy Cookie: nextag cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2295)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3041)
    8:20 PM: Found Spy Cookie: mygeek cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3006)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3006)
    8:20 PM: Found Spy Cookie: monstermarketplace cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3669)
    8:20 PM: Found Spy Cookie: webtrends cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2903)
    8:20 PM: Found Spy Cookie: kinghost cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3288)
    8:20 PM: Found Spy Cookie: sb01 cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2865)
    8:20 PM: Found Spy Cookie: infospace cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2821)
    8:20 PM: Found Spy Cookie: ic-live cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3298)
    8:20 PM: Found Spy Cookie: screensavers.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2817)
    8:20 PM: Found Spy Cookie: hypertracker.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2793)
    8:20 PM: Found Spy Cookie: homestore cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2397)
    8:20 PM: Found Spy Cookie: clickandtrack cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2769)
    8:20 PM: Found Spy Cookie: herfirstanalsex cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2767)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2728)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2747)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2720)
    8:20 PM: Found Spy Cookie: gangbangsquad cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2494)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3682)
    8:20 PM: Found Spy Cookie: wegcash cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2655)
    8:20 PM: Found Spy Cookie: fastcompany cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2633)
    8:20 PM: Found Spy Cookie: exitexchange cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2729)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2293)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2523)
    8:20 PM: Found Spy Cookie: did-it cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2505)
    8:20 PM: Found Spy Cookie: dealtime cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3106)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3106)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3106)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3106)
    8:20 PM: Found Spy Cookie: overture cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2493)
    8:20 PM: Found Spy Cookie: danni cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2413)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2413)
    8:20 PM: Found Spy Cookie: clickzs cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2481)
    8:20 PM: Found Spy Cookie: customer cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 1962)
    8:20 PM: Found Spy Cookie: 360i cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3360)
    8:20 PM: Found Spy Cookie: sexsuche cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2414)
    8:20 PM: Found Spy Cookie: cliks cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2369)
    8:20 PM: Found Spy Cookie: ccbill cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2362)
    8:20 PM: Found Spy Cookie: cassava cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2342)
    8:20 PM: Found Spy Cookie: callwave cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2748)
    8:20 PM: Found Spy Cookie: gostats cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2733)
    8:20 PM: Found Spy Cookie: goclick cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2614)
    8:20 PM: Found Spy Cookie: enhance cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2336)
    8:20 PM: Found Spy Cookie: burstnet cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2333)
    8:20 PM: Found Spy Cookie: btgrab cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3592)
    8:20 PM: Found Spy Cookie: tripod cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2308)
    8:20 PM: Found Spy Cookie: bizrate cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2294)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2292)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2276)
    8:20 PM: Found Spy Cookie: banner cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2284)
    8:20 PM: Found Spy Cookie: bannerspace cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2027)
    8:20 PM: Found Spy Cookie: a cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2270)
    8:20 PM: Found Spy Cookie: azjmp cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2255)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2293)
    8:20 PM: Found Spy Cookie: belnk cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2245)
    8:20 PM: Found Spy Cookie: ask cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2247)
    8:20 PM: Found Spy Cookie: askmen cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2256)
    8:20 PM: Found Spy Cookie: atwola cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 6445)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 6445)
    8:20 PM: Found Spy Cookie: tacoda cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2038)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2167)
    8:20 PM: Found Spy Cookie: adultrevenueservice cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2321)
    8:20 PM: Found Spy Cookie: bpath cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2367)
    8:20 PM: Found Spy Cookie: cc214142 cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2295)
    8:20 PM: Found Spy Cookie: belointeractive cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3400)
    8:20 PM: Found Spy Cookie: specificclick.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2768)
    8:20 PM: Found Spy Cookie: hbmediapro cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2074)
    8:20 PM: Found Spy Cookie: adlegend cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2072)
    8:20 PM: Found Spy Cookie: adknowledge cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2069)
    8:20 PM: Found Spy Cookie: adjuggler cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2063)
    8:20 PM: Found Spy Cookie: adecn cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 3751)
    8:20 PM: Found Spy Cookie: yieldmanager cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][3].txt (ID = 2037)
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][2].txt (ID = 2037)
    8:20 PM: Found Spy Cookie: about cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 2729)
    8:20 PM: Found Spy Cookie: go.com cookie
    8:20 PM: c:\documents and settings\dave\cookies\[email protected][1].txt (ID = 3665)
    8:20 PM: Found Spy Cookie: websponsors cookie
    8:20 PM: Starting Cookie Sweep
    8:20 PM: Registry Sweep Complete, Elapsed Time:00:00:49
    8:20 PM: HKU\S-1-5-21-1547161642-484763869-1343024091-1003\atlmon.reusablecomp.5\ (ID = 1589917)
    8:20 PM: HKU\S-1-5-21-1547161642-484763869-1343024091-1003\software\microsoft\windows\currentversion\run\ || pesttrap (ID = 1134881)
    8:20 PM: Found Adware: pesttrap
    8:19 PM: HKLM\software\classes\clsid\{013a653b-49a6-4f76-8b68-e4875ea6ba54}\ (ID = 1911573)
    8:19 PM: HKCR\clsid\{013a653b-49a6-4f76-8b68-e4875ea6ba54}\ (ID = 1911569)
    8:19 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{7da39570-5fd2-4f18-94b4-20730cb3f727}\ (ID = 1910316)
    8:19 PM: HKLM\software\classes\clsid\{7da39570-5fd2-4f18-94b4-20730cb3f727}\ (ID = 1909462)
    8:19 PM: HKCR\clsid\{7da39570-5fd2-4f18-94b4-20730cb3f727}\ (ID = 1909458)
    8:19 PM: HKLM\software\classes\clsid\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4}\ (ID = 1895276)
    8:19 PM: HKCR\clsid\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4}\ (ID = 1895271)
    8:19 PM: HKLM\software\classes\clsid\{f18f04b0-9cf1-4b93-b004-77a288bee28b}\ (ID = 1827777)
    8:19 PM: HKCR\clsid\{f18f04b0-9cf1-4b93-b004-77a288bee28b}\ (ID = 1827773)
    8:19 PM: HKLM\software\microsoft\juan\ (ID = 1781228)
    8:19 PM: Found Adware: maxifiles
    8:19 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
    8:19 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
    8:19 PM: HKLM\software\microsoft\windows\currentversion\run\ || semanticinsight (ID = 1134762)
    8:19 PM: Found Adware: rx toolbar
    8:19 PM: HKLM\software\classes\wusn.1\ (ID = 635554)
    8:19 PM: HKCR\wusn.1\ (ID = 635412)
    8:19 PM: HKCR\wusn.1\ (ID = 140463)
    8:19 PM: Found Adware: whenu savenow
    8:19 PM: Starting Registry Sweep
    8:19 PM: Memory Sweep Complete, Elapsed Time: 00:10:48
    8:08 PM: Warning: AntiVirus engine returned [Access Denied] on [C:\WINDOWS\System32\ypbagnce.dll]
    8:08 PM: Warning: AntiVirus engine returned [Access Denied] on [C:\WINDOWS\System32\lyejpvbr.dll]
    8:08 PM: Warning: AntiVirus engine returned [Access Denied] on [C:\WINDOWS\system\darc.dll]
    8:08 PM: Starting Memory Sweep
    8:08 PM: HKU\S-1-5-21-1547161642-484763869-1343024091-1003\software\microsoft\windows\currentversion\run\ || windows installer (ID = 1247030)
    8:08 PM: Found Adware: spysheriff fakealert
    8:08 PM: HKLM\software\classes\clsid\{3fd6b99c-a275-46ea-8fd1-3d63986e51e4}\inprocserver32\ (ID = 1895994)
    8:08 PM: HKLM\software\classes\clsid\{f18f04b0-9cf1-4b93-b004-77a288bee28b}\inprocserver32\ (ID = 1848260)
    8:08 PM: Found Adware: vs toolbar
    8:08 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
    8:08 PM: Found Adware: virtumonde
    8:08 PM: Start Custom Sweep
    8:08 PM: Sweep initiated using definitions version 844
    8:08 PM: Spy Sweeper 5.2.3.2138 started
    8:08 PM: | Start of Session, Tuesday, January 23, 2007 |
    ********
    8:08 PM: | End of Session, Tuesday, January 23, 2007 |
    8:06 PM: Your virus definitions have been updated.
    8:05 PM: Informational: Loaded AntiVirus Engine: 2.41.0; SDK Version: 4.13; Virus Definitions: 1/18/2007 12:34:56 PM (GMT)
    8:04 PM: Your spyware definitions have been updated.
    7:59 PM: IE Security Shield: found: C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTRAY.EXE -- IE Security modification denied
    Keylogger: Off
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites: Off
    Hosts File Shield: On
    Internet Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    7:55 PM: Shield States
    7:55 PM: Spyware Definitions: 816
    7:55 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
    7:54 PM: Spy Sweeper 5.2.3.2138 started
    7:54 PM: Spy Sweeper 5.2.3.2138 started
    7:54 PM: | Start of Session, Tuesday, January 23, 2007 |
    ******
     
  8. RawkNRoll

    RawkNRoll Thread Starter

    Joined:
    Jan 22, 2007
    Messages:
    5
    Logfile of HijackThis v1.99.1
    Scan saved at 9:22:40 PM, on 1/23/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Drivers\bwcsrv.exe
    C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: (no name) - {72332373-A267-4E67-9E42-22124ECCF17B} - C:\WINDOWS\system\darc.dll (file missing)
    O2 - BHO: (no name) - {F7AD8D6E-A10C-4702-B865-3789F740D22f} - C:\WINDOWS\System32\ypbagnce.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\System32\Drivers\bwcsrv.exe
    O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
Well, Spy Sweeper found & fixed quite a lot.

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.


Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix Checked.


    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: (no name) - {72332373-A267-4E67-9E42-22124ECCF17B} - C:\WINDOWS\system\darc.dll (file missing)
    O2 - BHO: (no name) - {F7AD8D6E-A10C-4702-B865-3789F740D22f} - C:\WINDOWS\System32\ypbagnce.dll (file missing)
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll



Now start Killbox and paste the first file listed below into the full pathname and file to delete box.

The file name will appear in the window; select delete on reboot, press the red X button, say yes to the prompt and NO to reboot now, then repeat for each file in turn.

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

    C:\Program Files\Need2Find\

Then on the Killbox top bar press Tools/Delete Temp Files. In the pop-up box, towards the middle, is a drop-down box containing a list of all user accounts. In this drop-down user account box select your account, select ALL options it will allow you to, then press Delete Selected Temp Files, then repeat for every user account listed in that drop-down box.

Then reboot.
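As an added example (not part of this thread and not code from HijackThis, Killbox or Webroot): a small Python triage script that parses HijackThis log lines like the ones posted above and flags the kinds of entries the moderator picked out. The flagging rules, the Entry/parse_line/assess/triage names and the UNWANTED_NAMES list are my own assumptions for the example; the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage helper for HijackThis logs (added example, not HijackThis's own code).

It parses the "Oxx - ..." entry lines, pulls out the CLSID and file path, and
flags entries that match review heuristics chosen for this example:
  * a referenced file is missing,
  * the component has no name,
  * a filter has no CLSID and no file,
  * the entry names a program already identified as unwanted.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry lines look like "O2 - BHO: name - {CLSID} - C:\path\file.dll (file missing)".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path, stopping before a trailing " (file missing)" marker.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?(?= \(file missing\)|$)")

# Product names the moderator told the poster to remove (taken from the thread).
UNWANTED_NAMES = ("need2find",)

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {72332373-A267-4E67-9E42-22124ECCF17B} - C:\WINDOWS\system\darc.dll (file missing)
O2 - BHO: (no name) - {F7AD8D6E-A10C-4702-B865-3789F740D22f} - C:\WINDOWS\System32\ypbagnce.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


@dataclass
class Entry:
    section: str                 # e.g. "O2"
    body: str                    # everything after "O2 - "
    clsid: Optional[str]         # "{...}" if present
    path: Optional[str]          # file path if present
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for headers/process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(m.group("section"), body,
                 clsid.group(0) if clsid else None,
                 path.group(0) if path else None)


def assess(entry: Entry) -> Entry:
    """Attach the review reasons that apply to an entry (heuristics for this example)."""
    body, low = entry.body, entry.body.lower()
    if "(file missing)" in body:
        entry.reasons.append("referenced file is missing")
    if "(no name)" in body:
        entry.reasons.append("component has no name")
    if "(no clsid)" in low or "(no file)" in low:
        entry.reasons.append("filter has no CLSID or file")
    for name in UNWANTED_NAMES:
        if name in low:
            entry.reasons.append(f"matches unwanted program '{name}'")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and return only the entries worth reviewing, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:>4} | {e.body}\n       -> {'; '.join(e.reasons)}")
```

Entries without a reason (the Adobe BHO, the Symantec service) pass through unflagged, which is the point: the script narrows a long log to the handful of lines a human still has to judge.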
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
Next, why are you still on XP Gold with no service packs?
You should be on SP2 by now.

    • Please go here using Internet Explorer.
    • Click on "Windows Validation Assistant"
    • Click on the "Validate Now" button.
    • Be patient while the ActiveX loads, do not click on any links.
    • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
    • Enter your product key then click "continue"
    • When it says "Validation Complete" please click "Continue to return to your previous activity"
    • Copy what it says and paste it here.
     
Short URL to this thread: https://techguy.org/537504
