
Windows Explorer has encountered a problem and needs to close.

Discussion in 'Virus & Other Malware Removal' started by ComputersAndMe, Jul 25, 2006.

  1. ComputersAndMe

    ComputersAndMe Thread Starter

    Joined:
    Jul 25, 2006
    Messages:
    6
    Error Signature

    AppName: explorer.exe
    AppVer: 6.0.2900.2180
    ModName: nqrsda.dll
    ModVer: 0.0.0.0
    Offset: 0003d005

    Hey Guys, I recently was searching for games on the internet and then I entered this one site and BAM virus...It automatically made me restart and then right when it opens into the Windows screen it says "Windows Explorer has encountered a problem and needs to close." I've tried many things like replacing the explorer.exe file with a clean one but that didn't work. That up there is the data the error report got...Any suggestions? Thanks for helping! Try not to use big words as I am not so good with my computer language. Here's my HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:27:51 PM, on 7/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [MTBar] C:\WINDOWS\mirar.exe
    O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
    O4 - HKLM\..\Run: [aamf78db] RUNDLL32.EXE w6d9e64a.dll,n 001f78da0000000a6d9e64a
    O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
    O4 - Startup: LimeWire On Startup.lnk = D:\Downloads\Movies\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0009.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
    O16 - DPF: {413F8CE5-45E8-4946-B781-CBEB8580DED9} (GifMaker Class) - http://img.yahoo.co.kr/ycabinet/cab/photoXYahoo2.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/wardmedia/grinstall_wm1001_sp2.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125715671671
    O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.co.kr/cab1/CZInstall.CAB
    O16 - DPF: {7F494820-7B17-4CDC-8ABB-C907298CD743} (AtlCtrl Class) - http://www.yesicon.com/yes0001.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
    O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} (UploadList Control) - http://wwl207.daum.net/hanmail-ax/hanmail.cab
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - http://www.buddybuddy.co.kr/cab/BBNPort.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {B959F5AD-247B-4F3F-AEE6-8E9D6A2614E3} (Mcam100v2ClientAX Control) - http://www.mcam.co.kr/File/demo/mcam100v2/ax/Mcam100v2ClientAX.cab
    O16 - DPF: {B9A7CB61-0060-430E-B76F-CDB83D7F680C} (YEditor for Yahoo Korea) - http://img.yahoo.co.kr/blog/jweditor/JwEditorPro_YahooKorea_2_3_3_6.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D5D4E25D-544D-4E31-9C84-C97EED5F6900} (HMPaintingMailAX Class) - http://wwl700.daum.net/hanmail-ax/HM_paintmail.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {E11C38F7-81AE-4D00-845F-ECB91E23035F} (EChat Control) - http://eroomchat.korea.com/chat/eChat.cab
    O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_18_0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\nprsit.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
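Added here as an illustration of how a helper reads a log like the one above; this is example code written for this page, not part of the original post or of HijackThis. It parses a constructed subset of the posted lines and applies simple review heuristics (autoruns from the drive root, the WINDOWS root or a bare file name; BHOs/toolbars with no name or file; Trusted Zone additions; a text/html MIME filter; Winlogon Notify DLLs). The heuristics are my own and will flag some legitimate entries, so the output is a review list, not a verdict; for comparison, the later ewido report in this thread identifies nprsit.dll (the O20 entry) and nqrsda.dll (the crashing module in the error signature) as Adware.Look2Me.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines from the log posted above,
# copied verbatim (raw string, so backslashes stay exactly as they appear).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
O4 - HKLM\..\Run: [MTBar] C:\WINDOWS\mirar.exe
O4 - HKLM\..\Run: [aamf78db] RUNDLL32.EXE w6d9e64a.dll,n 001f78da0000000a6d9e64a
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\nprsit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section, body; then key, name, command.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def split_first(cmd):
    """Split a command line into its first (possibly quoted) token and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(cmd):
    """Return the file an O4 Run entry really loads: the DLL when rundll32 is the host."""
    exe, rest = split_first(cmd)
    if exe.lower().startswith("rundll32"):
        dll, _ = split_first(rest)
        return dll.split(",", 1)[0]
    return exe


def in_suspect_location(path):
    """Heuristic: autoruns from C:\, C:\WINDOWS, or with no path at all deserve a look."""
    p = path.replace("\\\\", "\\").lower()
    if "\\" not in p:
        return True  # bare name, resolved through the search path (e.g. w6d9e64a.dll)
    parent = p.rsplit("\\", 1)[0]
    return parent in ("c:", "c:\\windows")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text):
    """Walk a HijackThis log and return the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            r = RUN_RE.match(body)
            if r and in_suspect_location(run_target(r.group("cmd"))):
                findings.append(Finding(sec, "autorun from drive root, WINDOWS root or unqualified file name", line))
        elif sec in ("O2", "O3") and ("(no name)" in body or "(no file)" in body):
            findings.append(Finding(sec, "BHO/toolbar with no name or missing file", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to the IE Trusted Zone (relaxed security for that site)", line))
        elif sec == "O18" and body.startswith("Filter: text/html"):
            findings.append(Finding(sec, "MIME filter on text/html can rewrite every page IE renders", line))
        elif sec == "O20":
            findings.append(Finding(sec, "Winlogon Notify DLL loads before the shell (Look2Me-style persistence)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```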
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, ComputersAndMe. :)

    Welcome to TSG.

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Please download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly in Safe Mode.

    Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    Boot into Safe Mode:

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Perform the following steps in safe mode:

    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    • Launch ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close ewido.
    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Restart back into Windows normally now.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post a fresh Hijackthis log along with the Ewido and ActiveScan reports.
     
  3. ComputersAndMe

    ComputersAndMe Thread Starter

    Joined:
    Jul 25, 2006
    Messages:
    6
    Thanks man, it worked. Although I still got some viruses, they should be OK, but here's my HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:42:07 PM, on 7/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\LVComS.exe
    D:\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\HijackThis.exe
     
  4. ComputersAndMe

    ComputersAndMe Thread Starter

    Joined:
    Jul 25, 2006
    Messages:
    6
    Here's my ewido report

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:59:46 PM 7/26/2006

    + Scan result:



    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\res104.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\resFD.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1757981266-1580436667-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1757981266-1580436667-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
    C:\WINDOWS\thiselt.exe -> Adware.Agent : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1757981266-1580436667-839522115-1003\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\nsn4CF.dll.q_8043401_q -> Adware.Ezula : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083187.dll -> Adware.Ezula : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\aamf78db.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084263.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084269.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\nprsit.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\nqrsda.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\TMP100.tmp\QLSetup.exe -> Adware.MDH : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083200.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\WINDOWS\pop06ap2.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\mit4D0.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\mit4D0.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\WINDOWS\mirar.exe -> Adware.NetNucleus : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Temporary Internet Files\Content.IE5\4RI3OV4N\pcs_0009[1].exe -> Adware.Pacer : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\qlink32.dll -> Adware.QLF : Cleaned with backup (quarantined).
    C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\{287A2BAD-6590-4EFF-9BBC-494385664A73} -> Adware.SysProtect : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\GLB4D6.tmp/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083205.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083206.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084267.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084267.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084267.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\whiehlpr.dll.q_16C05002_q -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083177.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083178.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083188.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083191.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083192.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083196.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083198.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP593\A0083213.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\ICD7.tmp\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\MediaGateway.exe -> Adware.WinAD : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084272.dll -> Adware.Winfixer : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\df_kme.exe -> Adware.Winfixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\FFWraper.DLL -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\FixCore.DLL -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\MMFixCtrl.DLL -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\compcln.dll -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.AppCleaner -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.AppCleaner.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.AppCleaner\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.AppCleaner\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.CCQuickScan -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.CCQuickScan.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.CCQuickScan\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.CCQuickScan\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.FileCleaner -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.FileCleaner.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.FileCleaner\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.FileCleaner\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.InetCleaner -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.InetCleaner.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.InetCleaner\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.InetCleaner\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.RegCleaner -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.RegCleaner.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.RegCleaner\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.RegCleaner\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.SystemCleaner -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.SystemCleaner.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.SystemCleaner\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CompCleanCore.SystemCleaner\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFCom.FlFixer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFCom.FlFixer\Clsid -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFWraper.FFEnginWraper -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFWraper.FFEnginWraper.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFWraper.FFEnginWraper\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FFWraper.FFEnginWraper\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FixCore.MMFixCore -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FixCore.MMFixCore.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FixCore.MMFixCore\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\FixCore.MMFixCore\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\MMFixCtrl.CoFixEngine -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\MMFixCtrl.CoFixEngine.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\MMFixCtrl.CoFixEngine\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\MMFixCtrl.CoFixEngine\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\df_fixer.Fixer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\df_fixer.Fixer.1 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\df_fixer.Fixer\CLSID -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\df_fixer.Fixer\CurVer -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\WinSoftware\WinFixer 2005 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1757981266-1580436667-839522115-1003\Software\WinSoftware\WinFixer 2005 -> Adware.WinFixer : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1757981266-1580436667-839522115-1003\Software\WinSoftware\WinFixer 2005\Settings -> Adware.WinFixer : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\qsyssw2d.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\int_ver34.ocx -> Dialer.VB.j : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084260.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084262.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\zxinst12.exe -> Downloader.Agent.tq : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cxdxregt.exe -> Downloader.Agent.tq : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Temporary Internet Files\Content.IE5\MBGTSLCH\popup[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084270.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w6d9e64a.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084264.exe -> Downloader.VB.air : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084261.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084265.exe -> Downloader.VB.aiy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\pre.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{5243E4D7-AC42-457D-BA23-0F9417F14F73}\RP594\A0084259.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\mc-110-12-0000103.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temporary Internet Files\Content.IE5\NAVID3W4\SystemDoctor2006FreeInstall[2].cab/USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivers\df_kmd.sys -> Rootkit.Agent.af : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][3].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][4].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][3].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][3].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][3].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Cookies\joseph [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][3].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Joseph Choi\Local Settings\Temp\Cookies\joseph [email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


    ::Report end
     
  5. ComputersAndMe (Thread Starter)

    Incident Status Location

    Adware:adware/wupd Not disinfected c:\windows\system32\ide21201.vxd
    Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
    Spyware:spyware/media-motor Not disinfected Windows Registry
    Potentially unwanted tool:application/winfixer2005 Not disinfected hkey_current_user\software\WinSoftware
    Adware:adware/mirar Not disinfected Windows Registry
    Adware:adware/surfaccuracy Not disinfected Windows Registry
    Adware:adware/popupsearches Not disinfected Windows Registry
    Adware:adware/searchresults Not disinfected Windows Registry
    Potentially unwanted tool:application/zango Not disinfected hkey_classes_root\clsid\{8FCDF9D9-A28B-480f-8C3D-581F119A8AB8}
    Dialer:dialer.asl Not disinfected hkey_classes_root\clsid\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
    Adware:adware/transponder Not disinfected Windows Registry
    Adware:adware/ist.yoursitebar Not disinfected Windows Registry
    Adware:adware/cws.aboutblank Not disinfected Windows Registry
    Adware:adware/mediatickets Not disinfected Windows Registry
    Adware:adware/sahagent Not disinfected Windows Registry
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\ts_mediamotor.exe
    Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\icon_mediamotor.exe
    Dialer:Dialer.GQK Not disinfected C:\WINDOWS\Downloaded Program Files\int_ver34.INF
    Adware:Adware/PurityScan Not disinfected C:\WINDOWS\YazzleBundle-1304.exe
    Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\media_motor_bundle.exe
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joseph Choi\Cookies\joseph [email protected][2].txt
     
  6. ComputersAndMe (Thread Starter)

    I'd just like to say thank you... if it wasn't for your kindness I'd still be opening programs through Windows Task Manager. Heh. Thank you and God bless ^^
     
  7. JSntgRvr (Moderator, Malware Specialist; first name José)

    Hi, ComputersAndMe :)

    The HijackThis log submitted is incomplete. Please re-scan with HijackThis and save the report. Post its entire contents in a reply.
     
  8. ComputersAndMe (Thread Starter)

    Logfile of HijackThis v1.99.1
    Scan saved at 12:07:04 PM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    D:\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LVComS.exe
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [aamf78db] RUNDLL32.EXE w6d9e64a.dll,n 001f78da0000000a6d9e64a
    O4 - HKLM\..\Run: [!ewido] "D:\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
    O4 - Startup: LimeWire On Startup.lnk = D:\Downloads\Movies\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0009.exe
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
    O16 - DPF: {413F8CE5-45E8-4946-B781-CBEB8580DED9} (GifMaker Class) - http://img.yahoo.co.kr/ycabinet/cab/photoXYahoo2.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/wardmedia/grinstall_wm1001_sp2.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125715671671
    O16 - DPF: {6FC8738C-1723-4990-BD6E-5633AD3BC6E8} - http://down.c-zero.co.kr/cab1/CZInstall.CAB
    O16 - DPF: {7F494820-7B17-4CDC-8ABB-C907298CD743} (AtlCtrl Class) - http://www.yesicon.com/yes0001.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} (UploadList Control) - http://wwl207.daum.net/hanmail-ax/hanmail.cab
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - http://www.buddybuddy.co.kr/cab/BBNPort.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {B959F5AD-247B-4F3F-AEE6-8E9D6A2614E3} (Mcam100v2ClientAX Control) - http://www.mcam.co.kr/File/demo/mcam100v2/ax/Mcam100v2ClientAX.cab
    O16 - DPF: {B9A7CB61-0060-430E-B76F-CDB83D7F680C} (YEditor for Yahoo Korea) - http://img.yahoo.co.kr/blog/jweditor/JwEditorPro_YahooKorea_2_3_3_6.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D5D4E25D-544D-4E31-9C84-C97EED5F6900} (HMPaintingMailAX Class) - http://wwl700.daum.net/hanmail-ax/HM_paintmail.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {E11C38F7-81AE-4D00-845F-ECB91E23035F} (EChat Control) - http://eroomchat.korea.com/chat/eChat.cab
    O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_18_0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\nprsit.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)
     
  9. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, ComputersAndMe :)

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.

    The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
    Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

    Backing Up Your Registry
    1. Go Here and download ERUNT
      (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
    2. Install ERUNT by following the prompts
      (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
    3. Start ERUNT
      (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
    4. Choose a location for the backup
      (the default location is C:\WINDOWS\ERDNT which is acceptable).
    5. Make sure that at least the first two check boxes are ticked
    6. Press OK
    7. Press YES to create the folder.
    Registry Modifications

    Download the enclosed file and extract its contents to the desktop. It is a Registry Entries file, Regfix.reg. Do nothing with it yet.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
    O4 - HKLM\..\Run: [aamf78db] RUNDLL32.EXE w6d9e64a.dll,n 001f78da0000000a6d9e64a
    O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0009.exe
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...wm1001_sp2.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab
    O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - http://www.buddybuddy.co.kr/cab/BBNPort.cab
    O16 - DPF: {B959F5AD-247B-4F3F-AEE6-8E9D6A2614E3} (Mcam100v2ClientAX Control) - http://www.mcam.co.kr/File/demo/mcam...v2ClientAX.cab
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\nprsit.dll (file missing)

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    Double click on the Regfix.reg file on your desktop and select Yes when prompted to merge it into your registry.

    Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    WinFixer 2005
    SurfAccuracy
    PartyPoker


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\WinFixer 2005
    C:\Program Files\SurfAccuracy
    C:\Program Files\PartyPoker


    Search and delete the following file:

    w6d9e64a.dll
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\ts_mediamotor.exe
      C:\WINDOWS\system32\icon_mediamotor.exe
      C:\WINDOWS\Downloaded Program Files\int_ver34.INF
      C:\WINDOWS\YazzleBundle-1304.exe
      C:\WINDOWS\media_motor_bundle.exe
      c:\windows\system32\ide21201.vxd
      c:\windows\teller2.chk
      C:\WINDOWS\system32\APD123.exe
      C:\WINDOWS\system32\qlink32.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

    2. Download Registry Search to your desktop.
    • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
    • Open the new folder, and double click on regsearch.exe
    • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
    • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
    • Please reply here with the entire contents of the Notepad file from RegSearch, along with a fresh Hijackthis log.
     

    Attached Files:
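The entries José asked to be fixed fall into a handful of HijackThis categories (missing files, Trusted Zone additions, O16 DPF entries that fetch a bare .exe, a text/html filter, a Winlogon Notify DLL, and a rundll32 Run entry with a random-looking DLL name). The script below is an added example, not part of this thread or of HijackThis, that parses HJT-style lines and flags those categories; the sample log is constructed from entries in this thread and the heuristics are assumptions, not HijackThis's own rules.

```python
import re

# Constructed sample modelled on lines from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [aamf78db] RUNDLL32.EXE w6d9e64a.dll,n 001f78da0000000a6d9e64a
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0009.exe
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\\WINDOWS\\system32\\qlink32.dll
O20 - Winlogon Notify: Shell Extensions - C:\\WINDOWS\\system32\\nprsit.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# HJT lines look like "O16 - <body>"; R/F/O sections share the same shape.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every recognised HJT line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def review_reasons(section, body):
    """Heuristic reasons (assumed, not HJT's own) why an entry deserves review."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists on disk")
    if section == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that site")
    if section == "O16" and body.lower().endswith(".exe"):
        reasons.append("DPF entry downloads a bare executable rather than a .cab")
    if section == "O18" and body.startswith("Filter: text/html"):
        reasons.append("text/html MIME filter can rewrite every page IE loads")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded at every logon")
    if section == "O4" and re.search(r"rundll32\.exe\s+\S*\d\S*\.dll", body, re.I):
        reasons.append("Run entry loads a DLL with digits in its name via rundll32")
    return reasons


def triage(text):
    """Pair each parsed entry with its review reasons (empty list = looks benign)."""
    return [(s, b, review_reasons(s, b)) for s, b in parse_hjt(text)]


def flagged_sections(text):
    """Sections of the entries that got at least one reason, in log order."""
    return [s for s, _, r in triage(text) if r]
```

Running `triage(SAMPLE_LOG)` prints nothing by itself; iterate over it to list each entry with its reasons, and note that the NVIDIA O23 service comes back with none.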

Short URL to this thread: https://techguy.org/486443