I need some quick help and maybe some detailed help after that. My home computer was infected with viruses and/or spyware and I was getting a lot of error messages upon start-up. I ran Spybot and Ad-aware, which were already installed on my computer, and they seemed to clear out a lot of stuff. But I was still getting some error messages upon starting Windows, such as "Wintask has performed an illegal operation and will be shut down." Then I downloaded and ran two other programs based on something I read on another troubleshooting site... programs called a-squared and CleanUp! I deleted everything they found. CleanUp, in particular, deleted a lot of files. Now I can't connect to the Internet at all. I get the error messages "The page cannot be displayed" and "Cannot find server or DNS error" when I try to connect. I looked at everything I could find to check out my DSL connection and it seems to be good and working fine. I still get one error message upon starting Windows: "Error loading C:\WINDOWS\CFGMGR52.DLL". Now I can't download any more software such as Hijack This without the Internet connection. I'm posting this from another computer. I am running Internet Explorer 6.0 and Windows 98 from a Gateway computer. I don't know much at all about technology or how to troubleshoot this. What should I do next?
Do not press the "CleanUp!" button until you have decided what folders you want to clean.
Probably a little late now.
Cleanup has been known to delete things that it shouldn't and it looks like that is what has happened to you.
AFAIK it permanently deletes them too.
Try this;
Download and run Winsockfix from here http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml
Thanks! I ran Winsockfix and it worked. Now I have Internet access again. I am still getting the message "Error loading WINDOWS\CFGMGR52.DLL" upon start-up. Is there anything I can try next to fix that? Thanks again for responding.
Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Thanks, crunchie. Here is the HijackThis logfile.
Logfile of HijackThis v1.99.1
Scan saved at 4:27:41 PM, on 7/4/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\RNNKPJ.EXE
C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
R3 - Default URLSearchHook is missing
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
robertonline,
you have a lot of crap there :).
===============
Please visit at least two of the following sites for an online virus scan:
BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.
Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.
Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
===============
Now, let's open a command prompt by going to the start menu and then select 'Run'.
In the box that pops up type in 'cmd'. The command prompt will open.
OR
You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u "C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll"
regsvr32 /u "C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL"
It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.
===============
Go to Add/Remove programs and remove(uninstall) the following, if present:
Elite Toolbar
SideFind
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\RNNKPJ.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Still in HiJackThis, click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:
folders...
C:\PROGRAM FILES\MEDIA ACCESS
C:\PROGRAM FILES\CAS
C:\WINDOWS\EliteToolBar
files...
C:\WINDOWS\RNNKPJ.EXE
C:\WINDOWS\CFGMGR52.DLL
C:\TEMP\STUBINSTALLER6480.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Thanks! I will do all of this, but it may be a while before I report back with the results because I will be away from home for about 2 weeks. I'll begin today and go through all the steps carefully.
I did everything on the list above that I could find or make work, and here is the new log. Let me know what you think, and if I need to give it some more attention. Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 8:58:23 PM, on 7/9/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RNNKPJ.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
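The thread works by posting a fresh HijackThis log after each round of fixes and comparing it with the previous one. The following is an added example, not part of the thread and not HijackThis' own code: a small Python parser for the log format shown above that diffs two scans and lists the DLLs that O4 Run entries hand to rundll32. The two embedded logs are short excerpts constructed from the 7/4/05 and 7/9/05 logs posted in this thread, so the diff shows what those two rounds changed, and the rundll32 listing matches the "Error loading ... CFGMGR52.DLL" message reported at the start of the thread (a Run value that still points at a DLL which is no longer on disk).

```python
"""Parse and diff HijackThis v1.99.1 logs in the format posted in this thread.

Added example; not part of the thread and not HijackThis' own code. The two
sample logs are short excerpts constructed from the 7/4/05 and 7/9/05 logs
posted above, so the diff reproduces what changed between those two scans.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the first (7/4/05) log posted above.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:27:41 PM, on 7/4/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RNNKPJ.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""

# Constructed excerpt of the second (7/9/05) log posted above.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:58:23 PM, on 7/9/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RNNKPJ.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
"""

# Every R/F/O section line has the shape "<code> - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Body of a registry autostart: "<location>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# A command line that makes rundll32 load a DLL: "rundll32[.exe] <dll path>,<export>"
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\w+)\s*$", re.I)


@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # section code such as "O4"
    body: str  # everything after "O4 - "


def parse_hjt_log(text):
    """Split a log into (header lines, running processes, section entries)."""
    header, processes, entries = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m.group("kind"), m.group("body")))
        elif in_processes:
            processes.append(line.upper())  # Win9x paths are case-insensitive
        else:
            header.append(line)
    return header, processes, entries


def rundll32_targets(entries):
    """DLL paths that O4 registry entries hand to rundll32.

    If such a DLL has been deleted but the Run value remains, rundll32 reports
    "Error loading <path>" at logon, which is the message this thread reports
    for CFGMGR52.DLL and later for SUPDATE.DLL.
    """
    targets = []
    for e in entries:
        if e.kind != "O4":
            continue
        m = O4_RE.match(e.body)
        if not m:
            continue  # Startup-folder entries have no [name] part
        r = RUNDLL_RE.match(m.group("command"))
        if r:
            targets.append(r.group("dll"))
    return targets


def diff_logs(before_text, after_text):
    """What disappeared and what appeared between two scans of the same machine."""
    _, p_before, e_before = parse_hjt_log(before_text)
    _, p_after, e_after = parse_hjt_log(after_text)
    return {
        "processes_gone": sorted(set(p_before) - set(p_after)),
        "processes_new": sorted(set(p_after) - set(p_before)),
        "entries_gone": sorted(set(e_before) - set(e_after)),
        "entries_new": sorted(set(e_after) - set(e_before)),
    }


if __name__ == "__main__":
    report = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item.body if isinstance(item, Entry) else item)
    print("rundll32 DLLs still referenced after cleanup:",
          rundll32_targets(parse_hjt_log(LOG_AFTER)[2]))
```

Run the file directly to see the two sections of the diff; on the excerpts above it reports MEDIAACCK.EXE gone from the process list while RNNKPJ.EXE survived the first round, and SUPDATE.DLL newly referenced by rundll32, which is exactly what the next reply in the thread targets.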
Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.
C:\log.txt
C:\win.txt
C:\start.txt
-
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Reboot in Safe mode.
Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
To save some time, could you please have each of the files that rkfiles finds, uploaded for an online scan here;
Post the contents of C:\log.txt in your next reply.
ECHO is off
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
Files Found in all users startup Folder............
------------------------
Did you run Find_qoologic.zip as well?
Yes, I downloaded and ran qoologic.zip. I also downloaded rkfiles.zip, but I have to admit I don't know how to run it in safe mode, so I didn't do that part yet.
So, where is the log from qoologic.zip?
For rkfiles, boot into safe mode by tapping f8 whilst starting your computer. If done right you will get a screen asking what you want to do. One of the options will be to boot into safe mode. Highlight that and hit enter.
Once in safe mode doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
I think I did all this. Here is the log from C:\log.txt.
ECHO is off
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\Hot Sex Live-uninstall.exe: UPX!
C:\WINDOWS\SYSTEM\mfcsubs.dll: dwProvSpec2
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye
Here is the log from C:\win.txt.
C:\WINDOWS\SYSTEM\Hot Sex Live-uninstall.exe: UPX!
C:\WINDOWS\SYSTEM\mfcsubs.dll: dwProvSpec2
C:\start.txt is empty.
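The rkfiles log above names each file together with the string that was found inside it (UPX!, dwProvSpec2): tags that suggest a packed or otherwise unusual executable but, as the log's own warning says, prove nothing on their own. The following is an added example, not rkfiles' code; the marker list and the report layout are assumptions of the example modelled on the output posted above. It scans a folder of constructed sample files for those byte strings so the matching, and its limits, are visible.

```python
"""String-marker scan of a folder, in the style of the rkfiles log posted above.

Added example; not rkfiles' own code. The marker list is an assumption of this
example: UPX! and dwProvSpec2 are the two tags in the posted log, ASPACK is the
packer the online scanner later reported for nppd.exe. The sample files are
constructed in a temporary folder so the script runs anywhere.
"""
import os
import tempfile

MARKERS = [b"UPX!", b"ASPack", b"dwProvSpec2"]


def find_marker(data):
    """Return the first marker present in the bytes, or None."""
    for marker in MARKERS:
        if marker in data:
            return marker.decode("ascii")
    return None


def scan_folder(folder):
    """Sorted list of (filename, marker) for files in folder that carry a marker.

    This is a plain substring match: a legitimate library that happens to
    contain one of the strings is listed exactly like a packed dropper, which
    is why every hit still needs to be looked at before anything is deleted.
    """
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            marker = find_marker(fh.read())
        if marker:
            hits.append((name, marker))
    return hits


def format_report(label, hits):
    """Render hits in the layout of the rkfiles log ("Files Found in ... Folder")."""
    lines = [f"Files Found in {label} Folder............", "-" * 24]
    lines += [f"{name}: {marker}" for name, marker in hits]
    return "\n".join(lines)


def demo():
    """Write constructed sample files into a temp folder, scan them, return the hits."""
    samples = {
        # constructed: a PE-like stub carrying the UPX section tag
        "packed_sample.exe": b"MZ" + b"\x00" * 60 + b"UPX!" + b"\x00" * 20,
        # constructed: a stub carrying the dwProvSpec2 string, to show that a
        # string hit alone does not tell packed malware from a benign library
        "sample_lib.dll": b"MZ" + b"\x00" * 60 + b"dwProvSpec2\x00",
        # constructed: no marker at all
        "plain_sample.exe": b"MZ" + b"\x00" * 80,
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return scan_folder(folder)


if __name__ == "__main__":
    print(format_report("sample", demo()))
```

The report lists two of the three constructed files; nothing in the output distinguishes the one built to look like a packed executable from the one built to look like an ordinary library, which is the reason the rkfiles log itself tells the reader to leave alone anything they are unsure of.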
Let's have a go at this;
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\RNNKPJ.EXE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Still in HiJackThis, click "Scan", then check(tick) the following, if present:
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:
folders...
C:\PROGRAM FILES\MEDIA ACCESS
files...
C:\WINDOWS\RNNKPJ.EXE
C:\WINDOWS\SYSTEM\SUPDATE.DLL
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Thanks again for your patience. I think I did all this. When I rebooted, I got the error message "Error loading C:\WINDOWS\SYSTEM\SUPDATE.DLL". Here is the HijackThis scan log:
Logfile of HijackThis v1.99.1
Scan saved at 5:29:36 PM, on 7/11/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NPPD.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
Please do the following.
-
Download Pocket KillBox: http://www.downloads.subratam.org/KillBox.exe
Put it somewhere easy to find (like your desktop). Double click the KillBox program to launch it ...
Go to Tools > Delete Temp Files > Click "OK"
Now select "Replace on Reboot" and "Use Dummy" in the first column.
Next copy/paste the following into the "Full Path to Delete" box:
C:\WINDOWS\rnnkpj.exe
Click the Red Button with the White x on it.
Click the "Delete File" button, and when asked to reboot, answer 'NO.'
Repeat the above for this too;
C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
Click the Red Button with the White x on it.
Click the "Delete File" button, and allow your computer to reboot.
Next, close all open windows, and run HJT once again. Fix these items:
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
Now manually delete the C:\PROGRAM FILES\MEDIA ACCESS folder.
Reboot again, and post a fresh HJT log.
I may have messed this up. I ran KillBox.exe and inserted the file names, but after I clicked the red button with the white x, there was no prompt to reboot the computer. I tried to close all the open windows so I could reboot it myself. KillBox had opened a DOS window and it was running through a series of messages saying "All files in this directory will be deleted!" as if it were automatically deleting a bunch of stuff. I couldn't exit or quit that window. More than an hour later, it's still doing it.
Hmmm. I haven't had that happen before. Open Task Manager and end process on the killbox. Rescan with hijackthis and post another log please.
OK, here is another log. I ended the program and rebooted. I was able to fix/delete some of the files you mentioned with Hijack This, but cannot find the Media Access folder under Program Files to delete it.
Logfile of HijackThis v1.99.1
Scan saved at 4:43:06 PM, on 7/12/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: nppd.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
I need you to have this file scanned: nppd.exe
I am not sure of the full path to the file, but this is the path in W2K: C:\Documents and Settings\Default User\Start Menu\Programs\Startup
Post the results back here.
Here it is....
Service load: 0% 100%
File: nppd.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 0d1fa8377c32c52636885be97ded1a50
Packers detected: ASPACK
Scanner results
AntiVir Found TR/Dldr.Qoologic.U
ArcaVir Found Trojan.Asp.A02
Avast Found Win32:Qoologic-M
AVG Antivirus Found Downloader.Qoologic.CA
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.MulDrop.2456
F-Prot Antivirus Found nothing
Fortinet Found Adware/Qoolaid
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.u
NOD32 Found Win32/TrojanDownloader.Qoologic
Norman Virus Control Found nothing
UNA Found TrojanDownloader.Win32.Qoologic
VBA32 Found Trojan.MulDrop.2456
Ok. You need to manually delete that file. If you cannot do it in normal mode, you will have to go into safe mode and do it. Once deleted, run hijackthis and 'fix' that line.
Reboot and post a new log.
I deleted the file 3 times, once in safe mode and twice the regular way. It seems to reappear every time I reboot. I ran Hijack This and can't find the file on any line there to fix it. Here is the new log. What do you think?
Logfile of HijackThis v1.99.1
Scan saved at 11:06:34 AM, on 7/13/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
C:\WINDOWS\RNNKPJ.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnnkpj.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Windows Guardian.LNK = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
Still there :(.
Please visit Panda and post back the log that is created:
Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.
I ran Panda and the log is below. The summary said it found 214 infected files and disinfected 1 file. While it was running I got a pop-up error message that said "Explorer has performed an illegal operation and will be shut down." I also got another pop-up about choosing profile settings, or something like that. I ignored both of those and rebooted.
Incident Status Location
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\ROOEIPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LAFIL80N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ARICAP.DLL
Adware:Adware/Weirdontheweb No disinfected C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\RNNKPJ.EXE
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\SUPDATE.DLL
Adware:Adware/Weirdontheweb No disinfected C:\PROGRA~1\WEIRDO~1\WEIRDO~1.EXE
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\RNNKPJ.EXE
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\SUPDATE.DLL
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:Adware/SaveNow No disinfected C:\Program Files\Save
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\susp.???
Adware:Adware/WinTools No disinfected C:\Program Files\WebSearch
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\All Users\Application Data\AdDestroyer
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/MSView No disinfected C:\WINDOWS\inf\msview.inf
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\twaintec.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Start Menu\Programs\SideStep
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Adware:Adware/EliteBar No disinfected Windows Registry
Adware:Adware/ClockSync No disinfected C:\Program Files\ClockSync
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\dpusys.ini
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC1.EXE
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC2.EXE
Adware:Adware/SideStep No disinfected C:\WINDOWS\Desktop\SideStep.lnk
Spyware:Spyware/Support No disinfected C:\WINDOWS\Desktop\Charter.exe[support.zip][1519616_5dbb20689_][tgcmd.exe]
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IB50_QC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WWAUTO8.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\sfpdate.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IOM32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DIDRM.DLL
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\qool3.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\iwctl.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\redit.cpl
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Lwonardo da Vinci.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SENCENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TCPIUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZ50_QCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WBPOADMN.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\eutier2.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mcimsg.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXEM0409.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DHEML.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UEER.EXE
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lytga80n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lafil80n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lxwfx80n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ibengine.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mrxcat.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OATEXT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\qeartz.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CJRVIDDC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IFROP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MXR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mmdtc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GQU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ovbccu32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OSENGL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\cgrtc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MBCANS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\myxcat.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGC42ENU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MYXML3A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ARICAP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\upd205.exe
Adware:Adware/MSView No disinfected C:\WINDOWS\INF\MSVIEW.INF
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\INF\TWAINTEC.INF
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/SideStep No disinfected C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Quick Launch\SideStep.lnk
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01f.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01f.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01c.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01e.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01e.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01c.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01a.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe01a.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe025.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe025.inf
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.inf
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Y5DMNQ18\upd205[1].exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\hosts
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SUSP.INI
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.INI
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\dpusys.ini
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\ayyxnxly.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\rnnkpj.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\rooeipp.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\pbbqk.dat
Adware:Adware/QoolAid No disinfected C:\WINDOWS\brrcmnn.exe
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\uqqrs.dll
Spyware:Spyware/Support No disinfected C:\Program Files\Support.com\bin\tgcmd.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\a.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\b.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ba.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\bb.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bc.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\be.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bf.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bh.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bi.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bj.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bk.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bl.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\bn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bo.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\br.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bs.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bt.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bu.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bv.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bw.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\by.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\bz.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\c.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ca.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cb.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\cd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ce.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cf.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ch.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ci.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cj.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ck.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cl.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cm.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\co.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cp.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\cs.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ct.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cu.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cv.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cw.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cy.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\cz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\d.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\da.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\db.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\dc.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\de.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\df.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dh.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\di.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dj.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dk.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\dm.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dp.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dr.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ds.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\du.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\dw.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\dx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dy.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\dz.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\e.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ea.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\eb.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ec.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\ed.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\f.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\g.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\h.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\j.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\k.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\l.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\m.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\Main.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\n.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\r.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\u.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\System\Code\w.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\x.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\websearch\System\Code\y.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\websearch\websearch1.exe
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe
Spyware:Spyware/Support No disinfected C:\BJVTI\Setup\support\support.zip[1519616_5dbb20689_][tgcmd.exe]
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Uninstall weirdontheweb from add/remove programs.
----
Download the VX cleaner plug-in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.
http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml
----
Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
Thank you, crunchie.
I uninstalled weirdontheweb, no problem.
I downloaded the VX2 plug-in, no problem. When I open Adaware, I can see the plug-in available, but it won't let me click on it to run it. I ran Adaware anyway, and it quarantined a few more files.
I ran FindIt and here is the log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM
IF50_32 DLL 227,104 07-09-05 4:59p IF50_32.DLL
ITAGEHLP DLL 227,104 07-09-05 4:59p ITAGEHLP.DLL
DHEML DLL 227,104 07-09-05 4:59p DHEML.DLL
UEER EXE 227,104 07-09-05 4:59p UEER.EXE
LAFIL80N DLL 227,104 07-09-05 4:59p lafil80n.DLL
IBENGINE DLL 227,104 07-09-05 4:59p ibengine.dll
MRXCAT DLL 227,104 07-09-05 4:59p mrxcat.dll
OATEXT32 DLL 227,104 07-09-05 4:59p OATEXT32.DLL
QEARTZ DLL 227,104 07-09-05 4:59p qeartz.dll
CJRVIDDC DLL 227,104 07-09-05 4:59p CJRVIDDC.DLL
IFROP DLL 227,104 07-09-05 4:59p IFROP.DLL
MXR DLL 227,104 07-09-05 4:59p MXR.DLL
MMDTC DLL 227,104 07-09-05 4:59p mmdtc.dll
GQU32 DLL 227,104 07-09-05 4:59p GQU32.DLL
OVBCCU32 DLL 227,104 07-09-05 4:59p ovbccu32.dll
OSENGL32 DLL 227,104 07-09-05 4:59p OSENGL32.DLL
CGRTC DLL 227,104 07-09-05 4:59p cgrtc.dll
MBCANS32 DLL 227,104 07-09-05 4:59p MBCANS32.DLL
MYXCAT DLL 227,104 07-09-05 4:59p myxcat.dll
MGC42ENU DLL 227,104 07-09-05 4:59p MGC42ENU.DLL
MYXML3A DLL 227,104 07-09-05 4:59p MYXML3A.DLL
ARICAP DLL 227,104 07-09-05 4:59p ARICAP.DLL
IB50_QC DLL 226,592 06-01-05 9:53p IB50_QC.DLL
WWAUTO8 DLL 226,592 06-01-05 9:53p WWAUTO8.DLL
SFPDATE DLL 226,592 06-01-05 9:53p sfpdate.dll
IOM32 DLL 226,592 06-01-05 9:53p IOM32.DLL
DIDRM DLL 226,592 06-01-05 9:53p DIDRM.DLL
IWCTL DLL 226,592 06-01-05 9:53p iwctl.dll
LWONAR~1 DLL 226,592 06-01-05 9:53p Lwonardo da Vinci.dll
SENCENG DLL 226,592 06-01-05 9:53p SENCENG.DLL
TCPIUI DLL 226,592 06-01-05 9:53p TCPIUI.DLL
IZ50_QCX DLL 226,592 06-01-05 9:53p IZ50_QCX.DLL
WBPOADMN DLL 226,592 06-01-05 9:53p WBPOADMN.DLL
EUTIER2 DLL 226,592 06-01-05 9:53p eutier2.dll
MCIMSG DLL 226,592 06-01-05 9:53p mcimsg.dll
SXEM0409 DLL 226,592 06-01-05 9:53p SXEM0409.DLL
LYTGA80N DLL 226,592 06-01-05 9:53p lytga80n.dll
37 file(s) 8,395,168 bytes
0 dir(s) 3,140.75 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM
FFASTLOG TXT 23,127 12-13-02 4:27p FFASTLOG.TXT
1 file(s) 23,127 bytes
0 dir(s) 3,140.75 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
ib50_qc.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
wwauto8.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
sfpdate.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iom32.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
didrm.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iwctl.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
if50_32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
itagehlp.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
lwonar~1.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
senceng.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
tcpiui.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iz50_qcx.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
wbpoadmn.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
eutier2.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
mcimsg.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
sxem0409.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
dheml.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ueer.exe Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
lytga80n.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
lafil80n.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ibengine.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mrxcat.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
oatext32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
qeartz.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
cjrviddc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ifrop.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mxr.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mmdtc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
gqu32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ovbccu32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
osengl32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
cgrtc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mbcans32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
myxcat.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mgc42enu.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
myxml3a.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
aricap.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
37 items found: 37 files, 0 directories.
Total of file sizes: 8,395,168 bytes 8.00 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"
http://downloads.subratam.org/VX2Finder9x(126).exe
1.) Scan with the finder, select files it finds and delete them.
2.) During the deletion the utility will end both the Rundll32 & explorer.exe processes, so when all files are gone:
3.) Click the restore desktop button to get the desktop back.
4.) Click UserAgent$ to delete last registry item.
5.) Clear the contents of your C:\Windows\Temp folder
6.) Run Adaware again in safe mode this time.
7.) Reboot normally and post another Findit log please.
I scanned with the finder but it didn't identify any files for me to delete. I deleted all the Windows\Temp files. I couldn't run Adaware in safe mode. For some reason my mouse doesn't work in safe mode and I couldn't make it work by manipulating the cursor with arrows. Here is the FindIt log. Should I do anything else? Thanks.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM
IF50_32 DLL 227,104 07-09-05 4:59p IF50_32.DLL
JST DLL 227,104 07-09-05 4:59p JST.DLL
DHEML DLL 227,104 07-09-05 4:59p DHEML.DLL
UEER EXE 227,104 07-09-05 4:59p UEER.EXE
LAFIL80N DLL 227,104 07-09-05 4:59p lafil80n.DLL
IBENGINE DLL 227,104 07-09-05 4:59p ibengine.dll
MRXCAT DLL 227,104 07-09-05 4:59p mrxcat.dll
OATEXT32 DLL 227,104 07-09-05 4:59p OATEXT32.DLL
QEARTZ DLL 227,104 07-09-05 4:59p qeartz.dll
CJRVIDDC DLL 227,104 07-09-05 4:59p CJRVIDDC.DLL
IFROP DLL 227,104 07-09-05 4:59p IFROP.DLL
MXR DLL 227,104 07-09-05 4:59p MXR.DLL
MMDTC DLL 227,104 07-09-05 4:59p mmdtc.dll
GQU32 DLL 227,104 07-09-05 4:59p GQU32.DLL
OVBCCU32 DLL 227,104 07-09-05 4:59p ovbccu32.dll
OSENGL32 DLL 227,104 07-09-05 4:59p OSENGL32.DLL
CGRTC DLL 227,104 07-09-05 4:59p cgrtc.dll
MBCANS32 DLL 227,104 07-09-05 4:59p MBCANS32.DLL
MYXCAT DLL 227,104 07-09-05 4:59p myxcat.dll
MGC42ENU DLL 227,104 07-09-05 4:59p MGC42ENU.DLL
MYXML3A DLL 227,104 07-09-05 4:59p MYXML3A.DLL
ARICAP DLL 227,104 07-09-05 4:59p ARICAP.DLL
HNINK DLL 227,104 07-09-05 4:59p HNINK.DLL
IB50_QC DLL 226,592 06-01-05 9:53p IB50_QC.DLL
WWAUTO8 DLL 226,592 06-01-05 9:53p WWAUTO8.DLL
SFPDATE DLL 226,592 06-01-05 9:53p sfpdate.dll
IOM32 DLL 226,592 06-01-05 9:53p IOM32.DLL
DIDRM DLL 226,592 06-01-05 9:53p DIDRM.DLL
IWCTL DLL 226,592 06-01-05 9:53p iwctl.dll
LWONAR~1 DLL 226,592 06-01-05 9:53p Lwonardo da Vinci.dll
SENCENG DLL 226,592 06-01-05 9:53p SENCENG.DLL
TCPIUI DLL 226,592 06-01-05 9:53p TCPIUI.DLL
IZ50_QCX DLL 226,592 06-01-05 9:53p IZ50_QCX.DLL
WBPOADMN DLL 226,592 06-01-05 9:53p WBPOADMN.DLL
EUTIER2 DLL 226,592 06-01-05 9:53p eutier2.dll
MCIMSG DLL 226,592 06-01-05 9:53p mcimsg.dll
SXEM0409 DLL 226,592 06-01-05 9:53p SXEM0409.DLL
LYTGA80N DLL 226,592 06-01-05 9:53p lytga80n.dll
38 file(s) 8,622,272 bytes
0 dir(s) 3,090.33 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 5C8D-579D
Directory of C:\WINDOWS\SYSTEM
FFASTLOG TXT 23,127 12-13-02 4:27p FFASTLOG.TXT
1 file(s) 23,127 bytes
0 dir(s) 3,090.33 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{210CB1F6-C7A5-4D7C-1EB3-F62CB4D6F75B}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
ib50_qc.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
wwauto8.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
sfpdate.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iom32.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
didrm.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iwctl.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
if50_32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
jst.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
lwonar~1.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
senceng.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
tcpiui.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
iz50_qcx.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
wbpoadmn.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
eutier2.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
mcimsg.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
sxem0409.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
dheml.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ueer.exe Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
lytga80n.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
lafil80n.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ibengine.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mrxcat.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
oatext32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
qeartz.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
cjrviddc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ifrop.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mxr.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mmdtc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
gqu32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ovbccu32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
osengl32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
cgrtc.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mbcans32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
myxcat.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
mgc42enu.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
myxml3a.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
aricap.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
hnink.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
38 items found: 38 files, 0 directories.
Total of file sizes: 8,622,272 bytes 8.22 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 www.qoologic.com
C:\WINDOWS\USER.DAT: findqoologic
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.715: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.715: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\qool3.exe: qoologic
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\qool3.exe: .aspack
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""
"PSof1"="C:\\WINDOWS\\SYSTEM\\PSof1.exe"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"winsync"="C:\\WINDOWS\\jaaabr.exe reg_run"
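The two FindIt logs above share the pattern a responder keys on: dozens of randomly named system+read-only files with one identical size and timestamp, plus Run values that pass a `reg_run` argument or load a DLL that Strings.exe reported as ASPack-packed through rundll32. As an added example (not from the thread or the FindIt tool), here is a Python triage script for that log layout; the trimmed SAMPLE_LOG, the `min_files` threshold and the dashed-header regex are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the FindIt log above (entries copied from it).
SAMPLE_LOG = r"""------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
ib50_qc.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
sfpdate.dll Wed Jun 1 2005 9:53:36p ..S.R 226,592 221.28 K
if50_32.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
jst.dll Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ueer.exe Sat Jul 9 2005 4:59:50p ..S.R 227,104 221.78 K
ffastlog.txt Fri Dec 13 2002 4:27:00p ...H. 23,127 22.58 K
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM\supdate.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"KavSvc"="C:\\WINDOWS\\rnnkpj.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\SUPDATE.DLL,SHStart"
"""

HEADER = re.compile(r"^-+\s*(.*?)\s*-+$")          # dashed section titles
FILE = re.compile(r"^(\S+) (\w{3} \w{3} \d+ \d{4} \d+:\d\d:\d\d[ap]) (\S{5}) ([\d,]+) ")
RUN = re.compile(r'^"([^"]+)"="(.*)"$')            # REGEDIT4 "name"="value" lines

def analyze(text, min_files=3):
    """Single pass over the log. Returns (clusters, run_hits): clusters of at least
    min_files system+read-only files sharing one timestamp and size, and Run values
    that pass 'reg_run' or load an ASPack-flagged DLL via rundll32."""
    section, in_run, groups, packed, hits = None, False, defaultdict(list), set(), []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            section = h.group(1)
        elif section == "Locate.com Results" and (m := FILE.match(line)):
            if "S" in m.group(3) and "R" in m.group(3):   # system + read-only attrs
                groups[(m.group(2), int(m.group(4).replace(",", "")))].append(m.group(1))
        elif section == "Strings.exe Aspack Results" and ": " in line:
            packed.add(line.rsplit(": ", 1)[0].lower())  # path before the ': .aspack'
        elif line.startswith("["):                        # Run entries may follow a
            in_run = line.rstrip().endswith("\\Run]")     # later header (as above)
        elif in_run and (m := RUN.match(line)):
            name, words = m.group(1), m.group(2).replace("\\\\", "\\").split()
            if "reg_run" in words[1:]:
                hits.append((name, "reg_run argument"))
            elif len(words) > 1 and words[0].lower() == "rundll32" and words[1].split(",")[0].lower() in packed:
                hits.append((name, "rundll32 loads packed " + words[1].split(",")[0].lower()))
    clusters = {k: v for k, v in groups.items() if len(v) >= min_files}
    return clusters, hits
```

Run on SAMPLE_LOG it reports the three Jul 9 files as one cluster (the two Jun 1 files stay below the threshold) and flags the KavSvc and autoupdate values while leaving ScanRegistry alone.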