954,176 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
6 Years Ago
0

Another "Aurora me too"...sorry

Here are my reports from Ewido and HijackThis. They were generated in Safe Mode, as suggested in other threads. Before scanning the system with the two above I run Nailfix. No popups so far, but a message at startup saying that a module cannot be be found by rundll.

Would anybody help me understand the contents of the two logfiles? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:30 PM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51082128-B9B7-B51B-BB19-C9EE8980B9BF} - C:\WINDOWS\system32\lqu.dll (file missing)
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerVCR II\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\Medion\PowerVCR II\RemoteAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [3] C:\documents and settings\alessia\local settings\temp\3.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [oF7] C:\documents and settings\rino\local settings\temp\oF7.exe
O4 - HKLM\..\Run: [gcqdf] C:\documents and settings\alessia\local settings\temp\gcqdf.exe
O4 - HKLM\..\Run: [q6bYXh] C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
O4 - HKLM\..\Run: [Hyw7aeXO] C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [o6USPRl] C:\windows\system32\o6USPRl.exe
O4 - HKLM\..\Run: [mXMLIK.exe] c:\windows\system32\mXMLIK.exe
O4 - HKLM\..\Run: [4JATK3@4#AJHRM] C:\WINDOWS\system32\Kqxpex.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/021e0f24d1dd34b98c19/netzip/RdxIE601.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.globalwebsearch.com/winenc32.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:04 PM, 6/2/2005
+ Report-Checksum: 26E5C01D

+ Date of database: 6/2/2005
+ Version of scan engine: v3.0

+ Duration: 89 min
+ Scanned Files: 188131
+ Speed: 35.09 Files/Second
+ Infected files: 113
+ Removed files: 113
+ Files put in quarantine: 113
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
K:\
L:\
M:\

+ Scan result:
C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\rino@S005-01-9-28-233860-106434[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@ads.guardian.co[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@guide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Cookies\rino@www.ebates[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\Del2C.tmp -> Spyware.180Solutions.e -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\jAl.dll -> Spyware.Midadle.b -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\mm_reco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr0021 -> Spyware.IBISToolbar -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr643C\WSup.exe -> Spyware.Wintol -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.fr7BB6\common.dll -> Spyware.WebSearch.f -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\temp.frD4BC -> Spyware.IBISToolbar -> Cleaned with backup
C:\Documents and Settings\Rino\Local Settings\Temp\THI10F1.tmp\mxTarget.dll -> Spyware.BiSpy.o -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrojanDownloader.TSUpdate.f -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrojanDownloader.Dyfuca.ak -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Buddy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\docsygxhhy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\RCXAE.tmp -> Spyware.180Solutions.g -> Cleaned with backup
C:\WINDOWS\htpatch.exe -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\WINDOWS\prelimhanse.exe -> Spyware.WebHancer -> Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Agent.dh -> Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\Epoc.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\fpmat78.dll -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\WINDOWS\system32\lqu.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\WINDOWS\system32\Poller.exe.vir -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\Qxi7.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Rnfiy4co.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Tcmo3IDd.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\UbaM7.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\Xzm0JgoS.exe -> Backdoor.VB.nb -> Cleaned with backup
C:\WINDOWS\system32\υserinit.exe -> Spyware.PurityScan.am -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@713779[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@media[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S0012-01-1-7-217494-47679[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S129915[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S130376[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S149983[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@S150263[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Alessia\Cookies\alessia@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@33707992[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@45652814[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@53401622[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@59176631[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@63676511[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@6966407[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@843040[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adopt.hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.businessweek[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.guardian.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.specificclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads.telegraph.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@ads4.clearchannel[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@buy.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cz6.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@cz8.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcs06mqp0oifwz7nihkvjql18_9j6m[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsg07hinpifwz3wy8eqs4slv_7t7h[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcshfx5gloifwzvxiz6ywz3r7_5o1l[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsk50o4ppifwzri43z3zpag9_7d6h[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcslcvny1oifwzrqi727s7ceh_1x4g[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@dcsq537tboifwzzc1768f34r7_1s1h[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@gostats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@linkexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@listen.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-8-30-256517-100295[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-256517-101276[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-275483-101362[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S005-01-9-4-275483-101370[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S131010[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S141753[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S144524[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S147034[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@S150263[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@stats.klsoft[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@track-star[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\backup maxtor 1st partition\Documents and Settings\Debbie\Cookies\debbie@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Rino
Newbie Poster
5 posts since Jun 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Rino,

Hello! and welcome to the Daniweb forums :).

-

You'll need to download uninst.exe to remove the 'peper' infection, then:

1. run uninst.exe ... (first pass).
2. reboot your computer.
3. run uninst.exe ... (final pass).

Note: You must have an active internet connection, each time this program is run, for it to properly work.

===============

Go to www.trendmicro.com , and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {51082128-B9B7-B51B-BB19-C9EE8980B9BF} - C:\WINDOWS\system32\lqu.dll (file missing)

O4 - HKLM\..\Run: [3] C:\documents and settings\alessia\local settings\temp\3.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [oF7] C:\documents and settings\rino\local settings\temp\oF7.exe
O4 - HKLM\..\Run: [gcqdf] C:\documents and settings\alessia\local settings\temp\gcqdf.exe
O4 - HKLM\..\Run: [q6bYXh] C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
O4 - HKLM\..\Run: [Hyw7aeXO] C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [o6USPRl] C:\windows\system32\o6USPRl.exe
O4 - HKLM\..\Run: [mXMLIK.exe] c:\windows\system32\mXMLIK.exe
O4 - HKLM\..\Run: [4JATK3@4#AJHRM] C:\WINDOWS\system32\Kqxpex.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/021e0f2...ip/RdxIE601.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.globalwebsearch.com/winenc32.cab


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\Program Files\Open Site

files...

C:\documents and settings\alessia\local settings\temp\3.exe
C:\documents and settings\rino\local settings\temp\oF7.exe
C:\documents and settings\alessia\local settings\temp\gcqdf.exe
C:\documents and settings\alessia\local settings\temp\q6bYXh.exe
C:\documents and settings\alessia\local settings\temp\Hyw7aeXO.exe
C:\windows\system32\o6USPRl.exe
c:\windows\system32\mXMLIK.exe
C:\WINDOWS\system32\Kqxpex.exe

search for...

D0CE0C16B1 and D0CE0C16B1

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in " Safe Mode ".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster . If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
6 Years Ago
0

Crunchie,
Thank you very much. I never received such clear and concise set of instrunctions!!! I'm at work now, as soon as I get home I'll give it a try and let you know how it goes. Thanks, again.

Rino
Newbie Poster
5 posts since Jun 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

No worries :).

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
6 Years Ago
0

Hi.
Here is my new Hijackthis report. A couple of things:
1) uninst.exe runs quite fast and I'm not sure what does it do
2) in the ..\..\local settings\temp directory I cannot see a oF7.exe, but I see a of7.dll; should I delete that?

Finally, I now have Ad-Aware, SpyBot, VirusScan and now, per Crunchie suggestion, SpywareBlaster - I usually run then weekly or so, and I keep them updated. Anything else?

Again, I really appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:26 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Medion\PowerVCR II\Agent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerVCR II\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\Medion\PowerVCR II\RemoteAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Rino
Newbie Poster
5 posts since Jun 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

uninst.exe removes the peper trojan :).

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

[color=blue]Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
6 Years Ago
0

Thanks Crunchie. Great work!!!

Rino
Newbie Poster
5 posts since Jun 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

You too :).

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This question has already been solved

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed