PDA

View Full Version : cmdservice



russisbored
2006-04-22, 20:58
Howdy all, I've been reading these forums and seen a lot of people complaing about cmdservice. I have the same problem, the two registry keys that I can't delete. I would rather have someone help me with it than risk doing something wrong on my computer, so could someone please help me. I get occasional popups while online, and sometimes (though not lately so I don't have the information on them) my symantec antivirus pops up telling me there was a virus and it deleted it, only to have the same one show up again. I run spybot and adware and keep them updated, but they can't delete the files. Neither could my moveonboot. any help would be hot.
Here's my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:54:43 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.houghton.edu/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\effcc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oamgngm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Alt-Tab Thingy] "C:\Program Files\Alt-Tab Thingy v3\attmain.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rrcr] "C:\DOCUME~1\JOSHUA~1.RUS\JUNKTH~1\CROSOF~1.NET\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Bkpbzq] C:\Documents and Settings\Joshua.Russell\Junk that's wanted\?racle\l?ass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.454.29157\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133470882359
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = houghton.edu
O17 - HKLM\Software\..\Telephony: DomainName = houghton.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = houghton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = houghton.edu
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ombcbcp.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

hope someone can help. That would be wonderful.

russisbored
2006-04-22, 21:43
ok, so I restarted my computer just now and symantec antivirus notification pops up:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\WINDOWS\system32\oamgngm.exe
Location: C:\WINDOWS\system32
Computer: L5296
User: Joshua.Russell
Action taken: Delete succeeded : Access denied
Date found: Saturday, April 22, 2006 2:02:08 PM

Only i know it's not really deleted, because it comes back every time I reboot. And I've searched for it and can't find it on the computer. Where is it coming from, and how do I make it go away?

illukka
2006-04-23, 23:09
hi
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido anti malware (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


then launch ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti malware.

reboot back to normal mode, post the ewido report and a log from a fresh hjt scan

russisbored
2006-04-24, 23:28
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:15:53 PM, 4/24/2006
+ Report-Checksum: B29AE5AA

+ Scan result:

[652] C:\WINDOWS\system32\tcoxtjx.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\413_615.exe -> Trojan.Small : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Joshua.Russell\Application Data\Mozilla\Firefox\Profiles\10gdwnvf.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Cookies\joshua.russell@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Joshua.Russell\Local Settings\Temp\i8B.tmp -> Adware.SurfSide : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1748916705-189427906-316617838-18524\Dc308.exe -> Downloader.Adload.ap : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\mivuwgdi.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\ssdbo.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 4:23:47 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alt-Tab Thingy v3\attmain.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\JOSHUA~1.RUS\JUNKTH~1\CROSOF~1.NET\winword.exe
C:\Documents and Settings\Joshua.Russell\Junk that's wanted\?racle\l?ass.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Updater\1.1.454.29157\GoogleUpdater.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.houghton.edu/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\effcc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oamgngm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"

/startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Alt-Tab Thingy] "C:\Program Files\Alt-Tab Thingy v3\attmain.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rrcr] "C:\DOCUME~1\JOSHUA~1.RUS\JUNKTH~1\CROSOF~1.NET\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Bkpbzq] C:\Documents and Settings\Joshua.Russell\Junk that's wanted\?racle\l?ass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google

Updater\1.1.454.29157\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

(file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

(file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program

Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133470882359
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = houghton.edu
O17 - HKLM\Software\..\Telephony: DomainName = houghton.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = houghton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = houghton.edu
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file

missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ombcbcp.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido

anti-malware\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore

Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe

(file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. -

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


oh, and the same virus popped up again when I restarted

russisbored
2006-04-24, 23:29
By the way, thanks alot for the help, and I hope we can get this whole thing fixed.

illukka
2006-04-24, 23:31
hi

lets check one thing before we proceed ( that'll be tomorrow, its midnight here )

Download and Save Blacklight (http://www.f-secure.com/blacklight/try.shtml) to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

russisbored
2006-04-25, 02:21
"F-Secure Blacklight was unable to acquire necessary priveleges (SeDebugPrivelege)."

illukka
2006-04-25, 08:13
hi

lets first fix that error:
Please download NTrights.zip (http://www10.brinkster.com/expl0iter/freeatlast/NTrights.zip) by freeatlast.
If you can't access it, download NTrights.zip via here: http://www10.brinkster.com/expl0iter/freeatlast/dumprights.htm
Save it on your desktop.
Unzip/extract it.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Open the NTrights-folder
Double click on the Debug.bat file to run it, follow any prompts it asks.

REBOOT

Doubleclick the Debug.bat again after reboot.

It will create a log.
If the log says:
"Granting SeDebugPrivilege to Administrators ... successful", you must be ok and things restored well.

then try blacklight again

russisbored
2006-04-28, 02:32
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514fixr.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514fixt.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514oem.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514oeme.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514oemg.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514oemr.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514oemt.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514sys.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514syse.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514sysg.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514sysr.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\8514syst.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85855.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85f1255.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85f1256.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85s1255.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85s1256.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85s874.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ahronbd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\andlso.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsa.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsab.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsai.ttf

russisbored
2006-04-28, 02:33
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsau.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsaub.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsaui.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsauz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\angsaz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\app850.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\app852.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\app855.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\app857.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\app866.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\arial.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\arialbi.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ariali.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ariblk.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\artrbdo.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\artro.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browa.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browab.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browai.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browau.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browaub.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browaui.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browauz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\browaz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40737.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40850.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40852.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40857.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40866.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40woa.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80737.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80850.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80852.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80857.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80866.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80869.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga80woa.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\comic.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\comicbd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordia.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiab.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiai.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiau.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiaub.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiaui.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiauz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cordiaz.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\coue1256.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\couf1255.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\couf1256.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cour.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courbd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courbi.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\coure.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\couree.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\coureg.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courer.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\couret.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courf.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courfe.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courfg.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courfr.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\courft.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\couri.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\david.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\davidtr.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\dos737.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\dosapp.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40737.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40850.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40852.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40857.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40866.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40869.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega40woa.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80737.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80850.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80852.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80857.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80866.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80869.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\ega80woa.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\estre.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\85f874.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\arialbd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\cga40869.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\coue1255.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\davidbd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\framd.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\mriamc.ttf
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\serife.fon
04/27/06 19:01:42 [Note]: 7002 0
04/27/06 19:01:42 [Note]: 7003 1
04/27/06 19:01:42 [Note]: 10002 3
04/27/06 19:01:42 [Info]: Hidden file: c:\minint\Fonts\smallee.fon

illukka
2006-05-01, 23:50
hi

Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (http://downloads.subratam.org/Lon/qooFix.bat) (rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

tashi
2006-05-08, 21:03
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.