Trying to get rid of CoolWWWSearch.WCADW (Hijackthis log)



willr666
2005-11-20, 09:25
Ok - can someone _please_ help me here....

Thanks
Will

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:19:36 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\windows\adtech2005.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
C:\PROGRA~1\COMMON~1\wfoo\wfooa.exe
C:\WINDOWS\d2lsbA\command.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\will\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [wfoo] C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906418046
O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_settings/includes/vzTCPConfig.cab
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

willr666
2005-11-20, 09:26
Oh and I have Desktop.ActiveDesktop too (that I can't get rid of...)
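
Added example (the editor's own code, not HijackThis code and not posted by anyone in this thread): a small triage script that applies to the log above the rules a removal helper applies by eye. It parses the R/F/O lines, extracts the file or URL each persistence entry points at, and flags IE pages redirected to a local HTML file, anything chained onto the Winlogon shell, autoruns dropped straight into the Windows directory, unrecognised Winlogon Notify and SSODL DLLs, and vendor-less services running from odd folders. The allowlist of known-good components (vptray.exe, CMGrdian.exe, NavLogon.dll) is an assumption about this particular machine, and the sample is a constructed subset of the poster's first log.

```python
"""Triage a HijackThis v1.99 log. Added example; heuristics and the
per-machine allowlist are the editor's assumptions, not HijackThis rules."""
import re
from dataclasses import dataclass

# Constructed subset of the poster's first log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# Assumed allowlist for this machine: the AV components the poster runs.
KNOWN_GOOD = {"vptray.exe", "cmgrdian.exe", "navlogon.dll"}
WINDIR = r"c:\windows"
MISSING = "(file missing)"

@dataclass
class Finding:
    code: str      # HijackThis section (R0, O4, ...)
    severity: str  # "high": fix it; "review": orphan or not yet verified
    target: str    # file or URL the entry points at
    reason: str

def first_path(cmd: str) -> str:
    """Executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""

def parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def split_missing(path: str):
    return path.replace(MISSING, "").strip(), path.endswith(MISSING)

def triage_line(line: str):
    m = re.match(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$", line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):                       # IE start/search pages
        value = rest.split(" = ", 1)[1]
        if re.match(r"^[a-z]:\\", value, re.I):
            return Finding(code, "high", value, "IE page points at a local HTML file (fake warning page)")
        if value == "about:blank":
            return Finding(code, "review", value, "search setting blanked; reset it")
    elif code == "F2" and rest.startswith("REG:system.ini: Shell="):
        shell = rest[len("REG:system.ini: Shell="):].strip()
        if shell.lower() != "explorer.exe":        # extra shell program runs at every logon
            extra = shell[len("explorer.exe"):] if shell.lower().startswith("explorer.exe") else shell
            return Finding(code, "high", first_path(extra), "extra program chained onto the Winlogon shell")
    elif code == "O4":
        m4 = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
        path = first_path(m4.group("cmd")) if m4 else ""
        if m4 and m4.group("name").lower() == "shell":
            return Finding(code, "high", path, "Run value named 'Shell' mimics the Winlogon shell setting")
        if basename(path) in KNOWN_GOOD:
            return None
        if parent_dir(path) == WINDIR:             # nothing legitimate installs itself there
            return Finding(code, "high", path, "autorun dropped directly into the Windows directory")
        return Finding(code, "review", path, "autorun not on the allowlist")
    elif code == "O20" and rest.startswith("Winlogon Notify: "):
        path, missing = split_missing(rest[len("Winlogon Notify: "):].split(" - ", 1)[1])
        if missing:
            return Finding(code, "review", path, "orphaned Winlogon Notify entry; remove it")
        if basename(path) not in KNOWN_GOOD:
            return Finding(code, "high", path, "unrecognised DLL loaded into winlogon.exe")
    elif code == "O21":
        path, missing = split_missing(rest.split(" - ")[-1])
        if missing:
            return Finding(code, "review", path, "orphaned SSODL entry; remove it")
        return Finding(code, "high", path, "SSODL loads an unrecognised DLL into explorer.exe")
    elif code == "O23" and rest.startswith("Service: "):
        parts = rest[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            name, _, path = parts
            short = re.search(r"\(([^()]+)\)$", name)     # short name used by sc.exe
            svc = short.group(1) if short else name
            d = parent_dir(path)
            if d.startswith(WINDIR + "\\") and basename(d) not in ("system32", "system"):
                return Finding(code, "high", path, f"no-vendor service in odd Windows subfolder; remove with 'sc delete {svc}'")
            return Finding(code, "review", path, f"service {svc} has no vendor string")
    return None

def triage_log(text: str):
    return [f for f in map(triage_line, text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:3} {f.target}  <- {f.reason}")
```

Everything the script marks "high" is in the list of items the helper later asked to have fixed; the "review" items are the orphaned entries and the two unverified autoruns, which is where a helper spends the manual look-up time.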

LonnyRJones
2005-11-20, 11:50
Hi Will
Welcome to the forum
Let's check first with a log from BlackLight.
Download and run BlackLight:
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Leave [X] Scan through Windows Explorer checked,
click Scan, then Next, Next again, then Exit.
There will be a new .txt file next to BlackLight. Please post it.

willr666
2005-11-20, 17:16
I am running ewido too (FYI)

Ran BlackLight, but the log is about 30x the character limit... Here is the very beginning, in case there is something I can search for (or if you have other ideas how to get this log to you...).


11/20/05 09:58:24 [Info]: BlackLight Engine 1.0.25 initialized
11/20/05 09:58:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/20/05 09:58:25 [Note]: 4019 4
11/20/05 09:58:25 [Note]: 4005 0
11/20/05 09:58:29 [Note]: 4006 0
11/20/05 09:58:29 [Note]: 4011 1968
11/20/05 09:58:30 [Note]: 4018 156
11/20/05 09:58:30 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
11/20/05 09:58:30 [Note]: 4018 204
11/20/05 09:58:30 [Info]: Hidden process: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
11/20/05 09:58:30 [Note]: FSRAW library version 1.7.1013
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\ace.dll
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\AI_19-11-2005.log
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\AI_20-11-2005.log
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000029_43800f53_0001312d
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000029_43801f74_0007a120
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000007b_438004d2_00007a12
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000008c_438004c2_000c28cb
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000008e_438004be_0001ab3f
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000094_4380065f_00040d99
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000099_43800f92_00094c5f
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000099_4380219e_000f0537
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000000c1_438004a3_00053ec6
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000000e5_43800f20_000e1113
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000000eb_438004c1_000af79e
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000000f8_43800690_000a037a
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000120_4380040a_000d59f8
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000120_438021c4_000e1113
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000124_43800f93_000c28cb
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000124_4380219f_00031975
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000012c_43800519_0002625a
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000412f_438004a1_000ca2dd
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00004101_43800519_000e4e1c
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000041da_43800660_000cdfe6
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000421d_43800f20_00090f56
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000422d_4380042a_000501bd
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00004230_4380041c_000d59f8
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00004242_438004ea_0003567e
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000424c_438004eb_00076417
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000428b_43800401_000d59f8
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000428b_438021a7_000d1cef
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000042be_438004cc_000f0537
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000042d6_43800672_000632ea
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000042e4_43800688_00066ff3
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00005f32_43800410_000dd40a
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00005f49_43800413_00022551
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00005fa8_438004a4_000f0537
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006014_438004d2_0007de29
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006032_4380041d_0002dc6c
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006032_438023ad_000b34a7
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006048_4380047a_00081b32
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006092_43800692_000aba95
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000060be_43800652_0007270e
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000060bf_43800428_000d59f8
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\000060bf_438023c6_0000b71b
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00006117_4380051a_0006ea05
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Note]: 4003 1
11/20/05 09:58:31 [Note]: 10002 3
]: Hidden file: C:\Program Files\Quiintel\Cache\

willr666
2005-11-20, 17:18
More interesting excerpts from BlackLight:
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ea4_43800659_00090f56
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ed5_43800670_00094c5f
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00003ee9_438004a4_000b34a7
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\data.bin
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\qoses.exe
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1
11/20/05 09:58:40 [Note]: 10002 3
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\WinGenerics.dll
11/20/05 09:58:40 [Note]: 4002 0
11/20/05 09:58:40 [Note]: 4003 1

and

11/20/05 09:58:50 [Note]: 10002 3
11/20/05 09:58:51 [Info]: Hidden file: C:\WINDOWS\system32\drivers\mskbport.sys
11/20/05 09:58:51 [Note]: 4002 0
11/20/05 09:58:51 [Note]: 4003 1
11/20/05 09:58:51 [Note]: 10002 1
11/20/05 09:58:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
11/20/05 09:58:54 [Note]: 4002 0
11/20/05 09:58:54 [Note]: 4003 1
11/20/05 09:58:54 [Note]: 10002 1
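
Added example (the editor's own code, not F-Secure's and not from this thread): since the full BlackLight log was far over the post limit, a script that reduces it to what a helper actually needs, namely the hidden processes, a count of hidden files per directory, and the hidden exe/dll/sys files. The line format is read off the excerpts above; the sample below is a constructed subset of them and deliberately includes the truncated fragment the paste ended on, which the parser counts and skips rather than misreads.

```python
"""Condense an F-Secure BlackLight log. Added example; the line format
is taken from the excerpts in this thread, not from an F-Secure spec."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d \[(?P<level>\w+)\]: (?P<msg>.*)$")
CODE_EXT = (".exe", ".dll", ".sys")

# Constructed excerpt of the poster's log, ending on the truncated fragment.
SAMPLE = r"""
11/20/05 09:58:24 [Info]: BlackLight Engine 1.0.25 initialized
11/20/05 09:58:30 [Note]: 4018 156
11/20/05 09:58:30 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
11/20/05 09:58:30 [Info]: Hidden process: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\ace.dll
11/20/05 09:58:31 [Note]: 4002 0
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000029_43800f53_0001312d
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\00000029_43801f74_0007a120
11/20/05 09:58:31 [Info]: Hidden file: C:\Program Files\Quiintel\Cache\0000007b_438004d2_00007a12
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\data.bin
11/20/05 09:58:40 [Info]: Hidden file: C:\PROGRAM FILES\QUIINTEL\OCCSENS.EXE
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\qoses.exe
11/20/05 09:58:40 [Info]: Hidden file: C:\Program Files\Quiintel\WinGenerics.dll
11/20/05 09:58:51 [Info]: Hidden file: C:\WINDOWS\system32\drivers\mskbport.sys
11/20/05 09:58:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\ASYQDVD.EXE
]: Hidden file: C:\Program Files\Quiintel\Cache\
"""

def summarize_blacklight(text):
    """Group hidden objects: processes, file counts per directory, code files."""
    processes, files, skipped = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # truncated or garbled paste fragment
            continue
        if m.group("level") != "Info":
            continue              # [Note] lines are engine diagnostics
        msg = m.group("msg")
        if msg.startswith("Hidden process: "):
            processes.append(msg[len("Hidden process: "):])
        elif msg.startswith("Hidden file: "):
            files.append(msg[len("Hidden file: "):])
    dirs = Counter(p.lower().rsplit("\\", 1)[0] for p in files)
    code = [p for p in files if p.lower().endswith(CODE_EXT)]
    return {
        "processes": processes,
        "dirs": dirs,
        "code": code,
        "drivers": [p for p in code if p.lower().endswith(".sys")],  # kernel component
        "skipped": skipped,
    }

def render(summary):
    """Short text that fits in a forum post."""
    out = ["Hidden processes:"] + ["  " + p for p in summary["processes"]]
    out.append("Hidden files per directory:")
    out += [f"  {n:5d}  {d}" for d, n in summary["dirs"].most_common()]
    out.append("Hidden code (look these up or submit them):")
    out += ["  " + p for p in summary["code"]]
    if summary["skipped"]:
        out.append(f"({summary['skipped']} unparseable line(s) skipped)")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize_blacklight(SAMPLE)))
```

The hidden .sys under drivers is the part to single out: a hidden kernel driver is what makes the other files and processes invisible, so it must come out before file-level cleanup is trusted.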

LonnyRJones
2005-11-20, 22:34
Hi

Make a folder at C:\antispyware and place HijackThis.exe there.


Set Windows to show hidden files, folders and file extensions.
Instructions: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Close all browser windows and shut down all other programs that show in the taskbar (even folders).
Start HijackThis and place a check next to these items, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [wfoo] C:\PROGRA~1\COMMON~1\wfoo\wfoom.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ksdsp.dll (file missing)
====================================
Hit Fix checked and close HijackThis.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
If you miss Safe Mode, try again.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, do a full scan with Ewido, Spybot and your antivirus program, one at a time.

Find and delete (ONLY THESE EXACT) files and folders (if present):
C:\WINDOWS\system32\mspostsp.exe
C:\WINDOWS\system32\msupdate32.dll
c:\windows\system32\mdms.exe
C:\WINDOWS\system32\child.dll
C:\WINDOWS\system32\floop32.dll
C:\WINDOWS\system32\latest.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\sysvcs.exe
C:\WINDOWS\system32\temploader.exe
C:\WINDOWS\system32\winacpi.dll
C:\WINDOWS\system32\winuc386.exe
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\~update.exe
C:\WINDOWS\B.tmp
C:\WINDOWS\desktop.html
C:\WINDOWS\hammer.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\ms1.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\sstray.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool5.exe
C:\WINDOWS\uniq
C:\WINDOWS\toolbar.exe
C:\WINDOWS\winext.exe
C:\windows\timessquare.exe
C:\windows\adtech2005.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
c:\secure32.html
and these folders:
C:\WINDOWS\d2lsbA\command.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\Program Files\Common Files\wfoo\wfoom.exe


Open a command prompt (Start > Run, type cmd) and type:
sc delete cmdService
Hit Enter, then type exit and hit Enter.

In the Windows Control Panel click Display > Desktop > Customize Desktop > Web and uncheck "Security"
if present. Now, back on the first tab of Display, you can change your wallpaper.

Reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

willr666
2005-11-21, 00:58
Ok - here are the notes:
AproposFix generated an IP error (I did not boot into Safe Mode with Networking)
Ewido found and corrected 26 items
Spybot found: Desktop.ActiveDesktop and Smitfraud-C
Symantec AV found no viruses
From the list of files to delete I found:
Desktop.html (x2)
Secure32.html (x2)
uniq

Here is the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:52:07 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Antispyware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906418046
O16 - DPF: {8B7D2210-CC81-4F59-A486-4409FB485D4A} (RegConfig Class) - http://www2.verizon.net/help/fios_settings/includes/vzTCPConfig.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Here is the log for AproposFix:
Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\will\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CrTTEAB9gN79]
@=".qpO0OKZaaZaabaHMHV.QUZaaZpca5v q\\51aRXRSDLgfaCQHUDQRaLRJAONQSbRXR"
"Device"="\\\\.\\iniwPrv"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mskbport.sys"
"DriverName"="PDCpRpl"
"HideUninstallerName"="C:\\Program Files\\Quiintel\\qoses.exe"
"HDll"="C:\\WINDOWS\\system32\\odeights.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xa56007f-fede-163b-9e3a-0a3a70f1b977}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"ClientName"="C:\\Program Files\\Quiintel\\occsens.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\asyqdvd.exe"
"Version"="2.0.128"

************

Removing hidden service:
Service PDCpRpl removed.

Removing hidden folder:
Deletion of folder Quiintel succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\mskbport.sys succeeded!
Deletion of file C:\WINDOWS\system32\asyqdvd.exe succeeded!
Deletion of file C:\WINDOWS\system32\odeights.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CrTTEAB9gN79]
[-HKEY_LOCAL_MACHINE\Software\CrTTEAB9gN79]

Done!

Finished!
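
Added example (the editor's own code, not part of AproposFix and not from this thread): the hidden key the tool dumped above is itself the map of the infection, since it names the kernel driver, the service it registers, the hidden uninstaller, the injected DLL, the client, the auto-updater and the ad server. The script parses that REGEDIT4-style dump, derives the removal plan it implies, and checks the plan against the deletions the tool reported, so that nothing the key referenced is left behind. Both inputs are constructed from the post above; the value-syntax handling (quoted strings with backslash escapes, dword:hex) covers only what that dump uses.

```python
"""Derive a removal plan from a dumped registry key and verify it against
the cleanup tool's report. Added example, not AproposFix code."""
import re

# Constructed from the "Registry entries found" block in the post above.
REG_DUMP = r'''
[HKEY_LOCAL_MACHINE\Software\CrTTEAB9gN79]
@=".qpO0OKZaaZaabaHMHV.QUZaaZpca5v q\\51aRXRSDLgfaCQHUDQRaLRJAONQSbRXR"
"Device"="\\\\.\\iniwPrv"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mskbport.sys"
"DriverName"="PDCpRpl"
"HideUninstallerName"="C:\\Program Files\\Quiintel\\qoses.exe"
"HDll"="C:\\WINDOWS\\system32\\odeights.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xa56007f-fede-163b-9e3a-0a3a70f1b977}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"ClientName"="C:\\Program Files\\Quiintel\\occsens.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\asyqdvd.exe"
"Version"="2.0.128"
'''
# Constructed from the tool's own report further down the same post.
FIX_LOG = r'''
Service PDCpRpl removed.
Deletion of folder Quiintel succeeded!
Deletion of file C:\WINDOWS\system32\drivers\mskbport.sys succeeded!
Deletion of file C:\WINDOWS\system32\asyqdvd.exe succeeded!
Deletion of file C:\WINDOWS\system32\odeights.dll succeeded!
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<val>.*)$')

def unescape(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text):
    key, values = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name") if m.group("name") is not None else "@"
        val = m.group("val")
        if val.startswith("dword:"):
            values[name] = int(val[6:], 16)
        elif val.startswith('"'):
            values[name] = unescape(val)
    return key, values

def removal_plan(values):
    """Files, services and network indicators the key points at."""
    strings = {k: v for k, v in values.items() if isinstance(v, str)}
    files = sorted(v for v in strings.values() if re.match(r"^[A-Za-z]:\\", v))
    services = [strings[k] for k in ("DriverName",) if k in strings]
    # Host names only from URL-looking values or *Server*/*Address* keys, so
    # random-looking data such as the default value is not mistaken for one.
    hosts = set()
    for k, v in strings.items():
        if v.startswith("http") or "server" in k.lower() or "address" in k.lower():
            m = re.match(r"^(?:https?://)?([^/\s:]+)", v)
            if m:
                hosts.add(m.group(1).lower())
    return {"files": files, "services": services, "hosts": sorted(hosts)}

def verify_cleanup(plan, fix_log):
    """Anything in the plan the tool did not report deleting."""
    deleted = set(re.findall(r"^Deletion of file (.+) succeeded!$", fix_log, re.M))
    folders = re.findall(r"^Deletion of folder (.+) succeeded!$", fix_log, re.M)
    gone = set(re.findall(r"^Service (\S+) removed\.$", fix_log, re.M))
    def covered(path):
        return path in deleted or any(f"\\{d}\\" in path for d in folders)
    return {"files_left": [f for f in plan["files"] if not covered(f)],
            "services_left": [s for s in plan["services"] if s not in gone]}

if __name__ == "__main__":
    key, values = parse_reg(REG_DUMP)
    plan = removal_plan(values)
    print(key, plan, verify_cleanup(plan, FIX_LOG), sep="\n")
```

For this dump the check comes back empty: the two Quiintel executables are covered by the folder deletion, the driver, DLL and updater by explicit file deletions, and PDCpRpl by the service removal. The host name is the one entry to carry forward into a hosts-file or proxy block.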

LonnyRJones
2005-11-21, 01:46
Looks good

Have HJT fix this item
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\oehjadlc.dll (file missing)


How is your desktop behaving? Any other problems?

willr666
2005-11-21, 02:43
Thanks Lonny!!!!

Right now I am not experiencing the flood of IE windows that were opening.

Is there anything else I should be on the lookout for (or use to make sure?)

Thank you very much,
Will

LonnyRJones
2005-11-21, 07:38
Are you using McAfee antivirus and Norton?

Next: Take some preventative measures
Put in place a good hosts file http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
How did that go?
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279