Qoologic.bj and possible other malware removal help



Skewed
2006-06-21, 20:57
Hello. Looking at a friend's laptop, and she appears to have at least one or more nasty problems I can't remove.

Spybot S&D has been thrown against it, Norton, Hijackthis, and others, but the problem keeps coming back on every reboot.

I have tried running Brute Force Uninstaller as suggested elsewhere for automatic removal of Qoologic, but I see that the trojans are back on the next reboot.

The log from Hijackthis appears below. I have listed in bold a couple of the lines that I *think* are the problem, but there may be others. These lines keep coming back. Note that in the text below I have replaced the user's name with "Username" to protect her identity.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 2:38:16 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Username\Start Menu\Programs\Startup\CCAPP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Username\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrrwf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kmxbpch.exe
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\mljgh.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: CCAPP.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.lakeviewoaks.com/svideo.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\h44m0eh1eh4.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Skewed
2006-06-21, 20:59
P.S., forgot to mention. As soon as she connects to the Internet, it's popup window hell with ads and all sorts of junk...not so when the machine is offline.

pskelley
2006-06-22, 12:17
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, I will see what I can do. It will take both our efforts and we must communicate to be effective. You need to know that the Qoologic trojan is only one of your problems. You also have a vundo trojan and a Look2me infection that must be removed first. It is going to take some time and effort to clean you up and because this junk attracts more, I need to suggest you stay offline as much as possible to avoid additional infections. If this works for you then we will start with instructions for removing the Look2me infection.

Winlogon Notify: MS-DOS Emulation, Nls, OemStartMenuData, OfficeUpdate, OptimalLayout, policies, Reinstall, Reliability
Status: X (bad) - random named dll in the System32 folder - Variant of Adware.Look2Me

Thanks to Atribune and any others who helped with this fix. The directions must be followed if you wish the fix to work.

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Thanks...pskelley
Safer Networking Forums
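As an added illustration (not code from this thread, from HijackThis, or from the tools the helper links), here is a small Python checker that applies the reasoning of the reply above to a HijackThis log: F2 Shell/UserInit lines carrying an extra executable, O20 Winlogon Notify names from the Look2Me list, a DLL registered both as a BHO (O2) and as a Winlogon Notify handler (the pattern VundoFix later confirmed for mljgh.dll), and randomly named System32 DLLs. The sample lines are constructed from the posted log, and the "random name" test is a heuristic assumption, not a HijackThis rule.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the HijackThis v1.99.1 lines posted in this thread
# (yrrwf.exe, kmxbpch.exe, mljgh.dll and h44m0eh1eh4.dll are the names from the log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrrwf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kmxbpch.exe
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\h44m0eh1eh4.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Winlogon Notify names that the helper's reference table ties to Adware.Look2Me.
LOOK2ME_NOTIFY_NAMES = {
    "ms-dos emulation", "nls", "oemstartmenudata", "officeupdate",
    "optimallayout", "policies", "reinstall", "reliability",
}

# Line shapes HijackThis v1.99 uses for the three sections this check reads.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")


def looks_random(path: str) -> bool:
    """Heuristic (an assumption of this example, not a HijackThis rule): a DLL in
    System32 whose file stem contains digits or has no vowels at all, which catches
    names like h44m0eh1eh4.dll or mljgh.dll but not WgaLogon.dll."""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    in_system32 = "\\system32\\" in path.lower()
    has_digit = any(c.isdigit() for c in stem)
    no_vowel = not any(c in "aeiouAEIOU" for c in stem)
    return in_system32 and (has_digit or no_vowel)


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious F2 or O20 line, in log order."""
    findings: List[Dict[str, str]] = []
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: remember every BHO DLL so an O20 entry loading the same file stands out.
    bho_paths = set()
    for ln in lines:
        m = O2_RE.match(ln)
        if m:
            bho_paths.add(m.group(1).strip().lower())

    # Pass 2: check the logon-time persistence points.
    for ln in lines:
        m = F2_RE.match(ln)
        if m:
            key, value = m.group(1), m.group(2)
            parts = [p.strip() for p in value.split(",") if p.strip()]
            if key == "Shell" and [p.lower() for p in parts] != ["explorer.exe"]:
                findings.append({"section": "F2", "line": ln,
                                 "reason": "Shell must be Explorer.exe only, got: " + value})
            elif key == "UserInit" and (len(parts) != 1
                                        or not parts[0].lower().endswith("userinit.exe")):
                findings.append({"section": "F2", "line": ln,
                                 "reason": "UserInit must be userinit.exe only, got: " + value})
            continue
        m = O20_RE.match(ln)
        if m:
            name, path = m.group(1).strip(), m.group(2).strip()
            if name.lower() in LOOK2ME_NOTIFY_NAMES:
                reason = "Winlogon Notify name is on the Adware.Look2Me list"
            elif path.lower() in bho_paths:
                reason = "same DLL registered as BHO (O2) and Winlogon Notify (O20)"
            elif looks_random(path):
                reason = "randomly named DLL in System32 (heuristic)"
            else:
                continue
            findings.append({"section": "O20", "line": ln, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Each flagged line maps to one of the three infections named in the reply: the F2 extras are the Qoologic loaders, the shared mljgh.dll is the Vundo BHO, and OptimalLayout is the Look2Me notify entry.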

Skewed
2006-06-22, 15:52
Pskelley,

Thank you very much for the reply. I am not currently receiving help elsewhere, so I would appreciate help with this. P.S. I notice you are in Clearwater, I happen to be in Tampa!

Just to keep you updated because I know you are busy, I will have access to the infected laptop later today, and I will run the Look2Me Destroyer. I will post an updated Hijackthis log later today, as well as the results of the Look2Me log file.

Thanks again.

pskelley
2006-06-22, 15:57
Well howdy there, neighbor. No problems with the timing, I will work with you; I would just appreciate it if you tell them to limit online activities to checking email until we clean it up. The stuff does attract more junk, as I said. Thanks for making me aware.

Phil

Skewed
2006-06-23, 21:44
Ok, I'm finally back with the results (didn't have access to the computer yesterday). I've told them not to go online with the computer until we get these removed...

Ran L2M Destroyer, and here is the logfile. (Below that, I'll post a copy of the new Hijackthis logfile). Thanks!
---------------------------------------------------
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/23/2006 3:28:04 PM

Infected! C:\WINDOWS\system32\hrr6059se.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0018096.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0019095.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0020092.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021093.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021099.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021103.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021146.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021177.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021178.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021179.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021182.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021183.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021185.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021199.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021216.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021226.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021268.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021286.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021299.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021399.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021406.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021479.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021480.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021485.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021501.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021517.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021518.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021557.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021558.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021592.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021602.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021611.dll
Infected! C:\WINDOWS\system32\hrr6059se.dll
Infected! C:\WINDOWS\system32\kxdhela3.dll
Infected! C:\WINDOWS\system32\lvn4095qe.dll
Infected! C:\WINDOWS\system32\muc42u.dll
Infected! C:\WINDOWS\system32\mzident.dll
Infected! C:\WINDOWS\system32\s0880aluedq80.dll
Infected! C:\WINDOWS\system32\smesrv.dll
Infected! C:\WINDOWS\system32\WG9MLRES.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\hrr6059se.dll
C:\WINDOWS\system32\hrr6059se.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0018096.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0018096.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0019095.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0019095.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0020092.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0020092.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021093.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021093.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021099.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021099.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021103.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021103.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021146.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021146.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021177.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021177.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021178.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021178.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021179.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021179.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021182.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021182.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021183.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021183.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021185.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021185.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021199.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021199.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021216.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021216.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021226.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021226.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021268.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021268.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021286.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0021286.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021299.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021299.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021399.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021399.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021406.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0021406.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021479.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021479.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021480.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021480.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021485.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021485.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021501.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021501.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021517.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021517.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021518.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021518.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021557.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021557.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021558.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021558.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021592.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021592.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021602.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021602.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021611.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021611.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrr6059se.dll
C:\WINDOWS\system32\hrr6059se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kxdhela3.dll
C:\WINDOWS\system32\kxdhela3.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvn4095qe.dll
C:\WINDOWS\system32\lvn4095qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\muc42u.dll
C:\WINDOWS\system32\muc42u.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mzident.dll
C:\WINDOWS\system32\mzident.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s0880aluedq80.dll
C:\WINDOWS\system32\s0880aluedq80.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\smesrv.dll
C:\WINDOWS\system32\smesrv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\WG9MLRES.dll
C:\WINDOWS\system32\WG9MLRES.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{37007DDF-BC54-4195-B3F3-C1A00AEBDFC1}"
HKCR\Clsid\{37007DDF-BC54-4195-B3F3-C1A00AEBDFC1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3433D7A7-EED9-48D9-89D0-17E4D0A5DA6E}"
HKCR\Clsid\{3433D7A7-EED9-48D9-89D0-17E4D0A5DA6E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{77918680-B28C-4CF3-AB90-D73F2A782DD8}"
HKCR\Clsid\{77918680-B28C-4CF3-AB90-D73F2A782DD8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89B923D7-ADFA-4557-A12D-38AA2B10CF50}"
HKCR\Clsid\{89B923D7-ADFA-4557-A12D-38AA2B10CF50}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2668E747-CE18-4E80-BF09-7AF0D4C55CE6}"
HKCR\Clsid\{2668E747-CE18-4E80-BF09-7AF0D4C55CE6}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded
--------------------------------------------------------------------

Skewed
2006-06-23, 21:45
(Continued)

Here is a copy of the new Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:39 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Username\Start Menu\Programs\Startup\CCAPP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Username\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrrwf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kmxbpch.exe
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\mljgh.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: CCAPP.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.lakeviewoaks.com/svideo.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

pskelley
2006-06-23, 22:03
Thanks for returning your information, good job with that fix.

Thanks to Atribune and any others who helped with this fix

Follow these directions, keep me posted of anything you feel I should know as we proceed, thanks.

http://forums.spybot.info/showthread.php?t=4394

Thanks...Phil

Skewed
2006-06-23, 22:59
Just finished running Vundo - here's the log file from it, and a new hijackthis log....thanks!
-----------------------------------------------------
VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 4:46:05 PM 6/23/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hgjlm.tmp

C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.tmp
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.tmp
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\mljgh.dll
Attempting to delete C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.tmp
C:\WINDOWS\system32\hgjlm.tmp Has been deleted!

Performing Repairs to the registry.
Done!
------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:53:34 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Username\Start Menu\Programs\Startup\CCAPP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Username\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrrwf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kmxbpch.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: CCAPP.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.lakeviewoaks.com/svideo.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

pskelley
2006-06-23, 23:07
Looks good. Now for the Qoologic trojan: the markers are the F2 lines. If you follow the directions and execute the tools as instructed, they will be gone. Then we will do a little cleaning and get you on your way, thanks.

Thanks to LonnyRJones and anyone else who helped with this fix.

Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\

Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(right-click on this link and choose Save As)
Place qoofix.bat in your C:\BFU folder. (Important!)
Double-click qooFix.bat, then close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted, please post another HijackThis log.

Thanks...Phil
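
The two F2 lines in the log above are the Qoologic persistence markers: the Winlogon `Shell` value has a second executable appended after `Explorer.exe`, and `Userinit` has an extra executable appended after `userinit.exe`, so both run at every logon no matter how many times the files are deleted. The VundoFix listing in the earlier post shows the other pattern in this thread, a random-named DLL (`mljgh.dll`) with companion files whose base name is that name spelled backwards (`hgjlm.*`). The script below is an added example, not code from the thread or from BFU, qooFix or VundoFix: it parses HijackThis-style lines for non-default `Shell`/`Userinit` entries and flags reversed-name file pairs. The sample log lines and file list are constructed from the posted logs; the Windows XP defaults (`Explorer.exe` and `userinit.exe`) are assumed.

```python
import re

# Constructed sample lines, modelled on the F2 and O4 lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrrwf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kmxbpch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Constructed file list, modelled on the VundoFix listing posted in this thread.
VUNDO_FILES = [
    r"C:\WINDOWS\system32\mljgh.dll",
    r"C:\WINDOWS\system32\hgjlm.ini",
    r"C:\WINDOWS\system32\hgjlm.bak1",
    r"C:\WINDOWS\system32\WgaLogon.dll",   # legitimate file, must not be flagged
]

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)

# Assumed Windows XP defaults: Shell is only Explorer.exe and Userinit is only
# userinit.exe (HijackThis prints the full path; the trailing comma is normal).
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def basename(path):
    """Last path component, lower-cased, so C:\\WINDOWS\\system32\\X.exe and x.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_entries(value):
    """Shell/Userinit values are comma-separated lists of executables."""
    return [e.strip() for e in value.split(",") if e.strip()]


def find_f2_hijacks(log_text):
    """Return (key, entry) for every Shell/Userinit entry that is not the default.

    Anything appended to these two values runs at logon as the user; that is the
    hook Qoologic uses here (yrrwf.exe and kmxbpch.exe in the posted log).
    """
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key = m.group(1).lower()
        for entry in split_entries(m.group(2)):
            if basename(entry) not in EXPECTED[key]:
                findings.append((key, entry))
    return findings


def find_reversed_name_pairs(paths):
    """Return (dll_name, [companion files]) where a .dll's stem appears reversed.

    Heuristic for the Vundo-style layout in the VundoFix log: mljgh.dll next to
    hgjlm.ini / hgjlm.bak1. Palindromic stems and stems whose reverse is itself
    a DLL are ignored to keep false positives down.
    """
    stems = {}
    for p in paths:
        stem, _, ext = basename(p).partition(".")
        stems.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in stems.items():
        rev = stem[::-1]
        if "dll" in exts and rev != stem and rev in stems and "dll" not in stems[rev]:
            pairs.append((stem + ".dll", sorted(rev + "." + e for e in stems[rev])))
    return pairs


if __name__ == "__main__":
    for key, entry in find_f2_hijacks(SAMPLE_LOG):
        print(f"non-default {key} entry: {entry}")
    for dll, companions in find_reversed_name_pairs(VUNDO_FILES):
        print(f"reversed-name pair: {dll} <-> {', '.join(companions)}")
```

Run on the constructed input this reports `yrrwf.exe` and `kmxbpch.exe` as the two non-default logon entries and pairs `mljgh.dll` with the `hgjlm.*` files, while `WgaLogon.dll` is left alone. On a live machine the same two values live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and a bare file name like `kmxbpch.exe` in `Userinit` is resolved from the system directory, which is why the file has to be found and removed there rather than only from the startup folders.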

tashi
2006-06-29, 20:19
Still with us Skewed?

tashi
2006-07-04, 21:50
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.