Qoofix And Hijackthis Log Files



Qoofix v1.03 by http://www.malwarebytes.org

> Scan started on [8/26/2006] at [6:30:10 PM]

> -------------------------------------------------------------

> Terminated module: tdhbrfm.dll found in Qoofix.exe (2536)

> Terminated module: tdhbrfm.dll found in Explorer.EXE (172)

> Terminated module: tdhbrfm.dll found in THGuard.exe (736)

> Terminated module: tdhbrfm.dll found in ewido.exe (1524)

> Terminated module: tdhbrfm.dll found in swdoctor.exe (1424)

> Terminated module: tdhbrfm.dll found in Ymsgr_tray.exe (1992)

> Terminated module: tdhbrfm.dll found in ycommon.exe (4036)

> Terminated module: tdhbrfm.dll found in ybrwicon.exe (4076)

> Terminated module: tdhbrfm.dll found in nvhabw.exe (2392)

> Terminated module: tdhbrfm.dll found in dfxeb.exe (2372)

> Terminated module: tdhbrfm.dll found in dfxeb.exe (2040)

> Terminated module: tdhbrfm.dll found in dfxeb.exe (2208)

> Terminated module: tdhbrfm.dll found in ccApp.exe (724)

> -------------------------------------------------------------

> E:\WINDOWS\System32\stvem.dat will be deleted on reboot!

> E:\WINDOWS\System32\obfilcb.exe will be deleted on reboot!

> E:\WINDOWS\System32\tdhbrfm.dll will be deleted on reboot!

> E:\Documents and Settings\All Users\Start Menu\Programs\Startup\fesbh.exe will be deleted on reboot!

>

> User prompted YES to reboot, system now rebooting...

> -------------------------------------------------------------

> Scan COMPLETED SUCCESSFULLY on [8/26/2006] at [6:32:55 PM]

>

> Note: Some registry keys may have been removed.

>

>

> Logfile of HijackThis v1.99.1

> Scan saved at 6:43:07 PM, on 8/26/2006

> Platform: Windows XP SP1 (WinNT 5.01.2600)

> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

>

> Running processes:

> E:\WINDOWS\System32\smss.exe

> E:\WINDOWS\system32\csrss.exe

> E:\WINDOWS\system32\winlogon.exe

> E:\WINDOWS\system32\services.exe

> E:\WINDOWS\system32\lsass.exe

> E:\WINDOWS\system32\svchost.exe

> E:\WINDOWS\System32\svchost.exe

> E:\WINDOWS\System32\svchost.exe

> E:\WINDOWS\System32\svchost.exe

> E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

> E:\Program Files\Norton Internet Security\ISSVC.exe

> E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

> E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

> E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

> E:\WINDOWS\system32\spoolsv.exe

> E:\WINDOWS\System32\PackethSvc.exe

> E:\Program Files\ewido anti-spyware 4.0\guard.exe

> E:\WINDOWS\System32\nvsvc32.exe

> E:\Program Files\Spyware Doctor\sdhelp.exe

> E:\WINDOWS\System32\svchost.exe

> E:\WINDOWS\System32\wdfmgr.exe

> E:\WINDOWS\Explorer.EXE

> E:\Program Files\TrojanHunter 4.5\THGuard.exe

> E:\Program Files\Common Files\Symantec Shared\ccApp.exe

> E:\Program Files\ewido anti-spyware 4.0\ewido.exe

> E:\Program Files\Spyware Doctor\swdoctor.exe

> E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

> E:\Documents and Settings\Curt\Desktop\hijack\HijackThis.exe

> E:\Documents and Settings\Curt\Desktop\hijack\HijackThis.exe

>

> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

> R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

> O1 - Hosts: localhost 127.0.0.1

> O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - E:\Program Files\EarthLink\Toolbar\EScamBlk.dll (file missing)

> O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - E:\Program Files\EarthLink\Toolbar\ElnkPuB.dll (file missing)

> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

> O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll

> O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

> O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll

> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

> O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - E:\Program Files\EarthLink\Toolbar\ProtctIE.dll (file missing)

> O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

> O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

> O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - E:\Program Files\EarthLink\Toolbar\uninsttb.dll (file missing)

> O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

> O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll

> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx

> O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - E:\Program Files\EarthLink\Toolbar\Toolbar.dll (file missing)

> O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

> O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

> O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.5\THGuard.exe"

> O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"

> O4 - HKLM\..\Run: [sSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

> O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

> O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe

> O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

> O4 - HKCU\..\Run: [spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q

> O4 - Startup: Connection Manager.lnk = E:\Program Files\SBC\Connection Manager\CManager.exe

> O8 - Extra context menu item: &eBay Search - res://E:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

> O8 - Extra context menu item: EarthLink Google Search - res://E:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html

> O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

> O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

> O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

> O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

> O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

> O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll

> O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm

> O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm

> O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll

> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

> O10 - Broken Internet access because of LSP provider 'e:\windows\system32\vetredir.dll' missing

> O15 - Trusted Zone: *.elitemediagroup.net

> O15 - Trusted Zone: *.media-motor.net

> O15 - Trusted Zone: *.mmohsix.com

> O17 - HKLM\System\CCS\Services\Tcpip\..\{83B36327-9AF6-453E-9668-700DE899DBEE}: NameServer = 85.255.114.105

> O17 - HKLM\System\CCS\Services\Tcpip\..\{AE9DA02E-4A13-44CC-8C0D-71E00AA8DA70}: NameServer = 85.255.114.105

> O17 - HKLM\System\CCS\Services\Tcpip\..\{E06C9D1F-69DF-4748-84DE-DD9DC9AD79C7}: NameServer = 85.255.114.105

> O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

> O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - E:\WINDOWS\System32\v199.dll

> O20 - Winlogon Notify: wineek32 - wineek32.dll (file missing)

> O23 - Service: CAISafe - Unknown owner - E:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)

> O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

> O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe

> O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

> O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

> O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe

> O23 - Service: ISSvc (ISSVC) - Symantec Corporation - E:\Program Files\Norton Internet Security\ISSVC.exe

> O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - E:\WINDOWS\system32\drivers\KodakCCS.exe

> O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

> O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - E:\WINDOWS\System32\PackethSvc.exe

> O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

> O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

> O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe

> O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

> O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

> O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)

> O23 - Service: YPCService - Unknown owner - E:\WINDOWS\system32\YPCSER~1.EXE (file missing)

Hi aligom

Thx for posting the log here.

I don't think there is anyone around at the moment to look at the log for you, but I have notified them that a new log is here so they'll look at it as soon as they come back in.

Sometimes it can take a few days to get everything cleaned out properly, so stick with it when the experts ask you to do things and post new logs.

Good Luck!


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

  • 2 weeks later...

FIXWAREOUT LOG

Fixwareout ver 1.003

Last edited 8/11/2006

Post this report in the forums please

Reg Entries that were deleted

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik

...

Microsoft ® Windows Script Host Version 5.6

Random Runs removed from HKLM

...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»

Search five digit cs, dm and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

Directory of E:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1

Scan saved at 12:16:20 PM, on 9/16/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\csrss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

E:\Program Files\Norton Internet Security\ISSVC.exe

E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\System32\PackethSvc.exe

E:\Program Files\ewido anti-spyware 4.0\guard.exe

E:\WINDOWS\System32\nvsvc32.exe

E:\Program Files\Spyware Doctor\sdhelp.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\System32\wdfmgr.exe

E:\WINDOWS\Explorer.EXE

E:\Program Files\TrojanHunter 4.5\THGuard.exe

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\Program Files\ewido anti-spyware 4.0\ewido.exe

E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

E:\Program Files\Spyware Doctor\swdoctor.exe

E:\Documents and Settings\Curt\Application Data\U3\0E210A5151B1C8AB\LaunchPad.exe

E:\Documents and Settings\Curt\Application Data\U3\0E210A5151B1C8AB\285E6953-BF3C-4445-9376-3FE5D7F645B2\Exec\bin\SignupShield.exe

E:\Documents and Settings\Curt\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - E:\Program Files\EarthLink\Toolbar\EScamBlk.dll (file missing)

O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - E:\Program Files\EarthLink\Toolbar\ElnkPuB.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - E:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - E:\Program Files\EarthLink\Toolbar\ProtctIE.dll (file missing)

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - E:\Program Files\EarthLink\Toolbar\uninsttb.dll (file missing)

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - E:\Program Files\EarthLink\Toolbar\Toolbar.dll (file missing)

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.5\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Connection Manager.lnk = E:\Program Files\SBC\Connection Manager\CManager.exe

O8 - Extra context menu item: &eBay Search - res://E:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: EarthLink Google Search - res://E:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'e:\windows\system32\vetredir.dll' missing

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{83B36327-9AF6-453E-9668-700DE899DBEE}: NameServer = 85.255.114.105

O17 - HKLM\System\CCS\Services\Tcpip\..\{AE9DA02E-4A13-44CC-8C0D-71E00AA8DA70}: NameServer = 85.255.114.105

O17 - HKLM\System\CCS\Services\Tcpip\..\{E06C9D1F-69DF-4748-84DE-DD9DC9AD79C7}: NameServer = 85.255.114.105

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - E:\WINDOWS\System32\v199.dll

O20 - Winlogon Notify: wineek32 - wineek32.dll (file missing)

O23 - Service: CAISafe - Unknown owner - E:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - E:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - E:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - E:\WINDOWS\System32\PackethSvc.exe

O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)

O23 - Service: YPCService - Unknown owner - E:\WINDOWS\system32\YPCSER~1.EXE (file missing)


Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.

When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
