Need Help with Winfixer 2005
Can someone please help me with getting rid of Winfixer 2005 from my system. I did run Ad-Aware Personal SE and Spybot S&D but no use. Here is the log from the HijackThis scan.
Logfile of HijackThis v1.99.1
Scan saved at 5:34:08 PM, on 10/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
E:\Oracle\ora81\bin\dbsnmp.exe
E:\Oracle\ora81\bin\vppdc.exe
E:\Oracle\ora81\Apache\Apache\Apache.exe
E:\Oracle\ora81\BIN\TNSLSNR.exe
e:\oracle\ora81\bin\ORACLE.EXE
e:\oracle\ora81\bin\ORACLE.EXE
E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
E:\Oracle\ora81\Apache\jdk\bin\java.exe
E:\Oracle\ora81\Apache\Apache\Apache.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Apoint2K\Apoint.exe
E:\WINDOWS\System32\00THotkey.exe
E:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
E:\WINDOWS\System32\TFNF5.exe
E:\WINDOWS\System32\TPWRTRAY.EXE
E:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\sysstability\tsyssmon.exe
E:\Program Files\TOSHIBA\TouchED\TouchED.Exe
E:\Program Files\D-Link\Air Utility\AirCFG.exe
E:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
E:\Program Files\palmOne\Hotsync.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\toshiba\ivp\ism\pinger.exe
E:\WINDOWS\System32\wuauclt.exe
E:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://auto-pxy.bdi.gte.com/cgi-bin/getproxy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - E:\WINDOWS\System32\efcbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] E:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] E:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TouchED] E:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [D-Link Air Utility] E:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] E:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: DataViz Inc Messenger.lnk = E:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - E:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - E:\Oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\Oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDWORACL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceDWORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SAVRoam - symantec - E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
I appreciate your time and help.
Thank you.
Comments
Please download VundoFix.exe to your desktop.
It should look like this
E:\WINDOWS\System32\efcbb.dll
- Press Enter to continue with the fix.
- Next you will see:
- At this point please type the following file path (make sure to enter it exactly as below!):
E:\WINDOWS\System32\bbcfe.*
- Press Enter to continue with the fix.
- The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
- In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - E:\WINDOWS\System32\efcbb.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll
- After you have fixed these items, close HijackThis.
- Press Enter to exit the program, then manually reboot your computer.
- Once your machine reboots, please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here, along with a new HijackThis log and the vundofix.txt file from the vundofix folder, into this topic.
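An added example, not code from the thread, from HijackThis or from VundoFix: a triage pass over HijackThis 1.99 lines that flags the pattern the helper's instructions act on in the log posted above. The heuristics are this editor's reading of that log, not a HijackThis feature: a DLL registered both as a Browser Helper Object (O2, loaded by Internet Explorer) and as a Winlogon Notify package (O20, loaded by winlogon.exe, which is why killing IE does not unload it), a BHO whose file is gone, and an O16 Downloaded Program File reached through the ms-its:/mhtml: handler rather than a plain http URL. The reversed-name companion path it derives generalises the helper's second VundoFix entry (bbcfe.* for efcbb.dll); that it holds for other Vundo file names is an assumption. SAMPLE_LOG is a constructed excerpt of the first log in the thread.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# HijackThis 1.99 line shapes for the three sections the triage looks at.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?: \(file missing\))?$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>\S+)$")
# Pluggable protocols that route a download through the HTML Help (CHM) engine;
# a .cab reached this way is not an ordinary ActiveX control download.
SUSPECT_URL_PREFIXES = ("ms-its:", "mhtml:", "its:")

# Constructed excerpt of the thread's first log (other entries omitted).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - E:\WINDOWS\System32\efcbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def reversed_twin(dll_path: str) -> str:
    """Companion file to look for: same directory, base name reversed, any extension.
    Generalises the helper's second VundoFix path (bbcfe.* for efcbb.dll); assumption."""
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + ".*"))


def triage(log_text: str):
    """Return (findings, twin_paths) for the Vundo indicators in a HijackThis log."""
    bho, notify, findings = {}, {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("BHO registered but its DLL is gone (orphaned entry)", line))
            else:
                bho[m["path"].lower()] = (m["path"], line)
        elif m := NOTIFY_RE.match(line):
            notify[m["path"].lower()] = line
        elif m := DPF_RE.match(line):
            if m["url"].lower().startswith(SUSPECT_URL_PREFIXES):
                findings.append(Finding("Downloaded Program File served through the ms-its/mhtml handler", line))

    twins = []
    # The signature in this log: one DLL registered both as a BHO (loaded by IE) and
    # as a Winlogon Notify package (loaded by winlogon.exe, so it outlives the browser).
    for key in sorted(bho.keys() & notify.keys()):
        path, bho_line = bho[key]
        findings.append(Finding("DLL registered as both BHO and Winlogon Notify package", bho_line))
        findings.append(Finding("DLL registered as both BHO and Winlogon Notify package", notify[key]))
        twins.append(reversed_twin(path))
    return findings, twins


if __name__ == "__main__":
    found, twin_paths = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print("also delete:", *twin_paths)
```

Run against the excerpt it flags exactly the four lines the helper asked to have ticked and derives E:\WINDOWS\System32\bbcfe.* as the second path to give VundoFix; Symantec's NavLogon, the Spybot and Acrobat BHOs and the Yahoo game controls are left alone.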
1) Vundo.log
VundoFix V2.15 by Atri
Listing files contained in the vundofix folder.
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
Filepaths entered
The filepath entered was E:\WINDOWS\System32\efcbb.dll
The second filepath entered was E:\WINDOWS\System32\bbcfe.*
Log from Process
Killing PID 148 'smss.exe'
Error, Cannot find a process with an image name of explorer.exe
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
E:\WINDOWS\System32\efcbb.dll Deleted sucessfully.
E:\WINDOWS\System32\bbcfe.* Deleted sucessfully.
Fixing Registry
2) HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 6:14:07 PM, on 10/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
E:\Oracle\ora81\bin\dbsnmp.exe
E:\Oracle\ora81\bin\vppdc.exe
E:\Oracle\ora81\Apache\Apache\Apache.exe
E:\Oracle\ora81\BIN\TNSLSNR.exe
e:\oracle\ora81\bin\ORACLE.EXE
e:\oracle\ora81\bin\ORACLE.EXE
E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
E:\Oracle\ora81\Apache\jdk\bin\java.exe
E:\Oracle\ora81\Apache\Apache\Apache.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Apoint2K\Apoint.exe
E:\WINDOWS\System32\00THotkey.exe
E:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
E:\WINDOWS\System32\TFNF5.exe
E:\WINDOWS\System32\TPWRTRAY.EXE
E:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
E:\Program Files\TOSHIBA\TouchED\TouchED.Exe
E:\Program Files\D-Link\Air Utility\AirCFG.exe
E:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
E:\Program Files\palmOne\Hotsync.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\Program Files\UltraEdit\uedit32.exe
E:\Program Files\UltraEdit\uedit32.exe
E:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://auto-pxy.bdi.gte.com/cgi-bin/getproxy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] E:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] E:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TouchED] E:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [D-Link Air Utility] E:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] E:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: DataViz Inc Messenger.lnk = E:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - E:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSCMGR6.EXE
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\OStore\BIN\OSSERVER.EXE
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - E:\Oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\Oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDWORACL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceDWORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SAVRoam - symantec - E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
3) ActiveScan log
Incident Status Location
Adware:Adware/Pacimedia No disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/Adtomi No disinfected C:\RECYCLER\S-1-5-21-299502267-152049171-1060284298-1003\Dc1.exe
Adware:Adware/WUpd No disinfected E:\Documents and Settings\JYOTHI\Local Settings\Temp\ICD3.tmp\MediaGatewayX.dll
Adware:Adware/WUpd No disinfected E:\Documents and Settings\JYOTHI\Local Settings\Temp\MediaGateway.exe
Adware:adware/wupd No disinfected E:\WINDOWS\system32\ide21201.vxd
Thanks again for all your help.
===============
When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.
===============
Run HiJackThis, click "Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
To help protect your system from hostile ActiveX content, or special 'downloadable' files:
Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
-
Note: Remember to regularly check for updates.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
==
Run those files that ActiveScan found through Jotti's for confirmation.
http://virusscan.jotti.org/
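An added example, not code from the thread or from HijackThis, that does by script what the helper does by eye between the two logs above: diff the 17 Oct log against the 18 Oct log and report what disappeared, what is new, which registered entries now point at a file that no longer exists, and which of the four items ticked in the first round survived. For these logs the last list is exactly the three lines the helper asks to fix again; the O20 entry shows that VundoFix deleting efcbb.dll did not remove the Winlogon Notify value that loads it. Both excerpts are constructed from the logs posted above, and the line-parsing rules are this editor's reading of HijackThis 1.99 output ("(file missing)" appended to O20/O23 entries, "(no file)" in place of the path on O2 entries).

```python
import re

# One HijackThis R/O entry; the tag 1.99 appends when the file on disk is gone
# is captured separately so the entry can be keyed without it.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*?)(?P<missing> \(file missing\))?$")

# Constructed excerpts of the thread's two logs (17 Oct before the fix, 18 Oct after).
BEFORE = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - E:\WINDOWS\System32\efcbb.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
"""
AFTER = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
"""
# The four entries the helper asked to have ticked in the first round.
TICKED_FIRST_ROUND = [
    r"O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - E:\WINDOWS\System32\efcbb.dll",
    r"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab",
    r"O20 - Winlogon Notify: efcbb - E:\WINDOWS\System32\efcbb.dll",
]


def parse_entries(log_text):
    """Map each R/O entry (keyed without the '(file missing)' tag) to whether its file is absent."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key = f"{m['section']} - {m['body']}"
            # O2 lines report an absent DLL as '(no file)' in place of the path.
            entries[key] = bool(m["missing"]) or m["body"].endswith("(no file)")
    return entries


def verify_fix(before_log, after_log, ticked):
    """Diff two logs and report which ticked items survived the fix."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    ticked_keys = set(parse_entries("\n".join(ticked)))
    return {
        "removed": sorted(set(before) - set(after)),
        "new": sorted(set(after) - set(before)),
        "orphaned": sorted(k for k, absent in after.items() if absent),
        "still_to_fix": sorted(ticked_keys & set(after)),
    }


if __name__ == "__main__":
    for label, items in verify_fix(BEFORE, AFTER, TICKED_FIRST_ROUND).items():
        print(label)
        for item in items:
            print("   ", item)
```

The only entry that actually went away is the MSEvents BHO, because HijackThis drops a BHO line once both the CLSID registration and the file are gone; the Winlogon Notify value, the orphaned BHO CLSID and the O16 ms-its entry are registry state that file deletion does not touch, which is why a second "Fix checked" pass is needed and why a fresh log after every step is the right check.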