| Thread ID: 68127 | 2006-04-18 18:29:00 | Help with Spyware Quake Removal..... | bushkadesigns (10236) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 447229 | 2006-04-18 18:29:00 | Hi, my machine's been infected with Spyware Quake, any help would be appreciated in how to remove. It's caused all sorts of nastiness to pop up as well and I'm having no luck getting rid of any of it. Here's the Hijack log. Thanks for your help, bushka

Logfile of HijackThis v1.99.1
Scan saved at 1:26:49 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winBC2.tmp.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp72DE.tmp
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe /h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100000000002} - code.jcash.biz
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - scan.safety.live.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload.macromedia.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe |
bushkadesigns (10236) | ||
| 447230 | 2006-04-18 21:22:00 | Have a read through this (malwareremoval.com) page. | CYaBro (73) | ||
| 447231 | 2006-04-18 21:43:00 | Boot into safe mode, run HijackThis again, tick these entries and click fix checked.

C:\WINDOWS\system32\nvctrl.exe - This belongs to a trojan. - Delete this file in safe mode.
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe - See if this appears in Add/Remove Programs. Uninstall it if it is.
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe - Same as above. Follow the info here (securityresponse.symantec.com)
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE - This isn't nasty but isn't needed in startup
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe /h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {00000000-0000-0000-0000-100000000002} - code.jcash.biz
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll - This belongs to a trojan and possibly a dialler. - Tick this then click on fix checked. Then delete this file in safe mode. |
Speedy Gonzales (78) | ||
| 447232 | 2006-04-19 01:49:00 | You should keep these...

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

They are not missing. It's a fault with HJT.

-----------------------

With this one

O20 - Winlogon Notify: winhdn32

download Look2Me-Destroyer.exe (www.atribune.org) to your desktop and close all windows before continuing.
Doubleclick Look2Me-Destroyer.exe to run it and put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Restart your computer and please post the contents of C:\Look2Me-Destroyer.txt

If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. www.ascentive.com |
Pancake (6359) | ||
| 447233 | 2006-04-19 02:22:00 | To fully remove all the files from SpywareQuake

Download smitRem.exe (noahdfear.geekstogo.com) from here and save the file to your desktop. Doubleclick on the file and extract it to its own folder.

Next, download the trial version of Ewido Security Suite (www.ewido.net) from here and install it. When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu". Launch Ewido (there should be an icon on your desktop, doubleclick it). The program will now go to the main screen. You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido: ewido manual updates www.ewido.net. Do not run a scan yet.

Download FixSF.reg from here www.bleepingcomputer.com (rightclick and choose "Save File As" or "Save Link As") and save the file to your desktop. Doubleclick on it and OK the prompt to merge with your registry.

When you have done this, boot into Safe Mode, open the smitRem folder and then doubleclick RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido. Click on scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido.

Save the contents of the smitfiles.txt log and the Ewido Log. Post them back here. You may have to make a couple of posts to do this. |
Pancake (6359) | ||
| 447234 | 2006-06-03 16:35:00 | As per the instructions that were posted, I followed them and my computer is spyware free, here are the text file contents:

smitRem © log file
version 2.9

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Sat 06/03/2006
The current time is: 1:25:48.68
Running from D:\Documents and Settings\any\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export (GetSTS.exe)

SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~
Antivirus Test Online.url

~~~ system32 folder ~~~
hvnwm.dll
regperf.exe
simpole.tlb
stdole3.tlb
dcomcfg.exe
amcompat.tlb
nscompat.tlb
1024 dir
ld****.tmp
hp***.tmp

~~~ Icons in System32 ~~~
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 688 'explorer.exe'

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix (GetSTS.exe)

SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~
CLEAN! :)

and the ewido text file:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:07:09 AM, 6/3/2006
+ Report-Checksum: D8733A57

+ Scan result:

:mozilla.14:D:\Documents and Settings\any\Application Data\Mozilla\Firefox\Profiles\uvwfbjun.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
D:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup

::Report End

Thank god that drama is over... 2 1/2 hours beginning and 2 overnight scans later and it's done... thanks |
datigger252 (10237) | ||
| 447235 | 2006-06-04 01:00:00 | Can you post a new HJT log so we can see if it's all gone.... | Pancake (6359) | ||
| 447236 | 2006-06-06 04:45:00 | Hello. I've followed these instructions fully but when I restarted I still see the pop up notifications in my system tray so I'm guessing the Quake spyware was not removed? Any help is appreciated, thank you. I can provide you with my ewido log too but for now here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:32 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\bedea4c.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Master\My Documents\download\HJT199\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [bedea4c.exe] C:\WINDOWS\system32\bedea4c.exe
O4 - HKCU\..\Run: [bedea4c.exe] C:\Documents and Settings\GeniuZ\Local Settings\Application Data\bedea4c.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE |
imageniuz (10238) | ||
| 447237 | 2006-06-06 05:02:00 | C:\WINDOWS\system32\bedea4c.exe
O4 - HKLM\..\Run: [bedea4c.exe] C:\WINDOWS\system32\bedea4c.exe
O4 - HKCU\..\Run: [bedea4c.exe] C:\Documents and Settings\GeniuZ\Local Settings\Application Data\bedea4c.exe

These are suspect. Check what they are for. Also install antivirus and firewall. There are plenty of good free ones available. |
tweak'e (69) | ||
| 447238 | 2006-06-06 07:25:00 | Run HJT and remove these items and delete the (red) file.

O4 - HKLM\..\Run: [bedea4c.exe] C:\WINDOWS\system32\bedea4c.exe
O4 - HKCU\..\Run: [bedea4c.exe] C:\Documents and Settings\GeniuZ\Local Settings\Application Data\bedea4c.exe

C:\WINDOWS\system32\bedea4c.exe |
Pancake (6359) | ||
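The checks the helpers in this thread apply by eye (an executable loading from TEMP or with a .tmp name, an autorun pointing into a user's Local Settings\Application Data folder, a random-looking hex name in system32, the same Run value name registered under both HKLM and HKCU, an entry marked "(file missing)") can be scripted as a first pass over a HijackThis log. The Python below is an added example, not a HijackThis feature or a tool anyone in the thread used; the sample lines are copied from the logs posted above and the heuristics and flag names are my own. A hit means "look at this entry by hand", nothing more.

```python
"""First-pass triage of HijackThis-style log lines.

Added example for this thread; it is not a HijackThis feature or a tool
the helpers used. The heuristics are mine and mirror what the replies
above keyed on by eye. A hit means "check this entry by hand", nothing more.
"""
import re
from collections import defaultdict

# O4 autorun lines: "O4 - HKLM\..\Run: [ValueName] C:\path\file.exe /args"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# O2/O3/O9/O20 lines: "O2 - BHO: name - {CLSID} - C:\path\file.dll"
LOAD_RE = re.compile(r"^(O2|O20|O3|O9) - [^:]+: (.*?) - (?:\{[0-9A-Fa-f-]+\} - )?(.+)$")
# Random-looking names such as bedea4c.exe or hp72DE.tmp: up to two letters
# followed by four to eight hex digits.
HEX_NAME_RE = re.compile(r"\\[a-z]{0,2}[0-9a-f]{4,8}\.(exe|dll|tmp)(\.exe)?$", re.I)


def extract_path(value: str) -> str:
    """Return the program path from an O4 value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|tmp|scr|bat))(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def path_flags(path: str) -> list:
    """Heuristic reasons a loaded file deserves a manual look."""
    low = path.lower()
    flags = []
    if "\\temp\\" in low or low.endswith(".tmp") or ".tmp." in low:
        flags.append("runs from TEMP or .tmp name")
    if "local settings\\application data\\" in low:
        flags.append("autorun in user profile data dir")
    if "\\system32\\" in low and HEX_NAME_RE.search(path):
        flags.append("random-looking name in system32")
    if "(file missing)" in low:
        flags.append("file missing")
    return flags


def triage(log_text: str) -> dict:
    """Map each suspicious log line to its list of flags."""
    findings = {}
    by_name = defaultdict(list)  # Run value name -> [(hive, line)]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, value = m.groups()
            by_name[name.lower()].append((hive, line))
            flags = path_flags(extract_path(value))
        else:
            m = LOAD_RE.match(line)
            if not m:
                continue
            flags = path_flags(m.group(3))
        if flags:
            findings[line] = flags
    # The same value name under both HKLM and HKCU (as bedea4c.exe is above)
    # is worth a look even when each path on its own looks quiet.
    for entries in by_name.values():
        if {hive for hive, _ in entries} >= {"HKLM", "HKCU"}:
            for _, line in entries:
                findings.setdefault(line, []).append("same Run name under HKLM and HKCU")
    return findings


def flags_for(findings: dict, needle: str) -> list:
    """Flags of the first flagged line containing `needle`, or [] if none."""
    for line, flags in findings.items():
        if needle in line:
            return flags
    return []


# Sample lines copied from the logs posted in this thread (constructed input).
SAMPLE = r"""
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp72DE.tmp
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bedea4c.exe] C:\WINDOWS\system32\bedea4c.exe
O4 - HKCU\..\Run: [bedea4c.exe] C:\Documents and Settings\GeniuZ\Local Settings\Application Data\bedea4c.exe
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

if __name__ == "__main__":
    for line, flags in triage(SAMPLE).items():
        print(line)
        for flag in flags:
            print("    ->", flag)
```

On the sample it flags the .tmp BHO, both bedea4c.exe autoruns and the missing toolbar DLL, and stays quiet on hkcmd.exe, qttask.exe and the Intel igfxcui notify DLL. Global Startup and O16 lines are not parsed; extend LOAD_RE if you want them covered.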