hijacked browser toolbar not removed and still active

Greetings,

My IE 6 has a toolbar that should not be there with an uninstall option at the side. If clicked, goes to multiple gambling sites/porn sites.

I just ran Spybot, found a lot of files and duly deleted. Restarted my machine and launched IE but the tool bar is still there and still active.

KIndly advise.

Thanks and regards,
Vincent.

My report:

--- Report generated: 2006-05-09 05:34 ---

Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net\www\*!=W=4

Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redfunny.com\www\*!=W=4

Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skymasters.biz\www\*!=W=4

Sfonditalia: Link (File, fixed)
C:\Documents and Settings\Administrator\My Documents\WinMoviePlugIn.lnk

CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSEnable

CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSHint

CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSList

CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSMenu

CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSReset

CnsMin: Library (File, fixed)
C:\WINDOWS\Downloaded Program Files\CnsMin.dll

ISearchTech.YSB: Module usage (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YSBactivex.dll

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656A137-B161-CADD-9777-E37A75727E78}

SurfSideKick: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Security\rpt

UnSpyPc: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\UnSpyPC

UnSpyPc: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC

UnSpyPc: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\UnSpyPC

UnSpyPc: Program directory (Directory, fixed)
C:\Program Files\UnSpyPC\

UnSpyPc: Data (File, fixed)
C:\Program Files\UnSpyPC\wover.dat

WareOut: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-2734-477F-8257-27CD04F88779}

Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

FindSpy.A: Sound file (File, fixed)
C:\WINDOWS\balloon.wav

CnsMin: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSAutoUpdate

Pipas.A: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

MediaPlex: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)


CnsMin: Tracking cookie (Firefox: default) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-05 Includes\Cookies.sbi (*)
2006-05-05 Includes\Dialer.sbi (*)
2006-05-05 Includes\Hijackers.sbi (*)
2006-05-05 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-05-05 Includes\Malware.sbi (*)
2006-05-05 Includes\PUPS.sbi (*)
2006-05-05 Includes\Revision.sbi (*)
2006-05-05 Includes\Security.sbi (*)
2006-05-05 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-05 Includes\Trojans.sbi (*)

Hi

Download a self-extracting copy of HijackThis from :-
http://downloads.malwareremoval.com/hijackthis_sfx.exe
1. save it to your Desktop.
2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
C:\Program Files\HijackThis
3. Go to this folder and run the hijackthis.exe file
4. click Do a system scan and save a logfile
5. Copy & paste the logfile into your next post here...

steam

Thank you for your response. Hijack results:

Logfile of HijackThis v1.99.1
Scan saved at 5:06:04 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Redid the hijack as google was not on previously. The unwanted bar is somehow attached to google's.

Logfile of HijackThis v1.99.1
Scan saved at 5:11:59 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

HI

First go to Add/remove programs in the control panel and uninstall UnSpyPC it is a rogue program...

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Then...

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/


O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221


Reboot then delete the following files (if found) :-

C:\WINDOWS\system32\ksnhb.dll ... file

C:\Program Files\UnSpyPC ... folder

cheers

steam

Thank you for the help. My system is clear.

After removal of malware, windows explorer keeps hanging

Greetings,

After having remove spyware and malware with help from here (thank you!) from my windows xp pro, it seems that whenever I open a few windows (not Browser windows) my computer hangs, i.e perpetual sand timer and nothing works except ctrl alt delete and I have to restart.

After clicking Restart, either "ending pccguide.exe or ending explorer.exe" windows pops up and I have to press "end now" before it will restart.

If I don't open any XP windows, everything seems to work fine.
Any idea how to fix this?

You're very welcome

Happy surfing

steam

Merged post seven to this thread

steamwiz will continue with you vincent1

Thanks Lonny :wink::

vincent1 ... It's not unusual to receive an "ending process" box for an application, when shutting down windows .. it shouldn't happen, but it sometimes does, this is because the application has not been properly released from memory...in fact it's "stuck" in memory...

pccguide.exe is part of your Trend Micro\Internet Security 2005 program (don't ask me exactly what is does)

explorer.exe is your windows shell, desktop, taskbar etc,

First I'd like you to post a new hijackthis log...

Did you delete this file C:\WINDOWS\system32\ksnhb.dll like I asked you too ?

It's OK if you did (it's malware) but the dll may still be in memory and causing the problem...

It's also possible you have new malware attached to explorer.exe

steam

Hi

Please do this for me as well...

Please download & run blacklight Rootkit diagnostic tool from :-

http://www.f-secure.com/blacklight/try.shtml

click I ACCEPT

click download > save it to your desktop

then ...

1. Double-click blbeta.exe

2. Accept the agreement > click next

3. click scan

4. A list of all items found will be displayed, or it will say "No hidden items found"

if anything is found do NOT elect to rename or clean anything, as legitimate entries could be found - click close

5. if you see "No hidden items found" click next then exit

On your desktop you will now see a log file, it will look something like this fsbl-20060105183235.log

6. open the log file and paste the contents into a post here... (if the log is too large to paste, then please attach it)

steam

Hi Steam,

Thank you for your response. Ran the diagnostic and log duly posted:

05/14/06 22:16:33 [Info]: BlackLight Engine 1.0.36 initialized
05/14/06 22:16:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/14/06 22:16:33 [Note]: 7019 4
05/14/06 22:16:33 [Note]: 7005 0
05/14/06 22:17:01 [Note]: 7006 0
05/14/06 22:17:01 [Note]: 7011 128
05/14/06 22:17:02 [Note]: 7026 0
05/14/06 22:17:02 [Note]: 7026 0
05/14/06 22:17:09 [Note]: FSRAW library version 1.7.1015
05/14/06 22:17:30 [Info]: Hidden file: c:\Program Files\CyberLink DVD Solution\PowerDVD\cltest.exe
05/14/06 22:17:30 [Note]: 10002 1
05/14/06 22:18:31 [Info]: Hidden file: c:\WINDOWS\system32\cssjc.exe
05/14/06 22:18:31 [Note]: 7002 32
05/14/06 22:18:31 [Note]: 7003 1
05/14/06 22:18:31 [Note]: 10002 1
05/14/06 22:18:32 [Info]: Hidden file: c:\WINDOWS\system32\favset.exe
05/14/06 22:18:32 [Note]: 10002 1
05/14/06 22:18:33 [Info]: Hidden file: c:\WINDOWS\system32\filesafer23.exe
05/14/06 22:18:33 [Note]: 10002 1
05/14/06 22:18:33 [Info]: Hidden file: c:\WINDOWS\system32\howiper.exe
05/14/06 22:18:33 [Note]: 10002 1
05/14/06 22:18:36 [Info]: Hidden file: c:\WINDOWS\system32\pppcgm.exe
05/14/06 22:18:36 [Note]: 10002 1
05/14/06 22:18:38 [Info]: Hidden file: c:\WINDOWS\system32\sphlp32.exe
05/14/06 22:18:38 [Note]: 10002 1
05/14/06 22:18:39 [Info]: Hidden file: c:\WINDOWS\system32\dmqrg.exe
05/14/06 22:18:39 [Note]: 7002 32
05/14/06 22:18:39 [Note]: 7003 1
05/14/06 22:18:39 [Note]: 10002 1
05/14/06 22:19:20 [Info]: Hidden file: c:\WINDOWS\system32\wbem\wbemtest.exe
05/14/06 22:19:20 [Note]: 10002 1
05/14/06 22:21:04 [Note]: 7007 0

Thanks and regards,
Vincent1

HI

1. Download Pocket KillBox .. http://www.help2go.com/modules.php?name=Forums&file=download&id=378 (unzip to the desktop)

2. Run the Killbox.exe file

check the box "Delete on Reboot"

copy and paste the following bold lines into the "Full Path of File to Delete" box in Killbox (one at a time) ...after each

one,click the red button with the white X on it.

Say yes to "delete on reboot" and NO to reboot now, untill you have entered ALL the files, then say "yes" to

reboot now...

c:\WINDOWS\system32\cssjc.exe
c:\WINDOWS\system32\favset.exe
c:\WINDOWS\system32\filesafer23.exe
c:\WINDOWS\system32\howiper.exe
c:\WINDOWS\system32\pppcgm.exe
c:\WINDOWS\system32\sphlp32.exe
c:\WINDOWS\system32\dmqrg.exe

Let it reboot - If you get a PendingOperations message (reboot manualy) ...

THEN...

Print out these instructions for reference, since you will have to restart your computer during the fix.

1. Please download FixWareout from one of these sites:-

http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

2. Save it to your desktop and run it.

3. Click Next > then Install > then make sure "Run fixit" is checked and click Finish.

4. The fix will begin, follow the prompts.

5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load this is

normal.

6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch. Please Close HijackThis,

and click OK to proceed.

At the end of the fix, you may need to restart your computer again, restart if prompted.

Finally, please post the contents of :-

C:\fixwareout\report.txt
A new HijackThis log.

steam

HI Steamwiz,

I did as instructed until Run Fix it for Fixwareout, the programme did not ask to reboot after that and this is the report that came out immediately:

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,52,4e,42,4f,56,44,44,2e,44,4c,4c,00,00
.....
End vxd check
.....
please post this at the forum


Kindly advise.

some of my Google search results are still being diverted to elsewhere when clicked. So something must still be active.

Diverted to places like:
http://www.casinocaesar.com/
http://oldhetaira.com/books.cfm?nft=1&t=4&p=4

Thanks for your assistance.

HI vincent

Please go here :-

http://www.tech-forums.net/computer/topic/29806.html

Download the appropriate exe file for your Operating system... doubleclick on the exe file you downloaded and it will replace the file...

Then please follow the instructions for running FixWareout again...

cheers

steam

Hello Steamwiz,

Done as instructed.

Regards,
Vincent.

Reports below:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xammd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmmax.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSUYU.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSUYU.EXE 51,262 2006-05-09
C:\WINDOWS\SYSTEM32\DMMAX.EXE 44,045 2004-08-04



Logfile of HijackThis v1.99.1
Scan saved at 12:25:48 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

HI

Note these files found by fixwareout :-

C:\WINDOWS\SYSTEM32\CSUYU.EXE 51,262 2006-05-09
C:\WINDOWS\SYSTEM32\DMMAX.EXE 44,045 2004-08-04

The first is abviously a bad file..

Look at the date the second one was created, it looks like it's been on your computer for nearly 2 years...

I want you to get the second file scanned (it's almost certainly malware, but maybe not associated with this infection)

& while you're at it, you may as well scan the first one as well, then we can compare the results...

Please go here :-

http://virusscan.jotti.org/

Upload this file from your computer :-

C:\WINDOWS\SYSTEM32\CSUYU.EXE

copy & paste the above bold line into the "File to upload and scan" box...

or click the browse button and browse to the file on your computer...

Then click the submit button

Then do the same with this :-

C:\WINDOWS\SYSTEM32\DMMAX.EXE


Post back the results

cheers

steam

HI Steamwiz,

Run scan on dmmax.exe and uploaded image file. Jotti went offline before I could scan csuyu.exe. Will post this when jotti comes online again.

Thanks.

have scanned csuyu and results posted: