View Full Version : cmdservice and others
Burpstein
2006-03-18, 22:28
Hello, for the past week my computer has been swamped with malware. Popups appear out of nowhere, and Ctrl-Alt-Delete does not bring up the task manager. I have tried various free spyware/adware removal programs, but I am unable to remove cmdservice, and the other ones keep coming back after I remove them.
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:12:30 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\system32\dgfgql.exe
C:\mousepad2.exe
C:\WINDOWS\system32\klsx9e.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\WINDOWS\system32\twinprag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Documents and Settings\Lee\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\\keyboard2.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe
O4 - HKLM\..\Run: [newname] C:\\newname2.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinprag.exe CORN001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinprag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qodsregr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSMND1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {87618698-C571-45E8-9DB6-BE51757E19C0} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {8E31A4E1-ADF0-43B1-AF16-2033ECAB7061} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {E5535229-420A-4FCF-9546-5D26300D3EDD} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/Lycos/Sidesearch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\h0l20a3oed.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
steamwiz
2006-03-19, 01:12
HI
please download and run Look2Me-Destroyer by Atribune
Follow the instructions here :-
http://www.atribune.org/content/view/28/
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
cheers
steam
Burpstein
2006-03-19, 15:23
Ok, here is the Look2Me-Destroyer file:
Look2Me-Destroyer V1.0.11
Scanning for infected files.....
Scan started at 3/19/2006 8:47:03 AM
Infected! C:\WINDOWS\system32\i060lajm1doa.dll
Infected! C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420830.dll
Infected! C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420831.dll
Infected! C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0420858.dll
Infected! C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423869.dll
Infected! C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423874.dll
Infected! C:\WINDOWS\system32\brhci.dll
Infected! C:\WINDOWS\system32\fp0203doe.dll
Infected! C:\WINDOWS\system32\i060lajm1doa.dll
Infected! C:\WINDOWS\system32\jtlo0733e.dll
Infected! C:\WINDOWS\system32\kddgae.dll
Infected! C:\WINDOWS\system32\kedfc.dll
Infected! C:\WINDOWS\system32\lv0m09d1e.dll
Infected! C:\WINDOWS\system32\mgiavi32.dll
Infected! C:\WINDOWS\system32\mvlul9391.dll
Infected! C:\WINDOWS\system32\nxmssvc.dll
Infected! C:\WINDOWS\system32\pApgasvc.dll
Infected! C:\WINDOWS\system32\trflog.dll
Infected! C:\WINDOWS\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\i060lajm1doa.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420830.dll
C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420830.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420831.dll
C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1158\A0420831.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0420858.dll
C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0420858.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423869.dll
C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423869.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423874.dll
C:\System Volume Information\_restore{761596A8-B5E4-496E-8201-F971A1F3C1E7}\RP1160\A0423874.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\brhci.dll
C:\WINDOWS\system32\brhci.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\fp0203doe.dll
C:\WINDOWS\system32\fp0203doe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\i060lajm1doa.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\jtlo0733e.dll
C:\WINDOWS\system32\jtlo0733e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\kddgae.dll
C:\WINDOWS\system32\kddgae.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\kedfc.dll
C:\WINDOWS\system32\kedfc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\lv0m09d1e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mgiavi32.dll
C:\WINDOWS\system32\mgiavi32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mvlul9391.dll
C:\WINDOWS\system32\mvlul9391.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\nxmssvc.dll
C:\WINDOWS\system32\nxmssvc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\pApgasvc.dll
C:\WINDOWS\system32\pApgasvc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\trflog.dll
C:\WINDOWS\system32\trflog.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8436F0E4-36C3-4357-9C4C-26FD75068C83}"
HKCR\Clsid\{8436F0E4-36C3-4357-9C4C-26FD75068C83}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B9192987-8D5D-47F1-843B-AC2A5D5409C1}"
HKCR\Clsid\{B9192987-8D5D-47F1-843B-AC2A5D5409C1}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{897BAF75-D9F4-46FD-A921-D38282E7C0F5}"
HKCR\Clsid\{897BAF75-D9F4-46FD-A921-D38282E7C0F5}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1A4C9928-74B9-4694-9C2B-B17F063A45C6}"
HKCR\Clsid\{1A4C9928-74B9-4694-9C2B-B17F063A45C6}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{86A8B8E9-A48E-46B9-8304-FE554E22727F}"
HKCR\Clsid\{86A8B8E9-A48E-46B9-8304-FE554E22727F}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
And the new HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 9:15:07 AM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\bmlpovb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\system32\dgfgql.exe
C:\windows\mousepad3.exe
C:\WINDOWS\system32\klsx9e.exe
C:\WINDOWS\system32\twinprag.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\bmlpovbA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Documents and Settings\Lee\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgiay.exe
F2 - REG:system.ini: UserInit=userinit.exe,ubodjwi.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard3.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname3.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinprag.exe CORN001
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [bmlpovbA] C:\WINDOWS\bmlpovbA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinprag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qodsregr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSMND1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {87618698-C571-45E8-9DB6-BE51757E19C0} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {8E31A4E1-ADF0-43B1-AF16-2033ECAB7061} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {E5535229-420A-4FCF-9546-5D26300D3EDD} - http://www.comcast.net (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/Lycos/Sidesearch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bmlpovb.exe
steamwiz
2006-03-19, 20:51
HI
Please download and run these :-
Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your passward when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
THEN........
Download ewido security suite (http://www.ewido.net/en/download/)install, update and run it.
Please set up as :-
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. You may need to manually update the definitions which you can get HERE (http://www.ewido.net/en/download/updates/)
6. Exit Ewido. DO NOT scan yet.
Boot into safemode...and scan with Ewido
7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.
Important - You need to click "Save report" and Save it to your desktop, or you wont have a log
reboot
post a new hijackthis log + the ewido log
cheers
steam
Burpstein
2006-03-22, 00:41
Ok, here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:35:46 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\LQ\command.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\mousepad4.exe
C:\WINDOWS\bmlpovbA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms05261254878.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\windows\system32\qodsregr.exe
C:\WINDOWS\system32\wintask.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\twinprag.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Flock\flock\flock.exe
C:\Documents and Settings\Burp\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgiay.exe
F2 - REG:system.ini: UserInit=userinit.exe,ubodjwi.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\tbu02640\TOOLBA~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [bmlpovbA] C:\WINDOWS\bmlpovbA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [59WV] C:\windows\eee2.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinprag.exe CORN001
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys01487826125] C:\WINDOWS\sys01487826125.exe
O4 - HKLM\..\Run: [ms05261254878] C:\WINDOWS\ms05261254878.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{5C-C2-21-14-ZN}] C:\windows\system32\qodsregr.exe CORN001
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinprag.exe
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\instant messenger\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {49949780-79A3-462A-9C49-80AC94FB793E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {4B2AF492-A636-48FE-BD23-C88E8E6E23D5} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {F75EE9CB-1322-4170-BDCA-7C60342BB71D} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/Lycos/Sidesearch.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\vcrsion.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\LQ\command.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bmlpovb.exe
The ewido log is too long to post. Is there some other way I can get it to you?
steamwiz
2006-03-24, 23:06
Hi
Sorry for the late reply ... each log you post has more infections than the previous one, despite you running malware removal programs, I have no doubt you log has changed even more for the worse...
If you still require assistance...
Please do this :-
First go to add/remove programs in the Control panel and uninstall new.net or newdot
(it could be either New.net Application or New.net Domains)
Then uninstall Webhancer
REBOOT...
1. You still have a VX2 infection, so run the Look2Me-Destroyer again ... save & post the log...
---
then do this :-
1. Go to C:\ and create a new folder, call it BFU
2. So that you have c:\BFU
3. Download Brute Force Uninstaller. By Merijn author of Hijackthis.
http://www.merijn.org/files/bfu.zip
4. Unzip it to the folder you created (c:\BFU)
So that you now have c:\BFU\BFU.exe
Doubleclick on BFU.exe, Click the round green icon (open script URL)
copy then paste in the following bold line into the "Scriptfile to download" box :-
http://metallica.geekstogo.com/p2pnetwork.bfu
Press execute and let it do it’s job.
Wait for the completed script execution box to pop-up and press OK.
If the script is really executed you should have seen a progress bar.
click "save"
IN "filename" enter "log.txt"
Click "save"
The log.txt will be in the C:\BFU\ folder ...
click exit to exit the BFU program.
Please Copy & Paste the text from the file into your next post here
---
Run ewidoagain in safemode... this time allow it to delete all it finds (unless you are certain an entry is safe to leave)
Save the log again...
You can e-mail both of the ewido logs to me here :- (zip them first)
steamwizAThelp2go.com ... replace AT with @
---
THEN...
Do a free on-line virus scan here :-
Panda Activescan (http://www.pandasoftware.com/activescan/)<<<< click here
and here :-
Houscall (http://housecall.trendmicro.com/)<<<< click here
Do both scans <<< Important
Delete all infected files found ... if houscall lists them as uncleanable ... click the "delete" button.
---
THEN...
Run Spybot and Adaware again...
---
THEN...
Run hijackthis again and post a new log + all the other logs I have asked for...
I realise this is a lot at once, but if we continue to do it a bit at a time, we are not going to get on top of it.
cheers
steam
Due to lack of a response this topic will be archived.