mr.findalot and cmd service help needed!



jaimerd
2006-08-27, 22:23
Hi, like many others I am having a heck of a time with this command service! When trying to open a page, I am often redirected to this mr.findalot. Don't know much at all about computers but here is my hjt log file. Any help will be greatly appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 12:19:51 PM, on 8/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\dfndred_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\hkwpsbwA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cvn0.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\n9nyb.exe
C:\WINDOWS\System32\ghynf.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [hkwpsbwA] C:\WINDOWS\hkwpsbwA.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\fn0021dmg.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

pskelley
2006-08-29, 03:25
Welcome to the forum. If you still need help and are not receiving it elsewhere, you need to know that you have a badly infected computer on your hands. I can see three major infections, and I need to suggest that you keep the computer offline as much as possible; this junk will attract more. If this works for you, we will start with this infection.
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\fn0021dmg.dll
Winlogon Notify (Uninstall, URL, WebCheck, WindowsUpdate, SharedDLLs, MCD, FS Templates) with a random-named dll in the System32 folder: variant of Adware.Look2Me

Thanks to Atribune and any others who helped with this fix.

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Make sure you restart the computer and then post the two logs bolded above along with any comments you think will help.

Thanks
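The O20, F2 and O15 entries pskelley reads first in the log above are the kind of lines a helper triages before anything else. As an added example that is not from this thread or from any of the tools it names, the following Python scans HijackThis v1.99.1 lines for those entry types; its heuristics (extra programs on Shell=/UserInit=, rundll32 with a bare DLL name, autoruns in the drive root, search URLs on non-Microsoft hosts, any Trusted Zone or Winlogon Notify entry) and the choice of sample lines quoted from the first log are the example's own assumptions, and it flags entries for review rather than naming malware.

```python
"""Triage of HijackThis v1.99.1 log lines (added example for this thread; not part of
HijackThis, Look2Me-Destroyer or any poster's instructions). The heuristics are this
example's own assumptions about which entries a helper reads first: they flag entries
for review and do not classify anything as malware."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Every HijackThis finding has the shape "<section> - <body>".
_LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [name] command line"
_RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
# A program sitting directly in the drive root, e.g. C:\file.exe or C:\\file.exe
_ROOT_EXE_RE = re.compile(r"^[a-z]:\\+[^\\]+$", re.I)
# Default programs for the two system.ini keys HijackThis reports as F2 entries.
_EXPECTED_F2 = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# Hosts IE's default SearchAssistant/CustomizeSearch URLs point at (assumption).
_DEFAULT_SEARCH_HOSTS = ("microsoft.com", "msn.com")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def _first_program(cmd: str) -> str:
    """Return the program part of a Run value, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Return the log entries a helper would review first, in log order."""
    out: list[Finding] = []
    for raw in log_text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        sec, body = m.group("sec"), m.group("body")

        if sec == "F2":
            # Anything appended to Shell= or UserInit= starts at every logon.
            key, _, value = body.partition("=")
            name = key.rsplit(":", 1)[-1].strip().lower()
            expected = _EXPECTED_F2.get(name)
            for prog in (p.strip() for p in value.split(",") if p.strip()):
                if expected and _basename(prog) != expected:
                    out.append(Finding(sec, f"{name}= launches extra program {prog}", raw))

        elif sec == "O4":
            run = _RUN_RE.search(body)
            if not run:
                continue
            prog = _first_program(run.group("cmd"))
            if _basename(prog).startswith("rundll32"):
                # rundll32 <dll>,<entry>: a bare DLL name is resolved via the search path.
                args = run.group("cmd").split(None, 1)
                dll = args[1].split(",")[0].strip() if len(args) > 1 else ""
                if dll and "\\" not in dll:
                    out.append(Finding(sec, f"rundll32 loads DLL by bare name {dll}", raw))
            elif _ROOT_EXE_RE.match(prog):
                out.append(Finding(sec, f"autorun executable in drive root: {prog}", raw))

        elif sec == "O15":
            out.append(Finding(sec, "site in IE Trusted Zone runs with relaxed security", raw))

        elif sec == "O20" and "Winlogon Notify" in body:
            out.append(Finding(sec, "DLL loaded into winlogon.exe at every logon", raw))

        elif sec == "R0" and ("SearchAssistant" in body or "CustomizeSearch" in body):
            host = urlsplit(body.split("=", 1)[-1].strip()).hostname or ""
            if not host.endswith(_DEFAULT_SEARCH_HOSTS):
                out.append(Finding(sec, f"IE search redirected to {host}", raw))
    return out


# Lines quoted from the thread's first log, plus two clean entries for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\fn0021dmg.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.reason}\n     {f.line}")
```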

jaimerd
2006-08-29, 08:49
Thank you for your help! I have done what you suggested and here are my new logs. Unfortunately, I do not know how to access the Look2me log. I did run it and deleted stuff, but I do not remember what was deleted! I am so sorry! I am pretty inept when it comes to this kind of thing. Jaime
Logfile of HijackThis v1.99.1
Scan saved at 10:44:32 PM, on 8/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\dfndred_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\hkwpsbwA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [hkwpsbwA] C:\WINDOWS\hkwpsbwA.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

pskelley
2006-08-29, 13:43
Good Morning Jaime:) It is so important when dealing with complex instructions that you take your time, read and understand the instructions and follow them to the letter. This file: C:\Look2Me-Destroyer.txt should be in the folder where you placed Look2me-Destroyer. Please look in that folder and post that file. It is important that I see that information, thanks.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN or OuterInfo, while there look at the programs and uninstall any you know do not belong there. If you are unsure, let me know and I will look. If you do not see any of those then download and run this uninstaller:
http://www.outerinfo.com/howto.html

Thanks to Metallica and anyone else who helped with this fix.

3) 1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the Scriptline to execute field, click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

Thanks

jaimerd
2006-08-29, 17:38
When I did this last night I did not see any log from Look2Me. This morning I tried the whole thing again and one popped up on my desktop so I ran Hijack This again and here are the logs. I will try your other suggestions when I get home tonight. Again, thank you so much for your help as this has been driving me completely insane! Jaime

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/29/2006 7:01:08 AM

Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050624.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050625.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050626.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050627.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050628.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050629.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050630.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050631.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050632.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050633.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050634.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050635.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050636.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050637.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050638.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050639.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050640.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050641.dll
Infected! C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050642.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050624.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050624.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050625.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050625.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050626.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050626.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050627.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050627.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050628.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050628.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050629.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050629.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050630.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050630.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050631.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050631.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050632.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050632.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050633.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050633.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050634.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050634.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050635.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050635.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050636.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050636.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050637.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050637.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050638.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050638.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050639.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050639.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050640.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050640.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050641.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050641.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050642.dll
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP86\A0050642.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 7:32:45 AM, on 8/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\dfndred_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\hkwpsbwA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [hkwpsbwA] C:\WINDOWS\hkwpsbwA.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
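
The log above shows the patterns a helper reads for first: `F2` Shell/UserInit values with extra programs appended, `O4` Run entries that load a DLL through RUNDLL32 by bare file name, executables parked in the drive root, a hijacked Search provider, and sites added to the IE Trusted Zone. The script below is an added triage example, not part of the original thread or of HijackThis; its sample lines are constructed copies of entries from the posted log, and the baseline values (Explorer.exe, Userinit.exe, the Microsoft/MSN search hosts) are assumptions of a clean Windows XP install.

```python
"""Flag common hijack patterns in HijackThis 1.99.1 log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied in shape from the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Assumed clean-system baselines (Windows XP defaults, not taken from the log).
SHELL_DEFAULT = "explorer.exe"
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
SEARCH_DEFAULT_HOSTS = ("microsoft.com", "msn.com")

O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)")
RUNDLL_RE = re.compile(r'"?rundll32(?:\.exe)?"?\s+("?)([^\s,"]+)\1,')
ROOT_EXE_RE = re.compile(r'"?[a-z]:\\{1,2}[^\\]+\.exe')


def check_search(line):
    """R0/R1 Search entries pointing anywhere but the assumed default hosts."""
    m = re.match(r"R[01] - HK\w+\\Software\\Microsoft\\Internet Explorer\\Search,(\w+) = (\S+)", line)
    if not m:
        return None
    key, url = m.groups()
    host = urlparse(url).hostname or ""
    if not any(host == h or host.endswith("." + h) for h in SEARCH_DEFAULT_HOSTS):
        return (line[:2], f"{key} points at non-default host {host}", line)
    return None


def check_f2(line):
    """system.ini Shell/UserInit are comma-separated program lists; anything
    beyond the single default program is launched at every logon."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
    if not m:
        return None
    key, value = m.groups()
    cmds = [c.strip().lower() for c in value.split(",") if c.strip()]
    default = SHELL_DEFAULT if key == "Shell" else USERINIT_DEFAULT
    extras = [c for c in cmds if c != default]
    if extras:
        return ("F2", f"{key} launches extra program(s): {', '.join(extras)}", line)
    return None


def check_o4(line):
    """Run-key entries: RUNDLL32 loading a DLL by bare name (resolved via the
    search path, not a fixed location) or an executable sitting in the drive root."""
    m = O4_RE.match(line)
    if not m:
        return None
    _hive, name, cmd = m.groups()
    lc = cmd.lower()
    rm = RUNDLL_RE.match(lc)
    if rm and "\\" not in rm.group(2):
        return ("O4", f"[{name}] RUNDLL32 loads DLL by bare name: {rm.group(2)}", line)
    if ROOT_EXE_RE.match(lc):
        return ("O4", f"[{name}] runs an executable from the drive root", line)
    return None


def check_o15(line):
    """Any site added to the IE Trusted Zone gets relaxed security settings."""
    m = re.match(r"O15 - Trusted Zone: (.*)", line)
    if m:
        return ("O15", f"site added to IE Trusted Zone: {m.group(1)}", line)
    return None


CHECKS = (check_search, check_f2, check_o4, check_o15)


def triage(log_text):
    """Return (section, reason, line) for every line that trips a check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```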

pskelley
2006-08-29, 21:03
OK, and thanks for the feedback. As you can see, your System Restore (C:\System Volume Information\_restore) is badly infected; we will clean that out before we are done. Looks like the tool removed Look2Me. That next step is not a "suggestion", it is a standard fix for the malware you have, and we still have a Qoologic trojan to look at. Remember to stay offline with the computer except when you are troubleshooting the problem, or you are very likely to pick up additional infections.

Thanks

jaimerd
2006-08-30, 07:37
Here are the ewido report and a new HijackThis log. I am not allowed to send this in one reply, so I am going to have to break up the ewido report into two messages. I also wanted to mention that every time I turn on my computer I get a message that w0cfd998.dll and w0cf4249.dll were unable to open. I'm not really sure what these are. Thanks again, Jaime

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:12:34 PM 8/29/2006

+ Scan result:



C:\WINDOWS\system32\nfcflpmj.dll -> Adware.Agent : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1037.fr4779 -> Adware.Apropos : No action taken.
C:\WINDOWS\system32\nodeipproc.dll -> Adware.BHO : No action taken.
C:\WINDOWS\system32\utadaa6b.dll -> Adware.IEHelper : No action taken.
C:\Documents and Settings\Stephanie\Application Data\wtta.exe -> Adware.PurityScan : No action taken.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : No action taken.
C:\WINDOWS\System32bez6n4r21.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\System32ghynf.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\cvn0.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\system32\ghynf.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\System32n9nyb.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : No action taken.
C:\WINDOWS\system32\ddabxvv.dll -> Downloader.Agent.anm : No action taken.
C:\WINDOWS\system32\ddayayy.dll -> Downloader.Agent.anm : No action taken.
C:\WINDOWS\system32\pmkhebb.dll -> Downloader.Agent.anm : No action taken.
C:\WINDOWS\system32\comtUI.dll -> Downloader.ConHook.aa : No action taken.
C:\WINDOWS\lt.exe -> Downloader.Small.ajc : No action taken.
C:\WINDOWS\unin101.exe -> Downloader.VB.tw : No action taken.
C:\WINDOWS\system32\jkhff.exe -> Dropper.Agent.amr : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx -> Dropper.PurityScan.ae : No action taken.
C:\WINDOWS\bundles\SSK_B5.EXE -> Dropper.SurfSide.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5BMCKILK\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ERWVYH\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HAD8OVW\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[10].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[11].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9G7ZF5KC\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AT22ZHO3\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AT22ZHO3\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[10].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[11].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AXTIRQLO\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E9UPY7W1\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[10].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GEXHTBQ4\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L10FYDC1\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L10FYDC1\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L10FYDC1\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LBJB1TWE\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LBJB1TWE\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LBJB1TWE\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[12].php -> Hijacker.Agent.a : No action taken.

jaimerd
2006-08-30, 07:38
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKD4TZUU\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NIOR31G1\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OJHR6YV5\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[10].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPT2JYLO\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHIHSLE7\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHIHSLE7\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHIHSLE7\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UHIHSLE7\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W7TVQE3T\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X37V150E\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z7HUQAVJ\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[1].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[2].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[3].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[4].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[5].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[6].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[7].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[8].php -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZEG3J1CX\popup[9].php -> Hijacker.Agent.a : No action taken.
C:\WINDOWS\Helper101.dll -> Hijacker.Delf.r : No action taken.
C:\Program Files\MSN Gaming Zone\meje.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\Online Services\pololibu.html -> Hijacker.Small.jf : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YWHBVQTR\WinAntiVirusPro2006ScannerInstall[1].cab/UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : No action taken.

jaimerd
2006-08-30, 07:47
C:\Documents and Settings\Default User\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@coxhsi.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@www.adtrak[2].txt -> TrackingCookie.Adtrak : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt -> TrackingCookie.Findwhat : No action taken.
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[2].txt -> TrackingCookie.Hitslink : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@targetnet[1].txt -> TrackingCookie.Targetnet : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@c5.zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\WINDOWS\system32\redist.dll -> Trojan.Agent.sx : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1018.fr529F -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1024.fr1051 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1042.fr5836 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1070.frBB31 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1072.frBDEA -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1089.frD201 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1090.frD229 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc947.fr4BB2 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc979.fr9D87 -> Trojan.Pakes : No action taken.
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc990.fr37F7 -> Trojan.Pakes : No action taken.
C:\WINDOWS\system32\nr1rnqm8.exe -> Trojan.Runner.j : No action taken.
C:\WINDOWS\CCZoop05.exe -> Trojan.VB.tg : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : No action taken.


::Report end

jaimerd
2006-08-30, 07:49
Sorry that it is in so many pieces! I hope that you can make sense of it and help me! Jaime

Logfile of HijackThis v1.99.1
Scan saved at 9:47:43 PM, on 8/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

pskelley
2006-08-30, 13:40
Jaime :( when you ran ewido you chose "no action taken", taking no action when bad stuff was located. Please run it again and this time delete what it finds unless you know it is not bad. I do not need to see TrackingCookies or C:\RECYCLER\ so you may edit them out before posting the log. Just make sure you delete those cookies this time. You can also open the recycle bin and delete the contents.

I will also need to see a new HJT log AFTER you have run ewido and rebooted.

Thanks

jaimerd
2006-08-31, 04:11
Well, now I remember why I never deal with the computer...I am completely clueless when it comes to this stuff! Thank you for your incredible patience. Here is the new log. Thanks, Jaime
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:06:37 PM 8/30/2006

+ Scan result:



C:\WINDOWS\system32\nfcflpmj.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1697684330-1914380842-3422009625-500\Dc1037.fr4779 -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nodeipproc.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\system32\utadaa6b.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\Documents and Settings\Stephanie\Application Data\wtta.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddabxvv.dll -> Downloader.Agent.anm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddayayy.dll -> Downloader.Agent.anm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmkhebb.dll -> Downloader.Agent.anm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\comtUI.dll -> Downloader.ConHook.aa : Cleaned with backup (quarantined).
C:\WINDOWS\lt.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\WINDOWS\unin101.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jkhff.exe -> Dropper.Agent.amr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx -> Dropper.PurityScan.ae : Cleaned with backup (quarantined).
C:\WINDOWS\bundles\SSK_B5.EXE -> Dropper.SurfSide.a : Cleaned with backup (quarantined).
C:\WINDOWS\Helper101.dll -> Hijacker.Delf.r : Cleaned with backup (quarantined).
C:\Program Files\MSN Gaming Zone\meje.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Online Services\pololibu.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
::Report end

jaimerd
2006-08-31, 04:12
Here is the new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 6:11:28 PM, on 8/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

jaimerd
2006-08-31, 04:22
Ummm...sorry again! Ignore that last HijackThis log. This is the correct one. Jaime

jaimerd
2006-08-31, 04:23
Logfile of HijackThis v1.99.1
Scan saved at 6:20:05 PM, on 8/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

pskelley
2006-08-31, 13:45
Thanks, that ewido scan looked a lot better:bigthumb: When you post something you want to remove, just hit the edit key at the bottom, remove the unwanted information and edit in what you wanted.

Please read the instructions and follow them carefully.

C:\Program Files\Java\j2re1.4.2_03\ <<< Java is badly out of date and can get you infected. Read this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) First disable Ewido, as it might be trying to interfere with changes we must make.
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [w0cfd998.dll] RUNDLL32.EXE w0cfd998.dll,I2 001daa6a00cfd998
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [egotrm] C:\WINDOWS\System32\fokcso.exe reg_run
O4 - HKCU\..\Run: [bdvvt] C:\WINDOWS\System32\fokcso.exe reg_run
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\xload.exe <<< file

C:\WINDOWS\System32\fokcso.exe <<< file

C:\WINDOWS\System32\gtikdtt.exe <<< file

C:\WINDOWS\System32\mptft.exe <<< file

C:\WINDOWS\System32\uxbgs.exe <<< file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post a new HJT log, the uninstall list and any comments you think will help.

Thanks:)
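
As an added illustration (not part of this thread, and not code from the HijackThis tool or its author), the following Python script does by machine the kind of triage the helper did by hand in step 4: it parses HijackThis item lines and flags the system.ini Shell= and UserInit= additions, a search or start page URL whose host is outside an assumed allowlist, Run entries that load a DLL by bare name through rundll32, sites added to the Trusted Zone, and a MIME filter with no backing file. The sample log lines are constructed from entries quoted in this thread; the KNOWN_GOOD_HOSTS allowlist and the rule set are assumptions for the example, not HijackThis logic.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of item lines copied from the HijackThis logs quoted
# in this thread, plus benign lines for contrast. Not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\uxbgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,gtikdtt.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [utadaa6b] RUNDLL32.EXE w0cf4249.dll,n 001daa6a000000030cf4249
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption for this example: hosts a start page or search URL may legitimately point
# at on this particular machine (the OEM portal seen in the log). Anything else is flagged.
KNOWN_GOOD_HOSTS = {"qus10.hpwis.com", "www.google.com", "www.microsoft.com"}

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_items(log_text):
    """Yield (section, body) for each HijackThis item line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _comma_list(value):
    """Split a system.ini style comma list, lower-cased and trimmed."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def triage(log_text):
    """Return a list of (section, reason) for item lines that warrant a closer look."""
    findings = []
    for section, body in parse_items(log_text):
        if section == "F2" and "Shell=" in body:
            # Windows runs every program on the Shell= line at logon, not just Explorer.
            extra = [e for e in _comma_list(body.split("Shell=", 1)[1]) if e != "explorer.exe"]
            if extra:
                findings.append((section, "extra Shell= entry: " + ", ".join(extra)))
        elif section == "F2" and "UserInit=" in body:
            extra = [e for e in _comma_list(body.split("UserInit=", 1)[1])
                     if not e.endswith("userinit.exe")]
            if extra:
                findings.append((section, "extra UserInit= entry: " + ", ".join(extra)))
        elif section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            if value.lower().startswith("http"):
                host = (urlparse(value).hostname or "").lower()
                if host not in KNOWN_GOOD_HOSTS:
                    findings.append((section, "start/search page points at " + host))
        elif section == "O4" and "] " in body:
            command = body.split("] ", 1)[1]
            if command.lower().startswith("rundll32"):
                parts = command.split()
                dll = parts[1].split(",")[0] if len(parts) > 1 else ""
                if "\\" not in dll:
                    # A bare DLL name is resolved via the search path; no path means no
                    # easy way to tell which file actually runs at logon.
                    findings.append((section, "rundll32 loads DLL by bare name: " + dll))
        elif section == "O15":
            findings.append((section, "site added to Trusted Zone: " + body.split(": ", 1)[-1]))
        elif section == "O18" and "(no file)" in body:
            findings.append((section, "MIME filter registered with no backing file"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```

Run against the constructed sample, the script reports six items and leaves the OEM start page, the vendor Run entries and the O23 service alone; a real log would be pasted into SAMPLE_LOG or read from a file in place of it.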

jaimerd
2006-08-31, 18:19
I got up to the part in your last suggestion that asked me to locate and delete files from the Start>Explore menu. I am unable to find these files. I am sure that they are on my computer because I have seen uxbgs.exe many times. Please tell me how to locate and delete these. I tried searching. Thank you, Jaime

pskelley
2006-08-31, 18:59
If you followed all directions here: 1) How to make files and folders visible:
and you can't locate them, HJT may have removed them for you. Continue with the rest of the instructions. Thanks

jaimerd
2006-09-01, 04:48
Well, things are definitely starting to look better! I no longer am directed to mr.findalot when I go online. I tried again looking for the exe files that you told me to look for and was still unable to locate them. I am also not getting the notice that w0cfd998.dll and w0cf4249.dll are trying to open. A weird thing that is still happening is that all of my icons have red backgrounds and there are a couple of seconds after my screen saver comes on that the entire background is red. Here is my new HJT log and the uninstall list. Hope it looks better! Thanks again, Jaime
Logfile of HijackThis v1.99.1
Scan saved at 6:42:10 PM, on 8/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://orangecounty.cox.net/cci/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

jaimerd
2006-09-01, 04:49
Adobe Photoshop Album Starter Edition
Adobe Reader 7.0.8
Compaq Connections
Compaq Instant Support
Compaq Organize
Easy Internet Sign-up
ewido anti-spyware 4.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
Icons
Intel(R) Extreme Graphics 2 Driver
IntelliMover Data Transfer Demo
Internet Explorer Q832894
iTunes
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Flash Player 8
MediaTickets by OIN
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
MSN Music Assistant
MUSICMATCH® Jukebox
Norton Personal Firewall
NVIDIA GART Driver
Outlook Express Update Q330994
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
PopSubtract
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealOne Player
RecordNow!
SiteError Search
Sonic Update Manager
SpamSubtract
Spybot - Search & Destroy 1.4
Viewpoint Media Player (Remove Only)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB821431
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485
Windows XP Hotfix (SP2) Q817357
Yahoo! Companion
Zone Deluxe Games

pskelley
2006-09-01, 05:14
I see HJT is still on the Desktop: C:\Documents and Settings\Owner\Desktop\HijackThis.exe Please put it here: C:\HJT\HijackThis.exe for safety.

You want to check all security programs, this junk will corrupt the programs. Make sure they are working right or check with technical support about how to uninstall and download them again.

HJT is clean, so I am posting this information for you now:
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Your uninstall list:
Earlier when we were uninstalling PurityScan, this is one of the programs you were looking for:
MediaTickets by OIN <<< uninstall that junk quickly

Everything else looks ok as far as malware goes. I suggest you look at the list and if you see programs you no longer need or use, uninstall them. When we are done, make sure you give the computer a good maintenance cleaning, scan disk and defragmentation.

The Desktop, icons, etc. sounds like the settings have been changed, try these first:

1) Click Start, and then click Control Panel.
Double-click Display, click the Desktop tab, and then click Customize Desktop.
Select Restore Defaults.

2) Right-click on the desktop
Click on the Properties item
When the Properties dialog comes up click on the Web tab
If Show Web content on my Active Desktop is checked then click on the page in the box below and click the Delete button
Uncheck the checkbox in front of Show Web content on my Active Desktop
Click the Apply button and then the Ok button

Run the computer and let me have feedback in the morning. Make sure you run Spybot to see if the command.exe issue still exists; if so, let me know.

Thanks

jaimerd
2006-09-01, 08:20
Ok, I did the system restore thing, removed MediaTickets, and moved HJT to the file that you suggested. I then ran spybot after rebooting and sure enough Command Service is still there! It was the only thing found, so that is good, but still... I also fixed my icons which makes me much happier! That red made me think that bad things were happening! Let me know what you think I should do next. Thanks, Jaime

pskelley
2006-09-01, 13:09
Thanks for the feedback, let's do this:
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted!!
http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by double-clicking it and then double-click the ren-cmdservice.bat file to run the program.
A text file will open when it is finished. Please post it.
Then restart the PC, run Spybot, and check for and fix any problems found.

I would review all of the instructions in the various posts to make sure you completed everything, especially the links I posted in this last post, then don't get infected anymore.

Safe surfing...tashi:) will close the topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

jaimerd
2006-09-03, 19:22
Good morning! Thanks again for all of your help...I needed it! When trying to open the unzipped Ren-cmdservice I was unable. The page is not available. I do not know if it's my computer or something on their end. Can you please suggest another way to download it? Thanks, Jaime

pskelley
2006-09-03, 19:40
I apologize, I cannot open that link either and will let Lonny know. Please give this tool by Marckie a try.

Please download delcmdservice
http://users.telenet.be/marcvn/tools/delcmdservice.zip
and save it to your Desktop.
Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Thanks

jaimerd
2006-09-04, 00:40
I did what you last suggested and am still showing Command Service when spybot runs. I don't know if this is really a problem or if I should just live with it. Any other suggestions, or am I good to go? Thanks a million, Jaime

pskelley
2006-09-04, 00:55
Jaime, read those instructions carefully, it has to be run from the Desktop to work. If you did it correctly, then please wait until I hear back from Lonny. I PM'ed him earlier and as soon as he lets me know the site with his fix is up and running I will post that fact for you. And it is really not a problem, just leftovers from a poor removal by another removal tool; it can do you no harm.

Thanks:)

pskelley
2006-09-04, 03:37
Here you go, make sure to follow the instructions and let me know how it goes.

Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted!!

http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip

Open the ren-cmdservice folder by double-clicking it and then double-click the ren-cmdservice.bat file to run the program.
A text file will open when it is finished. Please post it.
Then restart the PC, run Spybot, and check for and fix any problems found.

Thanks

jaimerd
2006-09-05, 03:50
I think that I have finally gotten rid of everything!!! Here is the last post. Again, thank you so much! Jaime
Running from C:\Documents and Settings\Owner\Desktop\ren-cmdservice
No Image Path Listed in Registry

-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006

pskelley
2006-09-05, 03:55
Jaime, thanks for your hard work:bigthumb: and patience too, tashi:) may close this topic when time permits.

Phil

jaimerd
2006-09-05, 04:51
It is official! I ran Spybot and there was no Command service. I am also no longer being re-directed to other sites, there are no pop-ups, and my computer is running much closer to normal speed. I want to thank you one last time for all of your time and patience. I don't know thing one about computers but with your help I was able to get rid of these pesky things. Thank you so much, Jaime

tashi
2006-09-05, 19:15
Cheers. :bigthumb:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.