View Full Version : pt. 1 can't get rid of Smitfraud-C, DyFuCA, and Deskbar
I have Smitfraud-C, DyFuCA, and Deskbar and can't get rid of them. I followed the instructions for Smitfraud:SpyAxe, etc. and post the log below for the Smitfraud fix. The logs for ewido, and HJT will follow in other posts (too long). I will be very grateful for advice.
SmitFraudFix v2.83
Scan done at 22:50:11.56, Tue 09/05/2006
Run from C:\Documents and Settings\Owner\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
This is the first half of the ewido log. The second half and the HJT log will follow next ...
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:05:32 AM 9/6/2006
+ Scan result:
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/temp/msbb.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20041030133314859.zip/WINNT/180ax.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{10603F8F-07D0-1033-0817-020522200001}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Program Files/bullseye network/bin/bargains.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/WINNT/system32/apuc.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/temp/cdt_bbi8016.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20050305173943.zip/WINNT/system32/exdl.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20050305173943.zip/WINNT/system32/exul.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINNT\system32\BO2802040113.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINNT\system32\KVIF_11.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINNT\system32\Lycos.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINNT\system32\msbb321.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920232111390.zip/temp/lc.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Program Files/winad client/winclt.exe -> Adware.CaptainCode : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830200349.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830200402.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830200415.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830200430.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/WINNT/IA/asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/IA/asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/IA/command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340516.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340541.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340588.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340589.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINNT\IA\command.to_be_deleted -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINNT\system32\KVIF_11.exe -> Adware.EZula : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/WINNT/system32/ATPartners.dll -> Adware.F1Organizer : Cleaned with backup (quarantined).
C:\WINNT\system32\fckec980.dll -> Adware.F1Organizer : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/web_rebates/webrebates0.exe -> Adware.HelpExpress : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/CV6XGL4J/Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/WINNT/system32/dp3j.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/WINNT/system32/euentlog.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/OF8HMXOP/Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/dbkquoui.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/dunmodem.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/n0p40a7qed.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1000\A0341317.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1000\A0341323.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1000\A0341837.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341912.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341920.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340520.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340521.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340532.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340533.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340534.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340535.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340581.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340582.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340586.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340587.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340591.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340592.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340593.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340678.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340740.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340752.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340765.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340769.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340782.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340787.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340815.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340820.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340875.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340879.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340902.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340910.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340916.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340930.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341142.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341148.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341150.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341182.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341186.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341201.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341208.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341214.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341230.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341241.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341270.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341282.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341297.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\BB2802040113.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\PzePgHlp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\calbact.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\cyyptsvc.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\dn2801fue.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\fn4021hmg.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\hrr4059qe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\i4jq0e15eh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\i6420ghoe64c0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\irlol5331.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\midtclog.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\msdocs.to_be_deleted -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\myiole16.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\n44s0eh7eh4.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\nqlanui2.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\sforage.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[676] C:\WINNT\system32\wxhisn.dll -> Adware.Look2Me : Error during cleaning.
[752] C:\WINNT\system32\wxhisn.dll -> Adware.Look2Me : Error during cleaning.
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Error during cleaning.
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Error during cleaning.
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Error during cleaning.
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Error during cleaning.
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/Temp/BundleInstall.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/rk.bin -> Adware.RK : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/rlls.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831223301.zip/WINNT/system32/rlvknlg.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340594.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340595.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\WINNT\system32\KDP1b46.dll -> Adware.SafeGuard : Cleaned with backup (quarantined).
C:\WINNT\system32\KDP3a9d.dll -> Adware.SafeGuard : Cleaned with backup (quarantined).
C:\WINNT\system32\sfg_3bf8.dll -> Adware.SafeGuard : Cleaned with backup (quarantined).
C:\WINNT\system32\sfg_417d.dll -> Adware.SafeGuard : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Documents and Settings/Chingun/locals~1/temp/bundle.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20050902154739.zip/Program Files/vvsn/vvsn.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Program Files/toolbar888/MyToolBar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340509.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340556.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340804.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/WINNT/system32/repairs303169590.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340496.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340497.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340498.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340519.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Program Files/Common Files/owzo/owzod/owzoc.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
Okay, here is the remainder of the ewido log ...
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340537.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6D6DMNUT\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6D6DMNUT\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6D6DMNUT\ucmoreiex[1].exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Program Files/thesearchaccelerator/IUCmore.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Program Files/thesearchaccelerator/UCMTSAIE.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340503.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340506.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340805.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340805.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340805.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINNT\system32\BO2806040128.exe -> Adware.VirtualBouncer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webHancer/Programs/SET3C2.tmp -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webHancer/Programs/SET3C4.tmp -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webHancer/Programs/SET3C6.tmp -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webhancer/programs/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webhancer/programs/whSurvey.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/webhancer/programs/whiehlpr.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/whinstall/Webhdll.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/whinstall/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/whinstall/WhSurvey.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/whinstall/whInstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/Program Files/whinstall/whiehlpr.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/WINNT/lastgood/whInstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/WINNT/webhdll.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/WINNT/whInstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907174450937.zip/Documents and Settings/Chingun/Local Settings/Temporary Internet Files/Content.IE5/TLYZIGWL/whCC-MOTOR[1].exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907174450937.zip/WINNT/webhdll.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040912015127493.zip/WINNT/whCC-MOTOR.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINNT\prelimhanse.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/web_rebates/disp1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/web_rebates/webrebates1.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Documents and Settings/Chingun/Local Settings/Temp/djtopr1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Program Files/web_rebates/disp1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Program Files/web_rebates/webrebates0.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/Program Files/web_rebates/webrebates1.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920232111390.zip/WINNT/system32/WebRebates_Auto_InstallSilent.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/winad client/clientcom.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/winad client/winad.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRKXINQP\TIGEN001[1].exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831220330.zip/WINNT/system32/dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340579.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340897.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340899.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\TIGEN001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/C14TM3OT/AppWrap[1].exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340859.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP999\A0341205.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRKXINQP\dca[2].exe -> Downloader.Adload.aj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340553.exe -> Downloader.Adload.aj : Cleaned with backup (quarantined).
C:\dca.exe -> Downloader.Adload.aj : Cleaned with backup (quarantined).
C:\wear.exe -> Downloader.Adload.aj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340811.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/OF8HMXOP/nem220[1].dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/WINNT/nem220.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340515.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Program Files/internet optimizer/optimize.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340495.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340812.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\814.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CV6XGL4J\814[1].exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/common files/updater/delupdat.exe -> Downloader.Keenval : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/common files/updater/sui.exe -> Downloader.Keenval : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/common files/updater/wupdater.exe -> Downloader.Keenval : Cleaned with backup (quarantined).
C:\WINNT\system32\setup_incred_10.exe -> Downloader.Keenval : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920162649875.zip/Program Files/incred~1/bho/IncFindBHO.dll -> Downloader.Keenval.e : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRKXINQP\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340806.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340891.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP989\A0340373.pif -> Downloader.Small.dpl : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20041109231738812.zip/WINNT/system32/TVM_B5B1.exe -> Downloader.Small.wk : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Program Files/Common Files/owzo/owzop.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340540.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Program Files/Common Files/owzo/owzoa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP991\A0340482.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340536.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Program Files/Common Files/owzo/owzom.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340539.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CV6XGL4J\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Program Files\Common Files\misc002\141.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340810.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060831065157.zip/Program Files/Common Files/owzo/owzol.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP991\A0340481.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340538.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRKXINQP\kybrdff_15[1].exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\kybrdff_15.exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP994\A0340892.exe -> Downloader.VB.alt : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907165059875.zip/WINNT/wast2.exe -> Downloader.Wiser : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907174450937.zip/WINNT/wast2.exe -> Downloader.Wiser : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/temp/installer2.exe -> Dropper.Delf.dj : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920232111390.zip/WINNT/UnstSA2.exe -> Dropper.Delf.z : Cleaned with backup (quarantined).
C:\WINNT\system32\bdlGs.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\WINNT\system32\in10b6s.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRKXINQP\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP993\A0340809.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\WINNT\system32\SplWbr.dll -> Dropper.Small.sf : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20040920163047312.zip/WINNT/2_0_1browserhelper2.dll -> Hijacker.Delf.r : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20060830231000.zip/Program Files/network monitor/netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\Program Files\PestPatrol\Quarantine\20060831220330.zip/Program Files/network monitor/netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340512.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP992\A0340574.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/winnt/temp/cookies/owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/winnt/temp/cookies/owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Amara\Local Settings\Temp\Cookies\amara@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/winnt/temp/cookies/owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@cz2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Amara\Local Settings\Temp\Cookies\amara@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/winnt/temp/cookies/owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Amara\Local Settings\Temp\Cookies\amara@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Amara\Local Settings\Temp\Cookies\amara@ehg-legonewyorkinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Amara\Local Settings\Temp\Cookies\amara@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20060902162838.zip/winnt/temp/cookies/owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Chingun\Cookies\chingun@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\QUARANTINE\20040907165059875.zip/WINNT/hzefd.exe -> Trojan.VB.kz : Cleaned with backup (quarantined).
C:\QUARANTINE\20040907174450937.zip/Documents and Settings/Chingun/Local Settings/Temporary Internet Files/Content.IE5/Y1WBA525/9-7[1].exe -> Trojan.VB.kz : Cleaned with backup (quarantined).
C:\QUARANTINE\20040912015127493.zip/WINNT/rbfnakf.exe -> Trojan.VB.kz : Cleaned with backup (quarantined).
C:\WINNT\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\QUARANTINE\T-872159-Guitar Pro 5 Full Realistic Sound Engi.zip.Vir/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\QUARANTINE\T-872159-Medal of Honor Allied Assault Breakthrough.zip.Vir/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
::Report end
and now, finally, is the HJT log.
As I wrote in part 1, I am very very grateful for any help with this mess.
Logfile of HijackThis v1.99.1
Scan saved at 12:22:38 AM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINNT\rundll.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\DllHost.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINNT\System32\kdpupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O4 - HKCU\..\Run: [RealPlayer] "C:\Documents and Settings\Chingun\My Documents\download\download\redchingun\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://edgemail.worldbank.org/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/198ab9965c08b8ec8500/netzip/RdxIE601.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.ritzpix.com/upload/WebUploadClient.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.plato.com/pwln/02000050/cab/pwlninst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\j44o0eh3eh4.dll (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\system32\fpr0039me.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINNT\rundll.exe
LonnyRJones
2006-09-11, 23:21
Hello
Please download Look2Me-Destroyer.exe to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
http://www.atribune.org/content/view/28/
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 to five minute's. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Wait about Four minutes, Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.
Thanks for your help. Attached are the logs from Look2MeDestroyer and HijackThis.
>>
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 9/11/2006 8:14:14 PM
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341934.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341935.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341936.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341937.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341938.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341939.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341940.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341941.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341942.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341943.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341944.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341945.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341946.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341947.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341948.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341966.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341980.dll
Infected! C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341995.dll
Infected! C:\WINNT\system32\irpql5751.dll
Infected! C:\WINNT\system32\wxhisn.dll
Infected! C:\WINNT\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341934.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341934.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341935.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341935.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341936.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341936.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341937.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341937.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341938.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341938.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341939.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341939.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341940.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341940.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341941.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341941.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341942.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341942.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341943.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341943.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341944.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341944.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341945.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341945.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341946.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341946.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341947.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341947.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341948.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341948.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341966.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341966.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341980.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341980.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341995.dll
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1002\A0341995.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\irpql5751.dll
C:\WINNT\system32\irpql5751.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\wxhisn.dll
C:\WINNT\system32\wxhisn.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{59E3744C-3BD7-4FAC-B54B-93C8CAC78799}"
HKCR\Clsid\{59E3744C-3BD7-4FAC-B54B-93C8CAC78799}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F07A44E3-AE41-4DE8-A683-3C5F6458F0A2}"
HKCR\Clsid\{F07A44E3-AE41-4DE8-A683-3C5F6458F0A2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{653F3F88-53BE-44F1-8BE3-5F167FDE84C4}"
HKCR\Clsid\{653F3F88-53BE-44F1-8BE3-5F167FDE84C4}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{27FB0297-F4EA-4EC8-9F4F-60FC1EB861A4}"
HKCR\Clsid\{27FB0297-F4EA-4EC8-9F4F-60FC1EB861A4}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A7E52ED8-1A98-4483-8818-3075CED8E135}"
HKCR\Clsid\{A7E52ED8-1A98-4483-8818-3075CED8E135}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D5746700-2D58-44A9-B604-44CC552685FA}"
HKCR\Clsid\{D5746700-2D58-44A9-B604-44CC552685FA}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{73C19128-95C2-43D4-8F0E-1AD928FB4434}"
HKCR\Clsid\{73C19128-95C2-43D4-8F0E-1AD928FB4434}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
>>>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 8:36:12 PM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\rundll.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINNT\System32\kdpupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O4 - HKCU\..\Run: [RealPlayer] "C:\Documents and Settings\Chingun\My Documents\download\download\redchingun\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://edgemail.worldbank.org/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/198ab9965c08b8ec8500/netzip/RdxIE601.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.ritzpix.com/upload/WebUploadClient.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.plato.com/pwln/02000050/cab/pwlninst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINNT\rundll.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-09-12, 04:17
Start Hijackthis and place a check next to these items If there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINNT\System32\kdpupd.dll
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/198ab996...p/RdxIE601.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
====================================
Hit fix checked and close Hijackthis.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Thanks. The logs for SDFix and HJT follow:
SDFix: Version 1.21
-------------------------
Scan Time / Date: 23:12:37.93 / Mon 09/11/2006
Microsoft Windows XP [Version 5.1.2600]
Running from: C:\Documents and Settings\Owner\Desktop\SDFix\SDFix
Stage One...
Checking Services...
Service Name:
------------------
rundll.exe
File Path:
------------
"C:\WINNT\rundll.exe"
Removing Services:
------------------------
rundll.exe ... deleted
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting!
Stage Two...
Registry Cleaning Finished...
Checking For Malware Files:
----------------------------------
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\CV6XGL4J\NWNMFF~1.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\QRKXINQP\NWNMFF~1.EXE
C:\NWNMFF~2.EXE
C:\WINNT\rundll.exe
Backing Up and Removing any Files Found...
Final Check:
Remaining Services:
------------------------
Remaining Files:
-------------------
FINISHED
>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 6:20:59 AM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O4 - HKCU\..\Run: [RealPlayer] "C:\Documents and Settings\Chingun\My Documents\download\download\redchingun\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://edgemail.worldbank.org/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/198ab9965c08b8ec8500/netzip/RdxIE601.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.ritzpix.com/upload/WebUploadClient.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.plato.com/pwln/02000050/cab/pwlninst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-09-12, 22:15
Looks like you missed these, Start Hijackthis and place a check next to these items If there.
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_417d.dll"
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaybox.cab
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html
Update suns java manualy
Sun Java "Java Runtime Environment (JRE) 5.0 Update 8" is Available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's important to uninstall the old version's via addremove programs.
Use the PC for a full day then Post a fresh hijackthis log please, be sure to mention any current problems.
Many thanks. New hijack this log attached.
>>
Logfile of HijackThis v1.99.1
Scan saved at 8:56:31 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152923123\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Documents and Settings\Chingun\My Documents\download\download\redchingun\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://edgemail.worldbank.org/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://edgemail.worldbank.org/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/198ab9965c08b8ec8500/netzip/RdxIE601.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.ritzpix.com/upload/WebUploadClient.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.plato.com/pwln/02000050/cab/pwlninst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
I hope I didn't just mess up this long process, but I ran Spybot Search and Destroy, thinking everything was nice and clean now, but many problems came up, including Smitfraud-C, DyFuCA, and Deskbar and they still can't be fixed. Please tell me I don't have to start over....
LonnyRJones
2006-09-15, 08:29
Thats ok
Post a SpyBot results report.
Run SpyBot check for problems, when its finished right click and choose copy results
(not full report) to clipboard and past that back here please.
Thanks. Here are the SSD results:
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.deskbarBHO.1
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DeskbarEnabler.1
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DBTB00001
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DBTB00001.1
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DeskBar
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DeskBar.1
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.deskbarBHO
Deskbar: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DBTB00001.DeskbarEnabler
DyFuCA: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DyFuCA_BH.BHObj
DyFuCA: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\DyFuCA_BH.BHObj.1
Smitfraud-C.: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\MyToolBar.MyToolBarObj
Smitfraud-C.: Root class (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\MyToolBar.MyToolBarObj.1
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-02 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-15 Includes\Cookies.sbi (*)
2006-09-15 Includes\Dialer.sbi (*)
2006-09-15 Includes\Hijackers.sbi (*)
2006-09-15 Includes\Keyloggers.sbi (*)
2006-09-15 Includes\Malware.sbi (*)
2006-09-15 Includes\PUPS.sbi (*)
2006-09-15 Includes\Revision.sbi (*)
2006-09-15 Includes\Security.sbi (*)
2006-09-15 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-15 Includes\Trojans.sbi (*)
LonnyRJones
2006-09-16, 12:19
Your in an account that has administrator rights ?
Try safe mode log in as administrator then check for and fix any problems found with SpyBot.
Let me know if it still said (Registry key, fixing failed) for those same items ?
Once back in normal mode
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Thanks. Yes, I am using an account with administrator rights. I ran SSD in safe mode and got the same results: these three bugs consistently turn up and consistently can not be fixed. "Registry key, fixing failed".
Here is the log from combofix:
Owner - 06-09-16 11:54:44.12 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Owner\Desktop
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\deskbar2.exe
C:\Program Files\Common Files\misc002
C:\WINNT\system32\crunner
C:\Program Files\Common Files\{10603F8F-07D0-1033-0817-020522200001}
((((((((((((((((((((((((((((((( Files Created from 2006-08-16 to 2006-09-16 ))))))))))))))))))))))))))))))))))
2006-09-11 20:09 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-08-31 16:11 8,464 --a------ C:\WINNT\system32\sporder.dll
2006-08-31 15:59 928 --a------ C:\WINNT\system32\winpfg32.sys
2006-08-31 15:59 126,976 --a------ C:\WINNT\system32\ieserv.exe
2006-08-30 19:57 342,622 --a------ C:\803_104.exe
2006-08-30 19:56 215,308 --a------ C:\WINNT\srvpiqpywv.exe
2006-08-28 16:55 1,390,080 --a------ C:\WINNT\system32\sdba.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-16 11:56 -------- d-------- C:\Program Files\Common Files
2006-09-12 20:21 -------- d-------- C:\Program Files\Java
2006-09-12 20:09 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-09-12 20:02 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-11 20:13 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-08 15:11 -------- d-------- C:\Program Files\Zone Labs
2006-09-07 18:19 -------- d-------- C:\Program Files\PestPatrol
2006-09-05 22:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-05 22:01 -------- d-------- C:\Program Files\AIM
2006-09-05 21:10 -------- d-------- C:\Program Files\CCleaner
2006-09-02 22:45 -------- d-------- C:\Program Files\Symantec
2006-09-02 22:45 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-02 22:43 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-02 22:40 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-02 20:02 404 --a------ C:\PPCleanDeleteAtReboot.bat
2006-09-01 23:40 139 --a------ C:\DeleteAtReboot.bat
2006-09-01 22:25 -------- d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2006-08-31 06:52 -------- d-------- C:\Program Files\Common Files\owzo
2006-08-21 08:21 16896 --a------ C:\WINNT\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINNT\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINNT\system32\drivers\fltmgr.sys
2006-08-17 01:15 -------- d-------- C:\Program Files\Internet Explorer
2006-08-16 22:31 -------- d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-08-15 15:26 -------- d-------- C:\Program Files\Guitar Pro 5(2)
2006-08-15 15:23 -------- d-------- C:\Program Files\ItsDeductibleEX
2006-08-15 15:23 -------- d-------- C:\Program Files\CoffeeCup Software
2006-08-15 08:30 -------- d-------- C:\Program Files\Microsoft Money
2006-08-07 08:41 77672 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-07-30 22:49 -------- d-------- C:\Documents and Settings\Owner\Application Data\Motive
2006-07-28 23:35 -------- d-------- C:\Program Files\Trellix Corporation
2006-07-27 09:24 679424 --------- C:\WINNT\system32\inetcomm.dll
2006-07-21 22:54 -------- d-------- C:\Program Files\Warcraft III
2006-07-21 04:24 72704 --------- C:\WINNT\system32\hlink.dll
2006-06-22 01:06 69120 --------- C:\WINNT\system32\ciodm.dll
2006-06-22 01:06 1435648 --------- C:\WINNT\system32\query.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"RealPlayer"="\"C:\\Documents and Settings\\Chingun\\My Documents\\download\\download\\redchingun\\realplay.exe\" /RunUPGToolCommandReBoot"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMMSG"="GWMDMMSG.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1152923123\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"owzo"="C:\\Program Files\\Common Files\\owzo\\owzom.exe"
"cprocsvc"="C:\\WINNT\\system32\\crunner\\cproc.exe"
"PCShield"="regsvr32 /s \"C:\\WINNT\\System32\\sfg_417d.dll\""
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Del11047"=""
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"owzo"="C:\\Program Files\\Common Files\\owzo\\owzom.exe"
"cprocsvc"="C:\\WINNT\\system32\\crunner\\cproc.exe"
"PCShield"="regsvr32 /s \"C:\\WINNT\\System32\\sfg_417d.dll\""
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Del11047"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{10603F8F-07D0-1033-0817-020522200001}"="\"C:\\Program Files\\Common Files\\{10603F8F-07D0-1033-0817-020522200001}\\Update.exe\" mc-110-12-0000509"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{10603F8F-07D0-1033-0817-020522200001}"="\"C:\\Program Files\\Common Files\\{10603F8F-07D0-1033-0817-020522200001}\\Update.exe\" mc-110-12-0000509"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\FRU Task #Hewlett-Packard#Deskjet#5550.job
Completion time: Sat 09/16/2006 11:56:37.04
ComboFix.txt
LonnyRJones
2006-09-16, 20:16
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
;
[-HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[-HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"owzo"=-
"cprocsvc"=-
"PCShield"=-
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Del11047"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"owzo"=-
"cprocsvc"=-
"PCShield"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Del11047"=-
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Delete these files and folder
C:\WINNT\system32\winpfg32.sys
C:\WINNT\system32\ieserv.exe
C:\803_104.exe
C:\WINNT\srvpiqpywv.exe
C:\WINNT\system32\sdba.exe
C:\Program Files\Common Files\owzo
You wont need look2me destroyer tool , delete it.
C:\Look2Me-Destroyer.exe
Check for and fix any problems found with SpyBot twice.
Let me know if those items show on the second scan .
Thanks. I followed the instructions and ren spybot several times, including at boot and in safe mode, and these three bugs are always found but never fixed.
LonnyRJones
2006-09-17, 07:00
Hi
Those infections from post 13 dont seam to be active, Unless your already familur and confident working with the windows registry editor i suggest you just ignore those items.
Okay. Thanks for all of your help.
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread. :)
Applies only to the original topic starter.