Need help, way beyond my skills

kelset

New member
I had a friend bring me his computer that had non-stop popups.
I ran spybot and it removed everything but 2 command service items, that continued to come back after multiple reboots and cleanings.

Any help would be appreciated.

here are the requested logs from hijackthis and pandasoft

Logfile of HijackThis v1.99.1
Scan saved at 7:25:41 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\?racle\d?xplore.exe
C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinnpex.exe GEN001
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\nalanui.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
 
pandasoft log part 1/3

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\progra~1\common~1\fnts~1\alg.exe
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@adtech[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@as-eu.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@bravenet[2].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@casinotropez[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@citi.bridgetrack[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@drivecleaner[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@serving-sys[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@tribalfusion[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@www.advnt01[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@www.burstbeacon[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\!update.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@atdmt[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@banners.searchingbooth[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@errorsafe[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@kmpads[1].txt
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@mbop[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@mediaplex[1].txt
 
pandasoft log part 2/3

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@microsofteup.112.2o7[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@searchportal.information[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@stats1.reliablestats[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@targetnet[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@targetsaver[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@winantivirus[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.advnt01[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.errorsafe[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.winantivirus[2].txt
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\da827.tmp
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mit7F7.tmp[NNBar_VCSetup_876075.exe]
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mit7F7.tmp.cab[NNBar_VCSetup_876075.exe]
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mmxsnet.exe
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\NNBar_VCSetup_876075.exe
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\SystemDoctor2006FreeInstall.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\temp.frD9B1
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[12].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[13].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[12].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[13].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[17].htm
 
pandasoft log part 3/3

Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[20].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[21].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[9].htm
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Content.IE5\79EXBXTO\!update-4295[1].0000
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\F?nts\alg.exe
Virus:Trj/PayClicker.EC Not disinfected C:\WINDOWS\Eim03.exe[²íÇ]
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\mtuninst.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lvp0097me.dll
Virus:Trj/PayClicker.EC Disinfected C:\WINDOWS\system32\nsw7F5.dll
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@888[1].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@888[2].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@cassava[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@errorsafe[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@kmpads[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@mediaplex[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@winantivirus[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@www.errorsafe[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@www.winantivirus[1].txt
Adware:Adware/Gmter Not disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\T4O4GVRY\popup[1].htm
Possible Virus. Renamed C:\WINDOWS\?racle\d?xplore.exe
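Triaging a HijackThis log like the one above by hand means scanning every line for the same few tells: the `?` in `C:\WINDOWS\?racle\d?xplore.exe`, an `alg.exe` running from Common Files instead of system32, a Run entry that is just `syshost.exe` with no path, an O16 download from a raw IP address. As an added example that is not part of the original post or of HijackThis itself, the Python below encodes those checks, parses the v1.99 line format shown in the log, and diffs two scans so a hook that comes back under a new file name shows up as removed-plus-added rather than gone; the embedded log excerpts are constructed from the two logs in this thread, and the `SYSTEM_NAMES` list is an assumed, deliberately short set of system32 binary names.

```python
"""Triage for HijackThis-style logs: parse entries, flag those that need a
closer look, and diff two scans so renamed components stand out.
Added example for this thread; not code from the post or from HijackThis."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts in the HijackThis v1.99 line format seen in this
# thread: a section code, " - ", then text ending in the launched file or URL.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe
C:\WINDOWS\?racle\d?xplore.exe

R3 - URLSearchHook: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""
LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 lines: the launch command follows the "[name]" label, quoted or bare.
O4_TARGET_RE = re.compile(r'\]\s+(?:"([^"]+)"|(.*?\.[A-Za-z]{3})(?:\s|$))')
# Other lines: the drive-letter path or URL at the end, minus "(file missing)".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?|https?://\S+?)(?:\s\(file missing\))?$")
SYSTEM32 = "c:\\windows\\system32\\"
# Assumed short list of names that belong in system32; the same name elsewhere
# is a masquerade (this thread's alg.exe under Common Files\F?nts).
SYSTEM_NAMES = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "spoolsv.exe", "csrss.exe"}


def parse(log: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (section, line, launch target); process-list lines get 'PROC'."""
    entries, in_procs = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            in_procs = False
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            entries.append(("PROC", line, line))
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            code, body = m.groups()
            t = (O4_TARGET_RE if code == "O4" else PATH_RE).search(body)
            target = next((g for g in t.groups() if g), None) if t else None
            entries.append((code, line, target))
    return entries


def review_reasons(code: str, line: str, target: Optional[str]) -> List[str]:
    """Why an entry deserves a manual look; an empty list means nothing noted."""
    if not target:
        return []
    reasons, low = [], target.lower()
    is_url = low.startswith("http")
    name = low.replace("/", "\\").rsplit("\\", 1)[-1]
    if not is_url and "?" in target:
        reasons.append("path contains '?' (a character HijackThis could not "
                       "print): typical of a lookalike folder name")
    if not is_url and "\\" not in target:
        reasons.append("bare file name with no directory")
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM32):
        reasons.append(f"{name} is a system32 binary name running from elsewhere")
    if is_url and re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", low):
        reasons.append("ActiveX download from a bare IP address")
    if code in ("O2", "R3") and "(no name)" in line and low.startswith(SYSTEM32):
        reasons.append("unnamed browser hook loading a DLL from system32")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    found = [(line, review_reasons(c, line, t)) for c, line, t in parse(log)]
    return {line: reasons for line, reasons in found if reasons}


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries gone and entries new between two scans (process list excluded).
    A hook that vanishes and reappears under a fresh CLSID and file name
    (jnouvhr.dll -> oimz.dll above) was regenerated, not removed."""
    old = {line for c, line, _ in parse(before) if c != "PROC"}
    new = {line for c, line, _ in parse(after) if c != "PROC"}
    return {"removed": sorted(old - new), "added": sorted(new - old)}
```

Call `triage(LOG_BEFORE)` for the flagged lines with their reasons, and `diff_logs(LOG_BEFORE, LOG_AFTER)` to see the jnouvhr.dll to oimz.dll swap between the two scans.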
 
Welcome to the forum, your friend has a pretty good mess here. It is not a good idea to do third party fixes like this, we find many of them get archived for lack of response.
Advise your friend to keep the computer offline as much as possible until it is clean. Make sure you tell them about cleaning out temp Internet files and cookies. Let's use a couple of tools to help us.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

(save those logs until the instructions are finished)

3) Thanks to sUBs and anyone who helped with this fix.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

If the log is large you might need to post half in one reply, half in another.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Report.txt from SDFix, the log from combofix and a new Panda scan log.

Thanks
 
I will do all this on Friday for them, since that is when I will be able to get to his place again. I have told him to avoid using the internet till then.

I should have the info posted Friday evening for review.
 
When extracting SDFix I receive this error from WinRAR:

! C:\Documents and Settings\Kelset\Desktop\Files for Fix\SDFix.exe: CRC failed in SDFix\apps\unzip.exe. The file is corrupt
! C:\Documents and Settings\Kelset\Desktop\Files for Fix\SDFix.exe: Unexpected end of archive

any suggestions welcome.
 
And when running the program, it starts to extract files, then I receive this error:

CRC failed in SDFix\apps\unzip.exe
Unexpected end of archive
 
There is nothing wrong with that file, I use it all of the time. You need to wait until you can download it to the Desktop of the computer you are going to run it on. I have no idea what will happen if you try to copy to a CD or other media.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:

Thanks
 
The most important part of this fix if we are to be successful, and a remote repair is hard to do, will be your ability to follow exactly the instructions I post for you. If you are not going to take the time to read and follow the directions, perhaps we should not continue with this repair. Thanks
 
Just figured I would download the files, put them onto a USB stick and take them to the infected computer instead of going on the internet on it again.

I'll post the info on Friday and do nothing till I'm at the computer.
 
Report.txt 1/1

SDFix: Version 1.40
-------------------

Scan run on:
Fri 11/17/2006

Time:
05:36 PM

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Elmhurst\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

Path:
----


Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED
 
HijackThis log 1/1

Logfile of HijackThis v1.99.1
Scan saved at 5:47:02 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
 
Combofix.txt 1/1

Elmhurst - 06-11-17 17:41:39.76 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Elmhurst\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\InprocServer32]
@="C:\\WINDOWS\\system32\\MEIMUSIC.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\nalanui.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\lvp0097me.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Elmhurst\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Eim03.exe
C:\WINDOWS\system32\WinNB58.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Elmhurst\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Elmhurst\My Documents\DOBE~1
C:\QooBox\Purity\Program Files\ICROSO~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1\37F.tmp
C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore.exe
C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-10-17 to 2006-11-17 ))))))))))))))))))))))))))))))))))


2006-11-09 18:43 131,072 --a------ C:\WINDOWS\system32\oimz.dll
2006-10-24 12:23 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-10-24 12:23 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-10-24 12:23 5,632 --a------ C:\WINDOWS\system32\kbd103.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 17:41 -------- d-------- C:\Program Files\Common Files
2006-11-17 17:40 -------- d-------- C:\Program Files\Book4golf
2006-11-17 12:41 -------- d-------- C:\Program Files\Fore! Reservations
2006-11-15 03:00 -------- d-------- C:\Program Files\Internet Explorer
2006-11-09 18:43 2 --a------ C:\WINDOWS\system32\wtstr.exe
2006-11-08 19:45 -------- d-------- C:\Program Files\QuickTime
2006-11-08 19:43 -------- d-------- C:\Program Files\Dell Support
2006-11-08 18:23 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Lavasoft
2006-11-08 18:22 -------- d-------- C:\Program Files\MSN
2006-10-30 19:05 -------- d-------- C:\Program Files\Google
2006-10-30 18:56 -------- d-------- C:\Program Files\Common Files\Real
2006-10-30 18:55 -------- d-------- C:\Program Files\Yahoo!
2006-10-30 18:55 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Real
2006-10-30 18:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-13 14:42 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Google
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-05 15:19 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 13:39 39424 --a------ C:\WINDOWS\mtuninst.exe
2006-08-24 13:39 155136 --a------ C:\WINDOWS\system32\oins.exe
2006-08-24 13:33 838 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-08-24 13:33 1233 --a------ C:\WINDOWS\system32\vrq7eb3a.sys
2006-08-24 13:32 507904 --a------ C:\814.exe
2006-08-24 13:32 214749 --a------ C:\WINDOWS\srvpbjwbvv.exe
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-17 06:28 721920 --a------ C:\WINDOWS\system32\lsasrv.dll
2006-08-17 06:28 132096 --a------ C:\WINDOWS\system32\wkssvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Cfrhhhvt"="C:\\WINDOWS\\?racle\\d?xplore.exe"
"Cshb"="\"C:\\PROGRA~1\\COMMON~1\\FNTS~1\\alg.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"StartAgent"="C:\\Program Files\\Book4golf\\StartHost.exe"
"{96-6E-E3-3B-ZN}"="C:\\windows\\system32\\omdsregl.exe GEN001"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pononuca.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\mele.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-17 17:43:43.68
C:\ComboFix.txt ... 06-11-17 17:43
 
Panda log 1/1

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\oimz.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/commad Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/searchexe Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix\apps\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix\apps\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix.exe[SDFix\apps\swsc.exe]
Adware:Adware/PurityScan Not disinfected C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe
Possible Virus. Not disinfected C:\QooBox\Purity\WINDOWS\RACLE~1\37F.tmp
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore.exe
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore_exe.vir
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\mtuninst.exe
 
Thanks for returning the information; the tools did a good job and removed a lot of junk. Let's do this now.

Please scan these files with one or more of these free online scans and delete the ones that scan bad. Please leave them in the recycle bin for a few days to be safe. This means if you use ATF-Cleaner, remove the check from in front of Recycle Bin.

C:\WINDOWS\system32\oimz.dll
C:\WINDOWS\system32\wtstr.exe
C:\WINDOWS\mtuninst.exe
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\vrq7eb3a.sys
C:\814.exe
C:\WINDOWS\srvpbjwbvv.exe

scanners
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
_______________________________________________________

The Java program is badly out of date and a security risk, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< out of date, please uninstall all old versions and update the program.
_________________________________________________________

Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN or OuterInfo or any variation of that. Have your friend look and also uninstall any program they know does not belong there.

After that is done, then do this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

________________________________________________________


How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

(these may be gone, just do not miss them)

C:\windows\system32\omdsregl.exe <<< delete that file

C:\WINDOWS\?racle\ <<< delete that folder

C:\PROGRA~1\COMMON~1\FNTS~1\ delete that folder

Run ATF-Cleaner but do not check the Recycle Bin or Prefetch.
Restart the computer and post the uninstall list from earlier and a new HJT log.

As soon as those logs are posted, then follow the instructions in this link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial
Please make sure you follow the directions carefully, delete or at least quarantine anything located and make sure to save the Report-Scan.txt. Post that scan as soon as you have it. Let me know how the computer is running.

Thanks
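The triage the helper does by eye in the post above (hooks and BHOs registered with "(no name)", Run entries whose paths contain characters HijackThis prints as "?", an 8.3 short-name folder under Common Files, ActiveX downloads with no description or from a bare IP address, search URLs reset to about:blank) can be written down as heuristics and re-run against a fresh HJT log. The script below is an added example and is not part of this thread or of HijackThis; the sample log is constructed from lines quoted in the thread plus a few benign entries in the same format, and every rule in it is a heuristic that ranks lines for a human to look at, not proof that a line is malicious.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not a tool from the thread itself. It
encodes the indicators the helper used when choosing which lines to
"Fix checked", so the same checks can be re-run on a fresh HJT log:

  * R0/R1 search URLs pointed at about:blank (search hijack residue)
  * R3/O2 hooks and BHOs that register with "(no name)" or no file
  * O4 Run values with GUID-like names, paths containing characters
    HJT prints as '?', or 8.3 short-name folders under Common Files
  * O16 ActiveX downloads with no description, from a bare IPv4
    address, or fetching a raw .exe

Everything here is a heuristic: it ranks lines for a human to look at,
it does not prove anything is malicious.
"""
from __future__ import annotations

import re
import textwrap
from urllib.parse import urlparse

# Constructed sample: lines taken from the HJT logs posted in this
# thread, plus a few benign entries in the same format for contrast.
SAMPLE_LOG = textwrap.dedent(r"""
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
    O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
    O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
""").strip()

_URL_RE = re.compile(r"https?://\S+")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_O4_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
_O16_NAMED_RE = re.compile(r"DPF: \{[^}]+\} \([^)]*\) - ")
_SHORTNAME_RE = re.compile(r"COMMON~1\\[A-Z0-9]+~\d", re.I)


def reasons_for(line: str) -> list[str]:
    """Return the list of indicators that fire on one HJT log line."""
    m = re.match(r"(?P<type>[A-Z]\d{1,2}) - (?P<rest>.*)", line.strip())
    if not m:
        return []
    kind, rest = m.group("type"), m.group("rest")
    hits: list[str] = []

    # A '?' outside a URL means HJT could not print a character in the
    # path (the thread's C:\WINDOWS\?racle\d?xplore.exe is the example).
    if "?" in _URL_RE.sub("", rest):
        hits.append("non-printable character in path")

    if kind in ("R0", "R1") and "Search" in rest and "about:blank" in rest:
        hits.append("search URL reset to about:blank")

    if kind in ("R3", "O2"):
        if "(no name)" in rest and "(no file)" not in rest:
            hits.append("unnamed hook/BHO with a live DLL")
        if kind == "R3" and "(no file)" in rest:
            hits.append("orphaned URLSearchHook")

    if kind == "O4":
        o4 = _O4_RE.search(rest)
        if o4:
            name, cmd = o4.group("name"), o4.group("cmd")
            if re.fullmatch(r"\{[0-9A-Za-z-]+\}", name):
                hits.append("GUID-style Run value name")
            if _SHORTNAME_RE.search(cmd):
                hits.append("8.3 short-name folder under Common Files")

    if kind == "O16":
        if not _O16_NAMED_RE.search(rest):
            hits.append("ActiveX download with no description")
        url = _URL_RE.search(rest)
        if url:
            parsed = urlparse(url.group(0))
            if _IPV4_RE.fullmatch(parsed.hostname or ""):
                hits.append("ActiveX download from bare IP address")
            if parsed.path.lower().endswith(".exe"):
                hits.append("ActiveX download of a raw .exe")
    return hits


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged line to its indicators; clean lines are omitted."""
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        hits = reasons_for(line)
        if hits:
            flagged[line.strip()] = hits
    return flagged


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(line)
        for h in hits:
            print("    ->", h)
```

Run against the sample, the script flags exactly the ten lines the helper told the poster to check in HijackThis and leaves the Dell, MSN Messenger, WGA, Flash, DNS and service entries alone. The rules are deliberately narrow (a Run value with no vowels, for instance, is not used, because "MsnMsgr" would trip it); anything they miss still needs the human read the helper gives the logs above.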
 
Uninstall list 1/1

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9
Adobe Reader 7.0.7
APC PowerChute Personal Edition
Book4golf.com
Cherry OPOS Support (local edition) V3.0 Build 8
Cherry Tools V4.1 Rev.6 Build 2
Dell Driver Reset Tool
Dell Support 3.1
Fore! Reservations 2006
Fore! Reservations 2006
Fore! Reservations 2006
HijackThis 1.99.1
IIS UrlScan Tool 2.0 (Uninstall)
im3510 PCL6
Imagistics PC-FAX driver
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Professional
Panda ActiveScan
Printer Administration Utility3.2
Printer Status Monitor Version 3.2
PS-Utility
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
 