Another GOOGLE Redirect Problem

Sorry I have been away for a few days. I ran two online scans and this is what Panda found:


Incident - Location

Adware:adware/azesearch - c:\windows\system32\azebar.xml
Adware:adware/securityerror - c:\windows\system32\ot.ico
Adware:adware/dollarrevenue - c:\windows\gimmygames.dat
Potentially unwanted tool:application/bestoffer - c:\windows\smdat32m.sys
Adware:adware/windowenhancer - c:\windows\system32\SBUtils
Adware:adware/commad - Windows Registry
Potentially unwanted tool:application/need2find - hkey_current_user\software\Need2Find
Potentially unwanted tool:application/mywebsearch - hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/dyfuca - Windows Registry
Adware:adware/ist.istbar - Windows Registry
Adware:adware/sqwire - Windows Registry
Adware:adware/vaultsearch - Windows Registry
Spyware:Cookie/Hitbox - C:\Documents and Settings\Jamie\Cookies\jamie@hitbox[1].txt
Spyware:Cookie/Mysearch - C:\Documents and Settings\Jamie\Cookies\jamie@mysearch[2].txt
Spyware:Cookie/Tribalfusion - C:\Documents and Settings\Jamie\Local Settings\Temp\Cookies\jamie@tribalfusion[2].txt
Potentially unwanted tool:Application/VirusBursters - C:\Documents and Settings\Jamie\Local Settings\Temp\vbDB.exe[VirusBursters.exe]
Spyware:Cookie/Advnt - C:\Documents and Settings\Lisa\Cookies\lisa@www.advnt01[1].txt
Potentially unwanted tool:Application/NirCmd.A - C:\fixwareout\FindT\nircmd.exe
Adware:Adware/eZula - C:\mti-hits.exe[èÇ]
Adware:Adware/DollarRevenue - C:\Program Files\Common Files\{38AD34D5-095A-1033-0706-050313200001}\Uninst.exe
Spyware:Cookie/Rn11 - C:\WINDOWS\Temp\Cookies\jamie@rn11[2].txt
Adware:Adware/Maxifiles - C:\WINDOWS\Temp\nsc21.tmp\nsProcess.dll
Adware:Adware/Maxifiles - C:\WINDOWS\Temp\nscAD.tmp\nsProcess.dll
Adware:Adware/Maxifiles - C:\WINDOWS\Temp\nsx52.tmp\nsProcess.dll




Logfile of HijackThis v1.99.1
Scan saved at 5:46:39 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C111361-F1C5-115A-7EBB-05D7FB77F8D9} - C:\WINDOWS\system32\bghbisd.dll
O2 - BHO: (no name) - {2850EEDB-4CF2-6EC6-8BFE-0B679136EE6E} - C:\WINDOWS\system32\dprhzee.dll
O2 - BHO: (no name) - {33EC245E-2A07-A599-1ED9-07A627B37491} - C:\WINDOWS\system32\gappoud.dll
O2 - BHO: (no name) - {55A24E64-4F14-3948-8B3B-0B72AE7EFA24} - C:\WINDOWS\system32\zoixagc.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - Software - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: archenteric - {d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
Hi

Please follow the instructions in this link to remove the Alcan Worm from your computer :-

http://www.geekstogo.com/forum/How_...fects_of_the_Alcra_aka_Alcan_Worm-t98929.html

THEN...

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix)
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and post the contents in your next post here...

This is just a start ... there will be a lot more to do...

steam
 
Just would like to say how much I appreciate your help so far, it is GREATLY appreciated.


SmitFraudFix v2.144

Scan done at 22:15:18.56, Sun 02/25/2007
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\timessquare1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jamie


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jamie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jamie\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:home"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}"="archenteric"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
HI

1. Reboot into >>>safe mode
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam
 
SmitFraudFix v2.144

Scan done at 20:43:41.21, Mon 02/26/2007
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}"="archenteric"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\timessquare1.dat Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 8:58:34 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C111361-F1C5-115A-7EBB-05D7FB77F8D9} - C:\WINDOWS\system32\bghbisd.dll
O2 - BHO: (no name) - {2850EEDB-4CF2-6EC6-8BFE-0B679136EE6E} - C:\WINDOWS\system32\dprhzee.dll
O2 - BHO: (no name) - {33EC245E-2A07-A599-1ED9-07A627B37491} - C:\WINDOWS\system32\gappoud.dll
O2 - BHO: (no name) - {55A24E64-4F14-3948-8B3B-0B72AE7EFA24} - C:\WINDOWS\system32\zoixagc.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - Software - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
HI

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below... when all are ticked (checked), click the Fix Checked button at the bottom:


R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)

O2 - BHO: (no name) - {0C111361-F1C5-115A-7EBB-05D7FB77F8D9} - C:\WINDOWS\system32\bghbisd.dll
O2 - BHO: (no name) - {2850EEDB-4CF2-6EC6-8BFE-0B679136EE6E} - C:\WINDOWS\system32\dprhzee.dll
O2 - BHO: (no name) - {33EC245E-2A07-A599-1ED9-07A627B37491} - C:\WINDOWS\system32\gappoud.dll
O2 - BHO: (no name) - {55A24E64-4F14-3948-8B3B-0B72AE7EFA24} - C:\WINDOWS\system32\zoixagc.dll

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL


THEN...

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "CCleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up:

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

THEN.....

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

---

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

---

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

---

Please post the following logs:
- AVG's report
- a fresh HijackThis log

steam
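A small triage script, added here as an example (it is not part of the thread and not HijackThis' own code), that applies the same rules steam used to pick the fix list above to a constructed excerpt of HJT 1.99.1 lines copied from the logs in this thread: entries whose file is gone ("(no file)"), unnamed BHOs loading a random-looking DLL from system32, and a context-menu item pointing at a known adware host. One extra heuristic is mine, not steam's: a RunServices autostart given as a bare filename, which the first log in this thread showed. The adware host list and the "6-8 lowercase letters" DLL test are illustrative assumptions, not authoritative data.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis 1.99.1 lines in the same format as the logs
# posted in this thread (a short excerpt, not a complete log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C111361-F1C5-115A-7EBB-05D7FB77F8D9} - C:\WINDOWS\system32\bghbisd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O21 - SSODL: archenteric - {d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3} - (no file)
"""

# Every HJT line is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Assumption: a 6-8 lowercase-letter DLL directly under system32 is
# "random-looking" (the Vundo-style names in this thread are 7 letters).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{6,8}\.dll$")
# Assumption: illustrative adware host list, not an authoritative one.
ADWARE_HOSTS = ("need2find.com", "mywebsearch.com")
# A pathed autostart looks like '] C:\...' (optionally quoted); a bare filename does not.
PATHED_RUN_RE = re.compile(r"\]\s+\"?[A-Za-z]:\\")

Finding = Tuple[str, str, str]  # (section, reason, raw line)


def triage(log_text: str) -> List[Finding]:
    """Return the HJT lines worth ticking, with the rule that caught each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R3", "O2", "O21") and body.endswith("(no file)"):
            findings.append((sec, "orphaned entry: object registered but file is gone", raw))
        elif sec == "O2" and "(no name)" in body and RANDOM_DLL_RE.search(body):
            findings.append((sec, "unnamed BHO loading a random-named DLL from system32", raw))
        elif sec == "O4" and "RunServices" in body and not PATHED_RUN_RE.search(body):
            findings.append((sec, "RunServices autostart given as a bare filename, no path", raw))
        elif sec == "O8" and any(h in body.lower() for h in ADWARE_HOSTS):
            findings.append((sec, "context-menu item pointing at a known adware host", raw))
    return findings


def fix_list(log_text: str) -> List[str]:
    """Just the raw lines, in log order, ready to tick in HijackThis."""
    return [raw for _, _, raw in triage(log_text)]


if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {raw}")
```

Legitimate entries in the sample (the Adobe BHO, the Intel igfxtray autostart) pass through untouched; only the five lines matching a rule come back, which is the same set a human reads out of the log by eye.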
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:25:09 PM 3/1/2007

+ Scan result:



C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065468.dll -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\Lisa\Cookies\lisa@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Lisa\Cookies\lisa@need2find[2].txt -> TrackingCookie.Need2find : No action taken.
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065464.exe -> Trojan.Dialer.qs : No action taken.
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065465.exe -> Trojan.Small : No action taken.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 8:31:35 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - Software - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
HI

Is your problem resolved?

Just a little cleaning up to do... run AVG Anti-Spyware again & make sure you quarantine all it finds...

steam
 
Hello Steam,

My problem is FIXED!!!! I am VERY grateful for all of your help. I will run AVG again and make sure everything is okay.

Thanks again
 
HI

You're very welcome :)

Run HijackThis & fix this:-

R3 - URLSearchHook: (no name) - {25CC7CC0-BE77-BCA8-2C53-BDCE19B9B6C6} - (no file)

Then run the Panda scan again & post the new log...

steam
 
Incident Status Location

Adware:adware/azesearch Not disinfected c:\windows\system32\azebar.xml
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Adware:adware/commad Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jamie\Cookies\jamie@phg.hitbox[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jamie\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@www.advnt01[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Adware:Adware/eZula Not disinfected C:\mti-hits.exe[²èÇ]
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{38AD34D5-095A-1033-0706-050313200001}\Uninst.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\SmitfraudFix\Process.exe
 
Please Download SUPERantispyware

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Load SUPERantispyware and click the check for updates button.

Once the update is finished click the scan your computer button.

Check Perform Complete Scan and then next.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.

Make sure that they all have a check next to them and press next.

Click finish and you will be taken back to the main interface.

Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.

Copy and paste the log to this thread.

steam
 
SUPERAntiSpyware Scan Log
Generated 03/10/2007 at 11:05 AM

Application Version : 3.6.1000

Core Rules Database Version : 3197
Trace Rules Database Version: 1207

Scan type : Complete Scan
Total Scan Time : 00:42:16

Memory items scanned : 361
Memory threats detected : 0
Registry items scanned : 5159
Registry threats detected : 18
File items scanned : 37757
File threats detected : 45

Adware.Tracking Cookie
C:\Documents and Settings\Jamie\Cookies\jamie@hitbox[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ehg-optionetics.hitbox[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@1070468660[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@1071712319[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ehg-queenslanddpc.hitbox[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@media.sensis.com[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@counter.auctionworks[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@76767130[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@cs.sexcounter[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@roiservice[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@phg.hitbox[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wjl4olajmfp.stats.esomniture[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@adcentriconline[1].txt
C:\Documents and Settings\Lisa\Cookies\lisa@ads.mytelus[1].txt
C:\Documents and Settings\Lisa\Cookies\lisa@adv.webmd[1].txt
C:\Documents and Settings\Lisa\Cookies\lisa@cpvfeed[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@indexstats[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@media101.sitebrand[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@winantispyware[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@www.winantispyware[1].txt

Adware.ZToolbar
C:\WINDOWS\system32\azebar.xml

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Malware.SpywareBot
C:\Program Files\SpywareBot

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\LISA\FAVORITES\ANTIVIRUS TEST ONLINE.URL

Trojan.Downloader-DoneDU
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070301-165234-438.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070301-165234-513.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070301-165234-748.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070301-165234-789.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP622\A0065688.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP622\A0065689.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP622\A0065690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP622\A0065691.DLL
C:\WINDOWS\SYSTEM32\EQSCSWB.DLL
C:\WINDOWS\SYSTEM32\FNQIWJN.DLL
C:\WINDOWS\SYSTEM32\HDUVGWH.DLL
C:\WINDOWS\SYSTEM32\TQODQTE.DLL

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065464.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065465.EXE
C:\WINDOWS\SB_AFFILIATE.INI

Trojan.Downloader-RNFSave
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP612\A0065468.DLL

Adware.TrustInCash
C:\WINDOWS\ADULT.ICO
C:\WINDOWS\CASINO.ICO
C:\WINDOWS\SPYWAREREMOVAL.ICO

Adware.Unknown Origin
C:\WINDOWS\SHOPPING.ICO

Adware.DollarRevenue
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\MHGJXFM1\smartload_d[1].htm
C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\GMFN0D2C\smartload[1].htm
 
Hi jjbubbs.

I think real time stuff must have called steam away, if you still need assistance I can ask another helper to follow up.

Please let me know by sending me a PM. (private message)

Thanks.
 
Hi jjbubbs

Uninstall from add/remove programs if present:

SpywareBot

Empty Internet Explorer temporary internet files and cookies.

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Go in regedit here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Find these:

LEGACY_NETWORK_MONITOR
LEGACY_WINDOWS_OVERLAY_COMPONENTS

Go to Edit -> Permissions. Highlight admin and give it full control there (checkmark in full control "allow").

Delete those keys (right-click -> delete).

Delete these:

C:\WINDOWS\system32\azebar.xml
C:\Program Files\Common Files\{38AD34D5-095A-1033-0706-050313200001}
C:\DOCUMENTS AND SETTINGS\LISA\FAVORITES\ANTIVIRUS TEST ONLINE.URL
C:\Program Files\SpywareBot
C:\WINDOWS\SYSTEM32\EQSCSWB.DLL
C:\WINDOWS\SYSTEM32\FNQIWJN.DLL
C:\WINDOWS\SYSTEM32\HDUVGWH.DLL
C:\WINDOWS\SYSTEM32\TQODQTE.DLL
C:\WINDOWS\ADULT.ICO
C:\WINDOWS\CASINO.ICO
C:\WINDOWS\SPYWAREREMOVAL.ICO
C:\WINDOWS\SHOPPING.ICO
C:\mti-hits.exe
C:\WINDOWS\SB_AFFILIATE.INI

Run another scan with superantispyware and post its report here, please
 
Hello Shaba,

Thank you first of all for taking over for Steamwiz, not sure what happened to him. Anyway, I searched for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root,
but was unable to locate these two files in there;
LEGACY_NETWORK_MONITOR
LEGACY_WINDOWS_OVERLAY_COMPONENTS

So I went
EDIT -> FIND and found each one and deleted them.

I was also unable to find any of the files that you asked me to delete. Is there something that I am not doing to find these files? I went
MY COMPUTER -> EXPLORE and found nothing.
Then I searched for them and found nothing.

I figure that I must be missing something in order to locate the files.

Thanks again and here is the scan:

SUPERAntiSpyware Scan Log
Generated 04/06/2007 at 09:53 PM

Application Version : 3.6.1000

Core Rules Database Version : 3197
Trace Rules Database Version: 1207

Scan type : Complete Scan
Total Scan Time : 01:20:31

Memory items scanned : 374
Memory threats detected : 0
Registry items scanned : 5169
Registry threats detected : 4
File items scanned : 37686
File threats detected : 34

Adware.Tracking Cookie
C:\Documents and Settings\Jamie\Cookies\jamie@hitbox[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ehg-optionetics.hitbox[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@image.masterstats[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@mb[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wfkiwkcjabp.stats.esomniture[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ads.blubster[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@media.sensis.com[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@counter.auctionworks[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@vhost.oddcast[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wfkowhd5cbp.stats.esomniture[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@adbrite[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@1071861175[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@75190831[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@oddcast[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ads.monster[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@webstat[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wjkogjcjwao.stats.esomniture[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6waligoazsap.stats.esomniture[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@1072659779[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@1067030926[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@cs.sexcounter[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\Jamie\Cookies\jamie@ehg-optionsxpress.hitbox[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@mb[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wak4qndpwhp.stats.esomniture[2].txt
C:\Documents and Settings\Jamie\Cookies\jamie@e-2dj6wjnygodjscq.stats.esomniture[2].txt

Trojan.NewDotNet
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\New.net

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Start Page [ http://www.findthewebsiteyouneed.com ]
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Search Page [ http://searchbar.findthewebsiteyouneed.com ]
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Search Bar [ http://searchbar.findthewebsiteyouneed.com ]

Trojan.Downloader-DoneDU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065755.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065756.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065757.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065758.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065759.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065760.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065761.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP630\A0065762.DLL
 
Hi

Delete this registry key:

(HKU = HKEY_USERS)

HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\New.net

Delete these registry values:

HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Start Page [ http://www.findthewebsiteyouneed.com ]
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Search Page [ http://searchbar.findthewebsiteyouneed.com ]
HKU\S-1-5-21-2657841008-3867914367-792641540-1007\Software\Microsoft\Internet Explorer\Main#Search Bar [ http://searchbar.findthewebsiteyouneed.com ]

Run another scan with superantispyware and post its report here with a fresh HijackThis log, please
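The two cleanup posts above (the file and LEGACY_* key list, and the later New.net key and Internet Explorer start/search values) can be checked without the GUI. The script below is an added example for this thread, not something the helpers posted or a tool the thread uses: it is a read-only PowerShell check that reports whether each listed file, registry key and IE value is still present, and whether the start/search values still point at the domain the scanner reported. Every path, key name, the user SID and the domain are copied from the posts and scan logs above; the only assumptions are that PowerShell is installed and the prompt is run as Administrator.

```powershell
# Added example, not from the thread: read-only check of the items the two
# cleanup posts list, so their presence can be confirmed before and after the
# manual deletion steps. Run from an elevated PowerShell prompt. All paths,
# key names and the SID are copied from the posts and scan logs above.

$files = @(
    'C:\WINDOWS\system32\azebar.xml',
    'C:\Program Files\Common Files\{38AD34D5-095A-1033-0706-050313200001}',
    'C:\DOCUMENTS AND SETTINGS\LISA\FAVORITES\ANTIVIRUS TEST ONLINE.URL',
    'C:\Program Files\SpywareBot',
    'C:\WINDOWS\SYSTEM32\EQSCSWB.DLL',
    'C:\WINDOWS\SYSTEM32\FNQIWJN.DLL',
    'C:\WINDOWS\SYSTEM32\HDUVGWH.DLL',
    'C:\WINDOWS\SYSTEM32\TQODQTE.DLL',
    'C:\WINDOWS\ADULT.ICO',
    'C:\WINDOWS\CASINO.ICO',
    'C:\WINDOWS\SPYWAREREMOVAL.ICO',
    'C:\WINDOWS\SHOPPING.ICO',
    'C:\mti-hits.exe',
    'C:\WINDOWS\SB_AFFILIATE.INI'
)

# HKU (HKEY_USERS) is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$sid = 'S-1-5-21-2657841008-3867914367-792641540-1007'   # user SID from the scan log
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS',
    "HKU:\$sid\Software\New.net"
)
$ieMain       = "HKU:\$sid\Software\Microsoft\Internet Explorer\Main"
$hijackDomain = 'findthewebsiteyouneed.com'   # domain reported in the scan log

'--- files ---'
foreach ($f in $files) {
    # Test-Path ignores hidden/system attributes, unlike Explorer's default view.
    $state = if (Test-Path -LiteralPath $f) { 'PRESENT' } else { 'absent ' }
    "$state  $f"
}

'--- registry keys ---'
foreach ($k in $keys) {
    $state = if (Test-Path -LiteralPath $k) { 'PRESENT' } else { 'absent ' }
    "$state  $k"
}

'--- Internet Explorer start/search values ---'
if (Test-Path -LiteralPath $ieMain) {
    $main = Get-ItemProperty -LiteralPath $ieMain
    foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
        $value = $main.$name
        if (-not $value) { "unset     $name" }
        elseif ($value -like "*$hijackDomain*") { "HIJACKED  $name = $value" }
        else { "ok        $name = $value" }
    }
} else {
    # A user's hive only appears under HKEY_USERS while that user is logged on.
    "absent    $ieMain (hive not loaded; log on as that user and rerun)"
}
```

Two points the output makes visible that the GUI steps do not: Test-Path reports hidden and system files that Windows Explorer hides by default, which is one reason a file a scanner lists can fail to show up when browsing; and the S-1-5-21-... hive is only loaded while that user account is logged on, so the New.net key and the IE values have to be checked (and removed) from that account's session. The script changes nothing; the deletions stay the manual steps the posts describe.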
 