Infected With Look2me, I Believe, Lots of popups including: cheapress, dofact, yourtruths, ad.yieldmanag
simgirl678 (New Member)
Posted Aug 28 2006, 10:31 AM, Post #1

Hello. Last week I posted here about a popup problem I've been having for about a month. Some of the popups/popunders are: Amaena, ad.yieldmanager, adfarm, drivecleaner, ilead.itrack, mpmediaholdings, cheappress, newsalone, dofact, greatbulletin, gojournalists, realrealities, img.mediaplex and yourtruths. They are constantly coming up every few minutes whenever I am online. Also, a file called Duce6, which according to a Google search is some kind of Trojan, keeps coming back as a process under Ctrl-Alt-Del, and in C:\WINDOWS\Duce6. At the moment it's not there, as I deleted it yet again, so I'm not sure if it will come back. Whenever I run Ad-Aware, things like Look2Me and Webhancer are found, which I delete, but it always says that some files could not be deleted. So far, I've run Ad-Aware and Spybot Search & Destroy.

Anyways, here is my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:42 AM, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\sys0229337283.exe
C:\WINDOWS\win320883293372.exe
C:\WINDOWS\sys0132933728.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\DllHost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\WINDOWS\ms0537283293.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {825A649A-197B-1495-3951-EEAEB7EB47F6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ovegcxz] C:\WINDOWS\System32\wwkmylm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dkz] C:\WINDOWS\dkz.exe
O4 - HKLM\..\Run: [ti2cqaga] C:\WINDOWS\system32\ti2cqaga.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [plflgffA] C:\WINDOWS\plflgffA.exe
O4 - HKLM\..\Run: [njgijfcA] C:\WINDOWS\njgijfcA.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [ms0537283293] C:\WINDOWS\ms0537283293.exe
O4 - HKLM\..\Run: [win320728329337] C:\WINDOWS\win320728329337.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [sys0229337283] C:\WINDOWS\sys0229337283.exe
O4 - HKLM\..\Run: [win320883293372] C:\WINDOWS\win320883293372.exe
O4 - HKLM\..\Run: [sys0132933728] C:\WINDOWS\sys0132933728.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...138302D2D2D.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Georgia\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 67.69.184.235 67.69.184.84
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f6j20g1oe6.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\plflgff.exe (file missing)

Thanks for any help!!

This post has been edited by simgirl678: Aug 28 2006, 10:37 AM
miekiemoes (Malware Killer Dog, HJT Team, Belgium)
Posted Aug 28 2006, 02:46 PM, Post #2

Hello,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution is like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

-------------------------

Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
Don't use Ewido yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: (no name) - {825A649A-197B-1495-3951-EEAEB7EB47F6} - (no file)
O4 - HKLM\..\Run: [ovegcxz] C:\WINDOWS\System32\wwkmylm.exe
O4 - HKLM\..\Run: [dkz] C:\WINDOWS\dkz.exe
O4 - HKLM\..\Run: [ti2cqaga] C:\WINDOWS\system32\ti2cqaga.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [plflgffA] C:\WINDOWS\plflgffA.exe
O4 - HKLM\..\Run: [njgijfcA] C:\WINDOWS\njgijfcA.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [ms0537283293] C:\WINDOWS\ms0537283293.exe
O4 - HKLM\..\Run: [win320728329337] C:\WINDOWS\win320728329337.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [sys0229337283] C:\WINDOWS\sys0229337283.exe
O4 - HKLM\..\Run: [win320883293372] C:\WINDOWS\win320883293372.exe
O4 - HKLM\..\Run: [sys0132933728] C:\WINDOWS\sys0132933728.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...138302D2D2D.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Georgia\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f6j20g1oe6.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\plflgff.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

-------------------------

* Reboot into Safe Mode: (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\sys0229337283.exe
C:\WINDOWS\win320883293372.exe
C:\WINDOWS\sys0132933728.exe
C:\WINDOWS\ms0537283293.exe
C:\WINDOWS\System32\wwkmylm.exe
C:\WINDOWS\dkz.exe
C:\WINDOWS\system32\ti2cqaga.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\plflgffA.exe
C:\WINDOWS\njgijfcA.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\win320728329337.exe
---------------------------
Still in safe mode...
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
------------------------
* Start Ewido...
  • Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido.
--------------------
* Reboot your system back to normal mode.

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with the contents of ewido-log present on your desktop, the contents of C:\vundofix.txt and a new HiJackThis log.
You may need several replies to post the logs...


--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
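The fix list in the reply above is derived from the posted HijackThis log by a few recognisable rules: Run entries that launch unnamed executables straight out of C:\, C:\WINDOWS or system32; every O15 Trusted Zone wildcard the owner never added; O16 Downloaded Program Files registered from a local file, a .chm, or an .exe rather than a .cab; an O20 Winlogon Notify DLL with a generated-looking name; and O23 services with no vendor name whose binary is missing. The script below is an added example written for this thread, not code from BleepingComputer, HijackThis or the helper. It parses the log format shown in the first post and applies those rules to a sample made of lines copied from that log. The allowlist (ALLOWED_SYSTEM_BINARIES), the adware substring list and the letter/digit name heuristic are assumptions for the example, not a vetted signature set.

```python
"""HijackThis v1.99 log triage. Added example for this thread; not code from
BleepingComputer, HijackThis or the helper. The allowlist, the adware
substring list and the name heuristics are assumptions for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
O4_TARGET_RE = re.compile(r"\[[^\]]*\]\s+\"?(?P<path>[^\"]*?\.exe)\"?", re.I)
TRAILING_URL_RE = re.compile(r" - (?P<url>\S+)$")
WIN_PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.*?)(?: \(file missing\))?$")

# Assumption: the only executables that legitimately start from C:\, C:\WINDOWS
# or system32 in THIS log. Real triage consults a startup-programs database.
ALLOWED_SYSTEM_BINARIES = {"updreg.exe", "dsentry.exe", "ctfmon.exe"}
# Product the poster's own Ad-Aware scan already reported as adware.
KNOWN_ADWARE_SUBSTRINGS = ("webhancer",)
SYSTEM_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    body: str


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section tag, body) for every 'Oxx - ...' style entry line."""
    pairs = []
    for raw in log.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, basename); collapses the C:\\\\x.exe doubling seen in the log."""
    norm = re.sub(r"\\+", r"\\", path.strip()).lower()
    head, _, base = norm.rpartition("\\")
    return head, base


def check_o4(body: str) -> Optional[str]:
    m = O4_TARGET_RE.search(body)
    if not m:
        return None  # bare names such as 'nwiz.exe' resolve via PATH; left alone here
    directory, base = split_path(m.group("path"))
    if any(s in directory for s in KNOWN_ADWARE_SUBSTRINGS):
        return "runs from a known adware product directory"
    if directory in SYSTEM_DIRS and base not in ALLOWED_SYSTEM_BINARIES:
        return "unrecognised executable launched from a system directory"
    return None


def check_o15(body: str) -> Optional[str]:
    # Trusted Zone sites get looser ActiveX/scripting settings; the owner added none.
    return "domain added to the IE Trusted Zone" if body.startswith("Trusted Zone:") else None


def check_o16(body: str) -> Optional[str]:
    m = TRAILING_URL_RE.search(body)
    if not m:
        return None
    url = m.group("url").lower()
    if url.startswith(("file://", "mk:@msitstore")):
        return "ActiveX control registered from a local file or .chm"
    if url.endswith(".exe"):
        return "Downloaded Program File points at an .exe instead of a .cab"
    return None


def check_o20(body: str) -> Optional[str]:
    m = WIN_PATH_RE.search(body)
    if not m:
        return None
    stem = split_path(m.group("path"))[1].rsplit(".", 1)[0]
    # Heuristic only: interleaved letters and digits (f6j20g1oe6) read as generated.
    return "Winlogon Notify DLL with a generated-looking name" if re.search(r"[a-z]\d|\d[a-z]", stem) else None


def check_o23(body: str) -> Optional[str]:
    if "Unknown owner" not in body:  # HijackThis found no company name in the binary
        return None
    m = WIN_PATH_RE.search(body)
    directory = split_path(m.group("path"))[0] if m else ""
    if "(file missing)" in body or directory == "c:\\windows":
        return "service with no vendor name whose binary is missing or sits in C:\\WINDOWS"
    return None


CHECKS = {"O4": check_o4, "O15": check_o15, "O16": check_o16, "O20": check_o20, "O23": check_o23}


def triage(log: str) -> List[Finding]:
    """Run every section check over the log and collect what they flag."""
    findings = []
    for section, body in parse_hjt(log):
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(section, reason, body))
    return findings


# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ovegcxz] C:\WINDOWS\System32\wwkmylm.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [sys0229337283] C:\WINDOWS\sys0229337283.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...138302D2D2D.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f6j20g1oe6.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\plflgff.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.body}")
```

Run against the sample, triage() returns nine findings: the four O4 entries (wwkmylm.exe, kybrdff_7.exe, sys0229337283.exe and the webHancer launcher), the Trusted Zone domain, the file:// and .exe Downloaded Program Files, the Winlogon Notify DLL and the missing-file service, while UpdReg.EXE, ctfmon.exe, the Creative tray tool, the MSN game control and McShield pass. The rules are deliberately path- and name-based, which is also their weakness: a renamed payload under Program Files, or a legitimate DLL whose name happens to mix letters and digits, is misjudged, so every hit still needs the check against a startup database that the helper performs by hand.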
simgirl678 (New Member)
Posted Aug 28 2006, 07:13 PM, Post #3

I didn't realize that it was so bad. I hope that I didn't make it worse when I tried manually removing some of the problems a while ago. Thank you so much for your help and I really hope that I can clean up all of the damage, even though it sounds like I can't. I'm not doing all of this right now because I want to try doing everything at one time, so I'll be back soon to do everything. Thanks again!

This post has been edited by simgirl678: Aug 28 2006, 10:02 PM
simgirl678 (New Member)
Posted Aug 28 2006, 10:02 PM, Post #4

Just to add something, Duce6 is back again because I've restarted the computer since I last posted. Should I post a new Hijackthis log? Thanks.
miekiemoes (Malware Killer Dog, HJT Team, Belgium)
Posted Aug 28 2006, 11:53 PM, Post #5

No, no need to post a new hijackthislog now. Just perform my steps as I told you and also delete Duce6 while in safe mode.

Then we'll see afterwards what's still left over and will deal with it. That's why it is important you follow all my steps in the right order and post the logs afterwards. Don't worry if some things won't get fixed yet...

This post has been edited by miekiemoes: Aug 28 2006, 11:54 PM
simgirl678 (New Member)
Posted Aug 29 2006, 06:08 PM, Post #6

Ok, thanks for your help. I just have a question about the step where I put a check beside all of those items in HijackThis and then click fixed. To get to that part of HijackThis do I click on "None of the above, just start the program"?

Edit: Well, since I was pretty sure that that was where I had to go to check off all of those things, I decided to click there, so right now I'm checking them all off. However, a couple of things that you listed are not there:
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [ms0537283293] C:\WINDOWS\ms0537283293.exe
O4 - HKLM\..\Run: [win320883293372] C:\WINDOWS\win320883293372.exe


Uh, is that bad?

This post has been edited by simgirl678: Aug 29 2006, 06:24 PM
simgirl678 (New Member)
Posted Aug 29 2006, 09:05 PM, Post #7

Ok, I finally finished all the steps. (The Ewido scan takes so long!!) First of all though, when I was in Safe Mode deleting all of those files, I deleted the ones that were there that I was supposed to delete, but there was a file called win3206728329332006.exe, so its name is close to some other bad files. However, I didn't delete it because it wasn't listed. Should I have deleted it? Also, when Ewido was quarantining all of the bad files, it said that it couldn't quarantine one with look2me in its name, and a message came up at one point, which I took a screenshot of, and am posting. Anyways, here are the requested logs.

Gwen - 06-08-29 21:32:38.78
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Gwen\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\FQSRCH.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CF4BC4F1-4993-4B3E-A2C7-D59ABEBB39BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF4BC4F1-4993-4B3E-A2C7-D59ABEBB39BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF4BC4F1-4993-4B3E-A2C7-D59ABEBB39BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF4BC4F1-4993-4B3E-A2C7-D59ABEBB39BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0F9A3F0F-7B97-4633-95D4-A69D669ACAFE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F9A3F0F-7B97-4633-95D4-A69D669ACAFE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F9A3F0F-7B97-4633-95D4-A69D669ACAFE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F9A3F0F-7B97-4633-95D4-A69D669ACAFE}\InprocServer32]
@="C:\\WINDOWS\\system32\\npprovau.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3FE45AD4-B707-4F26-93A4-DFFBEC8964C6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE45AD4-B707-4F26-93A4-DFFBEC8964C6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE45AD4-B707-4F26-93A4-DFFBEC8964C6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE45AD4-B707-4F26-93A4-DFFBEC8964C6}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{89922CC9-10F6-46AE-A8FE-A028C90DF5E8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89922CC9-10F6-46AE-A8FE-A028C90DF5E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89922CC9-10F6-46AE-A8FE-A028C90DF5E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89922CC9-10F6-46AE-A8FE-A028C90DF5E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3366A978-D5D3-4A20-B4D2-A749793CCCA1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3366A978-D5D3-4A20-B4D2-A749793CCCA1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3366A978-D5D3-4A20-B4D2-A749793CCCA1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3366A978-D5D3-4A20-B4D2-A749793CCCA1}\InprocServer32]
@="C:\\WINDOWS\\system32\\KLDRO.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4621EC6B-590C-4DB5-814D-A20B64426B15}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4621EC6B-590C-4DB5-814D-A20B64426B15}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4621EC6B-590C-4DB5-814D-A20B64426B15}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4621EC6B-590C-4DB5-814D-A20B64426B15}\InprocServer32]
@="C:\\WINDOWS\\system32\\irmp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D9E87011-2BA2-4233-B85A-710EEECCD640}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9E87011-2BA2-4233-B85A-710EEECCD640}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9E87011-2BA2-4233-B85A-710EEECCD640}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9E87011-2BA2-4233-B85A-710EEECCD640}\InprocServer32]
@="C:\\WINDOWS\\system32\\RCVPSP.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{75314B2B-1F8A-4765-A088-3A70511BED4A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75314B2B-1F8A-4765-A088-3A70511BED4A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75314B2B-1F8A-4765-A088-3A70511BED4A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75314B2B-1F8A-4765-A088-3A70511BED4A}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhtscax.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{101F52E7-60DB-43DF-83C1-7C758552A78F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{101F52E7-60DB-43DF-83C1-7C758552A78F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{101F52E7-60DB-43DF-83C1-7C758552A78F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{101F52E7-60DB-43DF-83C1-7C758552A78F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{87585E41-38B1-4E6D-B287-69EBE5F3EBA4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87585E41-38B1-4E6D-B287-69EBE5F3EBA4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87585E41-38B1-4E6D-B287-69EBE5F3EBA4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87585E41-38B1-4E6D-B287-69EBE5F3EBA4}\InprocServer32]
@="C:\\WINDOWS\\system32\\rCschap.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{19AB1B11-A300-485F-A44F-F9C1C4138010}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19AB1B11-A300-485F-A44F-F9C1C4138010}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19AB1B11-A300-485F-A44F-F9C1C4138010}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19AB1B11-A300-485F-A44F-F9C1C4138010}\InprocServer32]
@="C:\\WINDOWS\\system32\\mpmxsdk.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E0DF6AA3-2A80-4C4B-AB5D-B9B8FFD5F4F1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0DF6AA3-2A80-4C4B-AB5D-B9B8FFD5F4F1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0DF6AA3-2A80-4C4B-AB5D-B9B8FFD5F4F1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0DF6AA3-2A80-4C4B-AB5D-B9B8FFD5F4F1}\InprocServer32]
@="C:\\WINDOWS\\system32\\jrcript.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{F1B85E6B-8A87-4D4F-9EC7-6928EFBCBEBF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B85E6B-8A87-4D4F-9EC7-6928EFBCBEBF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B85E6B-8A87-4D4F-9EC7-6928EFBCBEBF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B85E6B-8A87-4D4F-9EC7-6928EFBCBEBF}\InprocServer32]
@="C:\\WINDOWS\\system32\\rjpsnd.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{8E38053B-9D85-4D8D-A50E-0C89B0835E36}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E38053B-9D85-4D8D-A50E-0C89B0835E36}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E38053B-9D85-4D8D-A50E-0C89B0835E36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8E38053B-9D85-4D8D-A50E-0C89B0835E36}\InprocServer32]
@="C:\\WINDOWS\\system32\\MNVCRT20.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{88C82B53-082E-48A1-AD82-E3B9C711577A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88C82B53-082E-48A1-AD82-E3B9C711577A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88C82B53-082E-48A1-AD82-E3B9C711577A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88C82B53-082E-48A1-AD82-E3B9C711577A}\InprocServer32]
@="C:\\WINDOWS\\system32\\pgofmap.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E86E1B04-AB92-45BB-8923-8B55E1EF82AF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E86E1B04-AB92-45BB-8923-8B55E1EF82AF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E86E1B04-AB92-45BB-8923-8B55E1EF82AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E86E1B04-AB92-45BB-8923-8B55E1EF82AF}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcapsspc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{ABEB76B2-55C2-4C6C-A874-26D1410000E8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABEB76B2-55C2-4C6C-A874-26D1410000E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABEB76B2-55C2-4C6C-A874-26D1410000E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABEB76B2-55C2-4C6C-A874-26D1410000E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\mrjet35.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B95A0A39-791D-4D77-AFFB-4B7C4CE0D361}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B95A0A39-791D-4D77-AFFB-4B7C4CE0D361}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B95A0A39-791D-4D77-AFFB-4B7C4CE0D361}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B95A0A39-791D-4D77-AFFB-4B7C4CE0D361}\InprocServer32]
@="C:\\WINDOWS\\system32\\MBVIDC32.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B7340BAD-68D1-4745-A32F-58AC6B11ECFC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7340BAD-68D1-4745-A32F-58AC6B11ECFC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7340BAD-68D1-4745-A32F-58AC6B11ECFC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7340BAD-68D1-4745-A32F-58AC6B11ECFC}\InprocServer32]
@="C:\\WINDOWS\\system32\\dcraw.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CDE1FB82-585D-4897-BE23-04EA02646991}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE1FB82-585D-4897-BE23-04EA02646991}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE1FB82-585D-4897-BE23-04EA02646991}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDE1FB82-585D-4897-BE23-04EA02646991}\InprocServer32]
@="C:\\WINDOWS\\system32\\mycories.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{490E208F-8247-49B7-890D-725E850BE096}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{490E208F-8247-49B7-890D-725E850BE096}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{490E208F-8247-49B7-890D-725E850BE096}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{490E208F-8247-49B7-890D-725E850BE096}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{87C3089B-BAA0-4398-AE70-A8D2F4E6689D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87C3089B-BAA0-4398-AE70-A8D2F4E6689D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87C3089B-BAA0-4398-AE70-A8D2F4E6689D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87C3089B-BAA0-4398-AE70-A8D2F4E6689D}\InprocServer32]
@="C:\\WINDOWS\\system32\\rQstls.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E24BBF3F-50FF-42DB-B5A3-FCA399D80E40}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E24BBF3F-50FF-42DB-B5A3-FCA399D80E40}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E24BBF3F-50FF-42DB-B5A3-FCA399D80E40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E24BBF3F-50FF-42DB-B5A3-FCA399D80E40}\InprocServer32]
@="C:\\WINDOWS\\system32\\llcalsec.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{474CB9A3-32F4-464F-84AB-7B370B87D432}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{474CB9A3-32F4-464F-84AB-7B370B87D432}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{474CB9A3-32F4-464F-84AB-7B370B87D432}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{474CB9A3-32F4-464F-84AB-7B370B87D432}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\dn2401fqe.dll
C:\WINDOWS\SYSTEM32\lvnq0955e.dll
C:\WINDOWS\SYSTEM32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-05 17:09 8464 --a------ C:\WINDOWS\SYSTEM32\sporder.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Georgia\Application Data\Sskcwrd.dll
C:\Documents and Settings\Georgia\Application Data\Sskknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon


((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


2006-08-28 23:34 85,504 --a------ C:\VundoFix.exe
2006-08-28 23:10 159,744 --a------ C:\WINDOWS\win3206728329332006.exe
2006-08-05 17:09 8,464 --a------ C:\WINDOWS\SYSTEM32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 21:21 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-29 19:29 -------- d-------- C:\Program Files\HijackThis
2006-08-29 18:58 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-08 20:45 -------- d-------- C:\Program Files\Nancy Drew
2006-08-06 21:04 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-06 21:04 -------- d-------- C:\Program Files\Common Files
2006-08-06 21:03 -------- d-------- C:\Program Files\MSN
2006-08-05 17:34 -------- d-------- C:\Documents and Settings\Gwen\Application Data\Lavasoft
2006-08-03 10:42 -------- d-------- C:\Documents and Settings\Gwen\Application Data\MSN6


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"IPInSightLAN 01"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\Sympatico Consumer\\IPClient.exe\" -l"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"POINTER"="point32.exe"
"nwiz"="nwiz.exe /install"
"IPInSightMonitor 01"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\Sympatico Consumer\\IPMon32.exe\""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,38,01,00,00,00,00,00,00,c8,02,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,38,01,00,00,00,00,00,00,c8,02,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\McAfee.com Update Check (D8VQYV21-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (Removed-Chris).job
C:\WINDOWS\tasks\McAfee.com Update Check (Removed-Georgia).job
C:\WINDOWS\tasks\McAfee.com Update Check (Removed-Gwen).job
C:\WINDOWS\tasks\McAfee.com Update Check (Removed-Yvonne).job

Completion time: 29/08/2006 21:44:26.35
ComboFix.txt


That's the ComboFix log. I'm also attaching the picture of the message from Ewido. Btw, I said no to the message... In my next post I will attach the Ewido log, the VundoFix log and my new HijackThis log.



This post has been edited by Orange Blossom: Mar 30 2008, 09:54 PM
Reason for edit: Edit out personal information. ~ OB
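The "REGISTRY ENTRIES REMOVED" section of the log above is a clean specimen of how Look2Me persisted: every CLSID has an empty default value, is registered in the component category {00021492-0000-0000-C000-000000000046} (CATID_DeskBand, the category Windows deskband/toolbar components are registered under), and has an InprocServer32 pointing either at a randomly named DLL in system32 or at a file that is not a DLL at all (guard.tmp). The following script is an added example, not part of simgirl678's post, ComboFix or ewido: it parses reg-export text in the same format as the log and flags CLSID registrations that match that pattern. The embedded sample input is constructed: the first two Look2Me CLSIDs copied from the log, plus one made-up benign deskband with a placeholder all-zero GUID and name, included to show what does not get flagged.

```python
"""Added example (not from the forum post, ComboFix or ewido): flag Look2Me-style
COM persistence in .reg-format text such as ComboFix's REGISTRY ENTRIES REMOVED."""
import re
from collections import defaultdict

# CATID_DeskBand: the component category every CLSID in the log is registered under.
CATID_DESKBAND = "{00021492-0000-0000-C000-000000000046}"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<val>.*)$')
CLSID_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?:\\(?P<sub>.*))?$"
)


def parse_reg(text):
    """Parse reg-export text into {key_path: {value_name: value}}.
    String values are unquoted with doubled backslashes collapsed; dword:/hex:
    values are kept as written."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = val.group("name").strip('"')
            value = val.group("val")
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\")
            entries[current][name] = value
    return entries


def collect_clsids(entries):
    """Fold the per-subkey entries into one record per CLSID."""
    clsids = defaultdict(lambda: {"name": None, "server": None, "categories": set()})
    for key, values in entries.items():
        m = CLSID_RE.match(key)
        if not m:
            continue
        rec = clsids[m.group("clsid")]
        sub = (m.group("sub") or "").lower()
        if sub == "":
            rec["name"] = values.get("@")          # default value of the CLSID key
        elif sub == "inprocserver32":
            rec["server"] = values.get("@")        # DLL that COM will load in-process
        elif sub.startswith("implemented categories\\"):
            rec["categories"].add(sub.split("\\", 1)[1].upper())
    return clsids


def suspicious_clsids(entries):
    """Return [(clsid, server_path, [reasons])] for registrations matching the
    Look2Me pattern: a non-DLL server, or a DeskBand with an empty default value.
    A benign deskband has a descriptive name and a .dll server, so no reasons."""
    findings = []
    for clsid, rec in collect_clsids(entries).items():
        server = rec["server"]
        if not server:
            continue
        reasons = []
        if not server.lower().endswith(".dll"):
            reasons.append("InprocServer32 is not a .dll: " + server)
        if CATID_DESKBAND in rec["categories"] and rec["name"] == "":
            reasons.append("registered as DeskBand with empty default value")
        if reasons:
            findings.append((clsid, server, reasons))
    return findings


# Constructed sample: two CLSIDs taken from the ComboFix log, plus a made-up
# benign deskband (placeholder GUID and name) that must not be flagged.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C95DBEE-BE9F-4BE9-A6AE-3BFC164EAFD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{289498BE-77F7-4D2C-9186-AFA9C9289D5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\FQSRCH.DLL"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Deskband (placeholder)"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\exampleband.dll"
"ThreadingModel"="Apartment"
'''


def scan(text=SAMPLE_REG):
    """Parse and flag in one step; defaults to the constructed sample."""
    return suspicious_clsids(parse_reg(text))


if __name__ == "__main__":
    for clsid, server, reasons in scan():
        print(clsid, server)
        for reason in reasons:
            print("   -", reason)
```

On a live system the same checks can be run over the output of `reg export HKCR\CLSID clsid.reg` rather than a ComboFix log; the empty-name DeskBand test is the one that catches the randomly named DLLs (FQSRCH.DLL, KLDRO.DLL, mhtscax.dll and the rest), since their extension alone looks legitimate.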
simgirl678
post Aug 29 2006, 09:08 PM
Post #8
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:23:35 PM 29/08/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\BO2802040113.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\bH.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072618.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072279.dll -> Adware.DotCom : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072539.dll -> Adware.DotCom : Cleaned with backup (quarantined).
C:\WINDOWS\toolbar_nieuw13.dll -> Adware.DotCom : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072370.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072436.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072443.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072455.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072472.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072488.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072508.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072568.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072583.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072623.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072660.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072719.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072732.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072753.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072793.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072810.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072822.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072831.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072840.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072857.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0072864.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP