Homepage Keeps Switching To About:blank


This topic is locked
15 replies to this topic

#1 mfarmer2 (Members, 8 posts)

Posted 17 December 2005 - 03:26 PM

Was wondering if anyone can help me get rid of this? I've done all of the recommended preparation prior to posting the following HijackThis log.

Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:50 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ipzk32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\intraport client\vpn5000service.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\AUDIOSRV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\addqk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netgy32.dll
O2 - BHO: Class - {A47B913E-2FC8-8C92-CFF4-E3D1BB4B3486} - C:\WINDOWS\system32\appdj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Sc8d] C:\documents and settings\marty farmer\local settings\temp\Sc8d.exe
O4 - HKLM\..\Run: [r3tO36O] lodvw.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [ksNHv] C:\documents and settings\marty farmer\local settings\temp\ksNHv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [84ca82785c93] C:\WINDOWS\System32\AUDIOSRV.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBRSR] C:\WINDOWS\QuickBrowser.exe
O4 - HKLM\..\Run: [addqk.exe] C:\WINDOWS\system32\addqk.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Cbqh] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Marty Farmer\Application Data\ttuh.exe
O4 - HKCU\..\Run: [a02ERWiFS] lpqsvc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipzk32.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\intraport client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 19 December 2005 - 01:21 PM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download this regfix: HSfix
Unzip it and place it on your desktop; don't use it yet!

* Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netgy32.dll
O2 - BHO: Class - {A47B913E-2FC8-8C92-CFF4-E3D1BB4B3486} - C:\WINDOWS\system32\appdj.dll
O4 - HKLM\..\Run: [Sc8d] C:\documents and settings\marty farmer\local settings\temp\Sc8d.exe
O4 - HKLM\..\Run: [r3tO36O] lodvw.exe
O4 - HKLM\..\Run: [ksNHv] C:\documents and settings\marty farmer\local settings\temp\ksNHv.exe
O4 - HKLM\..\Run: [84ca82785c93] C:\WINDOWS\System32\AUDIOSRV.exe
O4 - HKLM\..\Run: [QBRSR] C:\WINDOWS\QuickBrowser.exe
O4 - HKLM\..\Run: [addqk.exe] C:\WINDOWS\system32\addqk.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Cbqh] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Marty Farmer\Application Data\ttuh.exe
O4 - HKCU\..\Run: [a02ERWiFS] lpqsvc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipzk32.exe


* Close all open windows except HijackThis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\system32\ipzk32.exe
C:\WINDOWS\System32\AUDIOSRV.exe
C:\WINDOWS\system32\addqk.exe
C:\WINDOWS\QuickBrowser.exe
C:\PROGRAM FILES\Web Offer <== folder
C:\Documents and Settings\Marty Farmer\Application Data\ttuh.exe

* Start Aboutbuster and let it scan.
Let it scan a second and third time until everything is gone.

* Double-click on HSfix, which you downloaded earlier and which is present on your desktop, and when it asks you if you want to add the contents to the registry, click Yes/OK.

* Still in safe mode, start CCleaner.
Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and click Run Cleaner (bottom right).

* Now open ewido Security Suite.
Click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to Start > Control Panel > Internet Options > Programs tab and click "Restore web settings".

* Reboot your PC back to normal.

* Perform an online scan with BitDefender and/or Housecall (check "autodelete" there) and let it delete everything it finds.

* Post a new HijackThis log + the log from ewido.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
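The triage miekiemoes does by hand above (res:// search pages, unnamed BHOs, Run keys in temp folders or with bare file names, a service with an unknown owner) can be expressed as a first-pass check over a pasted HijackThis log. This is an added example, not code from the thread, from HijackThis or from the Malware Response Team; the sample lines are copied from the log in post #1 plus benign entries from the same log, and every hit is a prompt to verify the file, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample input: HijackThis v1.99.1 lines copied from the log in
# post #1 above, mixed with benign entries so every check has a negative case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vpyja.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [Sc8d] C:\documents and settings\marty farmer\local settings\temp\Sc8d.exe
O4 - HKLM\..\Run: [r3tO36O] lodvw.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Cbqh] C:\WINDOWS\System32\w?wexec.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipzk32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()


@dataclass
class Finding:
    line_no: int   # 1-based line in the pasted log
    section: str   # HijackThis section code: R1, O2, O4, O23, ...
    reason: str
    text: str


SECTION_RE = re.compile(r"^([RFO]\d+) - (.*)$")
HIJACK_PREFIXES = ("res://", "about:blank")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\")


def check_browser_setting(body: str) -> Optional[str]:
    """R0/R1/R3: IE start/search page values and the URLSearchHook."""
    if body.endswith("is missing"):
        return "default URLSearchHook removed (search hijackers strip it)"
    if " = " in body:
        value = body.rsplit(" = ", 1)[1].strip().lower()
        if value.startswith(HIJACK_PREFIXES):
            return "start/search page points at res:// or about:blank (CWS-style hijack)"
    return None


def check_bho(body: str) -> Optional[str]:
    """O2: 'BHO: <name> - {CLSID} - <dll path>'; unnamed/generic names are suspect."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
    if m and m.group(1).strip() in ("(no name)", "Class"):
        return "unnamed or generic-named BHO"
    return None


def check_run_entry(body: str) -> Optional[str]:
    """O4 Run keys. Hits mean 'verify the file': in the same log nwiz.exe and
    carpserv.exe are legitimate bare-name entries, so this is not a verdict."""
    m = re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$", body)
    if not m:
        return None                      # Global Startup entries are not checked here
    command = m.group(1).strip().lstrip('"')
    if "?" in command:
        return "unprintable character in file name (look-alike of a system binary)"
    if any(marker in command.lower() for marker in TEMP_MARKERS):
        return "autostart launched from a temp folder"
    if "\\" not in command.split(" ", 1)[0]:
        return "autostart given as a bare file name (resolved via the PATH search order)"
    return None


def check_service(body: str) -> Optional[str]:
    """O23: 'Service: <name> (<short>) - <owner> - <path>'."""
    if " - Unknown owner - " in body:
        return "service binary carries no company/version information"
    return None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": check_browser_setting, "R1": check_browser_setting,
    "R3": check_browser_setting, "O2": check_bho,
    "O4": check_run_entry, "O23": check_service,
}


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a helper would ask the poster to fix or verify."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                     # header, process list, blank lines
        section, body = m.group(1), m.group(2)
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(line_no, section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.section:<3}] {f.reason}\n    {f.text}")
```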

#3 mfarmer2 (Topic Starter, Members, 8 posts)

Posted 19 December 2005 - 08:12 PM

It didn't seem to work.

Here is the ewido file:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:38:15 PM, 12/19/2005
+ Report-Checksum: C0DEB956

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0FBFA147-FFB4-19A8-49F8-D1A17B80E32D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\MaxSpeed -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\.DEFAULT\Software\TimeSynchonization -> Spyware.DealHelper : Cleaned with backup
HKU\.DEFAULT\Software\TimeSynchonization\Time Synchronize -> Spyware.DealHelper : Cleaned with backup
HKU\.DEFAULT\Software\TimeSynchonization\Time Synchronize\Properties -> Spyware.DealHelper : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\UrlSearchHooks -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1970034060-2239264438-4054234144-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup
HKU\S-1-5-21-1970034060-2239264438-4054234144-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1970034060-2239264438-4054234144-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1970034060-2239264438-4054234144-1006\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1970034060-2239264438-4054234144-1006\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-18\Software\TimeSynchonization -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-18\Software\TimeSynchonization\Time Synchronize -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-18\Software\TimeSynchonization\Time Synchronize\Properties -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\UrlSearchHooks -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\backups\backup-20051219-175833-300.dll -> Hijacker.Small.jf : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP560\A0064399.exe -> Trojan.QuickBrowser : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP560\A0064401.exe -> Trojan.QuickBrowser : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP607\A0068151.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP610\A0068230.PIF:vnnrr -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP611\A0068248.PIF:vnnrr -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP612\A0068266.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP612\A0068267.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP614\A0069375.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP614\A0069404.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0069405.PIF:vnnrr -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0069424.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0069612.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0069613.exe -> Spyware.IEDriver : Cleaned with backup
C:\WINDOWS\addbl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addrk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addvd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addwg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apips32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiqb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apirb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apirv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apitn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiyp32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\apizn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlag32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlbx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atldd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlfo32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlgy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atljh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlzm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3gn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3no.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3ou32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\dhtmp3.tmp -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\EXPLORER.SCF:ubvur -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ieca32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ieec32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iehw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iemd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipef32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipfd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iphn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipku32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipov32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iprh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipym.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaba32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javage.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javanx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaqa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcfa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfchu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcuu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\MSAGENT\mshqpi.com -> Backdoor.BeastDoor.206 : Cleaned with backup
C:\WINDOWS\msbb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msfw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msgb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mswp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mszr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netjt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netmg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netvb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntmr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntyz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkfm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkhz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkkv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkne.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkvk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkwg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysbp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysds.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysnc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACCTRES6.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACLUI907.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\addcj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addck.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addxm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addzq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apinj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apivt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiwc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appnf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apppe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apprl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appzy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlrv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\browser1.exe -> Downloader.3746.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDFVIEW4.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\crjc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crkg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crps32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\crtd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crwx32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3bu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3cu.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3lk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3lz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3mc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ml32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3vy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3wd.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3zl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iejb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieqs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iezc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iezset.exe -> Adware.eZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipcx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipss.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipwk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipyt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javafp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcbp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcbs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfccw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcji.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcow.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msdn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mseggo.gif -> Logger.Delf.dx : Cleaned with backup
C:\WINDOWS\SYSTEM32\msfaol.dll -> Spyware.ClientMan : Cleaned with backup
C:\WINDOWS\SYSTEM32\msfbxq.com -> Backdoor.BeastDoor.206 : Cleaned with backup
C:\WINDOWS\SYSTEM32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\msnimk.gif -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\msnj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msnm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mswp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msxv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msyq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netco.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netgx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netrh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netst.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\nthv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntkp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntld.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntut32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkdc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkdf32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkxw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysby.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syshs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysnm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysqe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysua32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\syswx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winsr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\winxv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\wоwexec.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\systn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysww32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winsn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vnnrr -> Downloader.Agent.td : Cleaned with backup


::Report End


Here is the HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 8:11:52 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\intraport client\vpn5000service.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sysim32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sysdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {83FF6990-5B3D-C29C-D788-55B22475624D} - C:\WINDOWS\system32\ntyv32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [sysim32.exe] C:\WINDOWS\system32\sysim32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysdb.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\intraport client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 December 2005 - 01:29 AM

Hello,

It didn't seem to work, because most probably you didn't follow all my steps: you didn't perform it in safe mode, forgot to delete some files, forgot to use AboutBuster... I also see you didn't run the online scan as I asked you. I can't stress enough how important EVERY step is, so we have to give this another try.

Print the next instructions out.

* Please reboot your system into SAFE MODE.
To get into Windows XP Safe Mode, press and hold your "F8" key as the computer is booting; this should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {83FF6990-5B3D-C29C-D788-55B22475624D} - C:\WINDOWS\system32\ntyv32.dll
O4 - HKLM\..\Run: [sysim32.exe] C:\WINDOWS\system32\sysim32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysdb.exe


* Close all open windows except HijackThis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\system32\sysim32.exe
C:\WINDOWS\system32\sysdb.exe

* Go to Start > Run, type services.msc and click OK.
Scroll down in that list until you find the service Network Security Service (NSS).
Double-click on it. In the window that appears, click "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

* Start AboutBuster and let it scan.
Let it scan a second and third time until everything is gone.

* Double-click on the HSfix you downloaded earlier, which is present on your desktop, and when it asks if you want to add the contents to the registry, click Yes/OK.

* Still in safe mode, start CCleaner.
Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and click Run Cleaner (bottom right).

* Now open Ewido Security Suite and click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to Start > Control Panel > Internet Options > Programs tab, and click Restore Web Settings.

* Reboot your PC back to normal.

* Perform an online scan with BitDefender and/or Housecall (check autodelete) and let it delete everything it finds.

* Post a new HijackThis log + log from Ewido.

Edited by miekiemoes, 20 December 2005 - 01:29 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
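The entries miekiemoes picks out above follow a recognisable pattern: search and start pages redirected into a `res://` DLL resource, a BHO with no real name, an autorun whose label is just its own file name in system32, and a service with an unknown owner whose binary sits in the Windows directory. The script below is an added example, not code from this thread, from HijackThis or from BleepingComputer: it applies those indicators to HijackThis 1.99.1 log lines and, by comparing an earlier and a later log, shows which flagged entries survived a fix attempt (which is exactly what happened here with the R1/R0 lines). The sample lines are copied from the logs posted in this thread; the rule set, the names `triage`, `persisting` and `Finding`, and the "after" log are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99.1 lines taken from the logs posted in this
# thread (paths and CLSIDs as shown there), mixed with legitimate entries from the
# same log so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Class - {83FF6990-5B3D-C29C-D788-55B22475624D} - C:\WINDOWS\system32\ntyv32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sysim32.exe] C:\WINDOWS\system32\sysim32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysdb.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed "after the fix" log (an assumption, not a log from the thread): the
# autorun and the service are gone, but the res:// search entries survived.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code (R0, R1, O2, ...)
    line: str     # the raw log line
    reason: str   # why the rule flagged it


def _in_windows_dir(path: str) -> bool:
    """True for binaries living under the Windows directory (system32 included)."""
    return path.strip().strip('"').lower().startswith("c:\\windows\\")


def _first_exe(command: str) -> str:
    """Executable part of a Run-key command, keeping a quoted path whole."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
_BHO = re.compile(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
_RUN = re.compile(r"HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")


def triage(log_text: str) -> list[Finding]:
    """Apply the indicators used in this thread to every line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            if value.lower().startswith("res://"):
                reason = "search/start page points at a DLL resource (res://), a browser hijack"
            elif value.lower() == "about:blank" and key.endswith("Default_Page_URL"):
                reason = "default page forced to about:blank"
        elif section == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook removed"
        elif section == "O2" and (b := _BHO.match(body)):
            name, path = b.group(1).strip(), b.group(2)
            if name in ("", "Class", "(no name)") or _in_windows_dir(path):
                reason = "BHO with no real name or loaded from the Windows directory"
        elif section == "O4" and (r := _RUN.match(body)):
            label, exe = r.group(1), _first_exe(r.group(2))
            if _in_windows_dir(exe) and label.lower() == exe.rsplit("\\", 1)[-1].lower():
                reason = "autorun labelled with its own file name, started from the Windows directory"
        elif section == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and parts[-2] == "Unknown owner" and _in_windows_dir(parts[-1]):
                reason = "service with no publisher whose binary sits in the Windows directory"
        if reason:
            findings.append(Finding(section, raw.strip(), reason))
    return findings


def persisting(before_log: str, after_log: str) -> list[Finding]:
    """Flagged entries from the earlier log that are still present in the later one."""
    after = {f.line for f in triage(after_log)}
    return [f for f in triage(before_log) if f.line in after]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print("still present after the fix:", len(persisting(SAMPLE_LOG, AFTER_LOG)))
```

The rules are deliberately narrow: "Unknown owner" on its own is not evidence (the VPN 5000 service in the same log has no publisher either, and is left alone because it lives under Program Files), and an autorun is only flagged when both the system32 location and the label-equals-filename pattern hold. A hit is a reason to look, not a verdict; the thread's own procedure (fix in safe mode, delete the file, disable the service, then re-scan) is what actually resolves it, and `persisting` is the check that the re-scan should come back empty.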

#5 mfarmer2

mfarmer2
  • Topic Starter

  • Members
  • 8 posts

Posted 21 December 2005 - 10:04 PM

I did all the steps. Here are the logs.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:26:56 PM, 12/21/2005
+ Report-Checksum: ED14944E

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070484.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070485.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070486.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070487.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070488.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070489.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070490.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070491.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070492.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070493.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070494.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070495.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070496.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070497.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070498.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070499.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070500.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070501.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070502.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070503.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070504.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070505.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070506.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070507.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070508.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070509.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070510.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070511.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070512.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070513.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070514.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070515.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070516.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070517.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070518.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070519.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070520.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070521.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070522.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070523.com -> Backdoor.BeastDoor.206 : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070524.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070525.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070526.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070527.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070528.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070529.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070530.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070531.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070532.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070533.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070534.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070535.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070536.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070537.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070538.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070539.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070540.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070541.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070542.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070543.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070545.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070546.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070547.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070548.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070549.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070550.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070551.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070552.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070553.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070554.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070555.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070556.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070557.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070558.exe -> Downloader.3746.A : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070559.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070560.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070561.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070562.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070563.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070564.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070565.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070566.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070567.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070568.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070569.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070570.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070571.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070572.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070573.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070574.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070575.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070576.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070578.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070579.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070580.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070581.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070582.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070583.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070584.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070585.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070586.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070587.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070588.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070589.dll -> Spyware.ClientMan : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070590.com -> Backdoor.BeastDoor.206 : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070591.dll -> Spyware.Ipend : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070592.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070593.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070594.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070595.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070596.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070597.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070598.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070599.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070600.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070601.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070602.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070603.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070604.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070605.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070606.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070607.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070608.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070609.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070610.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070611.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070612.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070613.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070614.exe -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070615.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070617.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070618.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070619.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070620.PIF:vnnrr -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP615\A0070660.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\BOOTSTAT.DAT:ygcff -> Downloader.Agent.td : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 4:37:40 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6CA0E131-B7AC-A1C6-6851-F14261B06791} - C:\WINDOWS\ipeq32.dll
O2 - BHO: Class - {83FF6990-5B3D-C29C-D788-55B22475624D} - C:\WINDOWS\system32\ntyv32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [sysim32.exe] C:\WINDOWS\system32\sysim32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysdb.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\intraport client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 December 2005 - 01:03 AM

You have chosen Safe mode with networking support, because I see you posting a log from safe mode here.
Please don't. You really have to go into safe mode without networking support.
Also, I see you are doing this via Remote Assistance. This is NOT going to work, and that explains why it fails.

I still can't see that you performed the online scan either.
I really want to help you, or the person you are helping; that's why it is so important that you really follow my instructions.
I also see you forgot to check and fix some entries in the log as I asked you to, because every entry is still there.

Can you please perform my steps again, or explain them to the person you are helping, without using remote control?
I also want a HijackThis log made in Normal mode afterwards.

Edited by miekiemoes, 22 December 2005 - 01:03 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 mfarmer2

mfarmer2
  • Topic Starter

  • Members
  • 8 posts

Posted 22 December 2005 - 09:06 AM

I am pretty sure that I am doing this in safe mode without networking support. I will verify.

What do you mean that I am doing this via Remote Assistance? I don't understand.

And I used both Online scans.

I did everything that you said in the directions. Have you ever helped someone fix this virus? From what I have read on the internet, this virus is really hard to get rid of. It seems as if it is only affected by using Internet Explorer. I have installed Mozilla and it doesn't seem to affect it. Should I uninstall IE and reinstall it?

Thanks for your help.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 December 2005 - 09:23 AM

Yes, I have fixed this one about 50 times, so I don't know what is happening here.
Don't uninstall IE!! You need it to update your Windows.
I don't understand why the entries are still present when I asked you to check and fix them in HijackThis.
Normally, when the infection is present, the filenames change, but it seems like they are exactly the same.
The reason why I asked you if you are doing this for someone else via Remote Assistance is because I see the following entry in your processes:

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

Have you also performed the step with services.msc? Because the service is still running there.
Also, I can't see in your above log that you ran the online scan with Trend Micro or BitDefender.

Can you please post a new HijackThis log made in normal mode?

#9 mfarmer2

mfarmer2
  • Topic Starter

  • Members
  • 8 posts

Posted 22 December 2005 - 09:34 AM

I swear that I did everything you asked.
I did the step with services.msc.

I will try every step again tonight as it takes a long time to do everything.

I will post a HijackThis log prior to starting, in safe mode, and in normal mode.

Anything else you can think of?

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 December 2005 - 09:39 AM

Hi, I don't need a log from safe mode, I need one in normal mode.
Also, after booting back to normal mode, perform the following:

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with the HijackThis log.

By the way, here are some threads where I solved it without any problem:

http://forums.spywareinfo.com/index.php?showtopic=64492
http://forums.spywareinfo.com/index.php?showtopic=64284
http://www.bleepingcomputer.com/forums/ind...showtopic=37029
http://www.bleepingcomputer.com/forums/ind...showtopic=37966

Also, don't use your Internet Explorer as long as you are infected. Use Firefox instead, because every time you open IE, new files are getting downloaded.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 December 2005 - 11:36 AM

By the way, what I have been thinking...

I did the step with services.msc.


I hope you disabled the right service though: Network Security Service (NSS), and nothing looking similar, because the other ones are legit.

#12 mfarmer2

mfarmer2
  • Topic Starter

  • Members
  • 8 posts

Posted 22 December 2005 - 10:48 PM

I ran HijackThis but wasn't sure which items to check and remove.

I ran services.msc, AboutBuster, CCleaner, and ewido.

I then rebooted to normal mode.

I tried using Panda but couldn't scan using Firefox. So I tried BitDefender and the same. HouseCall seemed to freeze up.

Attached is the HijackThis log in normal mode.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:46:20 PM, 12/22/2005
+ Report-Checksum: DE25ACB5

+ Scan result:

No infected objects found.


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:47:43 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\intraport client\vpn5000service.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\javaki.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\javaus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6CA0E131-B7AC-A1C6-6851-F14261B06791} - C:\WINDOWS\ipeq32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [javaki.exe] C:\WINDOWS\system32\javaki.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\intraport client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 December 2005 - 01:20 AM

Ok,

This is already looking a bit better. The service is gone, but the files are still present.

So boot again in safe mode:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6CA0E131-B7AC-A1C6-6851-F14261B06791} - C:\WINDOWS\ipeq32.dll
O4 - HKLM\..\Run: [javaki.exe] C:\WINDOWS\system32\javaki.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete the following files manually:

C:\WINDOWS\system32\javaki.exe
C:\WINDOWS\system32\javaus.exe
C:\WINDOWS\ipeq32.dll

Still in safe mode, run AboutBuster.
Then run CCleaner.

Then boot in normal mode again and post a new HijackThis log.
Try the next online scan; this version you can use in Firefox:
http://fr.trendmicro-europe.com/consumer/h...call_launch.php

Post a new HijackThis log.

Edited by miekiemoes, 23 December 2005 - 01:20 AM.


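The fix list in the post above is the same by-eye triage a helper applies to every HijackThis log in this thread. As an added example (not code from this thread, from HijackThis, or from miekiemoes), the Python script below encodes those checks as rules and runs them over lines copied from the logs posted here: a search page served out of a res:// resource in a local DLL, about:blank in the search-related values, the missing default URLSearchHook, a BHO registered only as "Class" or sitting directly in C:\WINDOWS, a Run value named after its own executable in the Windows directory, and a service with no publisher. The rule names, the list of search-related registry values and the "unusual characters" test are the example's own choices; anything it flags still needs a human to confirm before it is fixed or deleted.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# mixing the entries the helper fixed with legitimate ones the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnket.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Class - {6CA0E131-B7AC-A1C6-6851-F14261B06791} - C:\WINDOWS\ipeq32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [javaki.exe] C:\WINDOWS\system32\javaki.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sysdb.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# IE values where about:blank is hijacker residue rather than a user's homepage choice (example's own list).
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "Default_Search_URL")
RES_LOCAL = re.compile(r"=\s*res://[A-Za-z]:\\", re.IGNORECASE)      # res:// page inside a DLL on disk
WINDIR_ANY = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)      # anything under the Windows directory
WINDIR_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)  # DLL directly in C:\WINDOWS
ODD_CHARS = re.compile(r"[^\w\s().,&'+-]")                           # characters a vendor would not use in a name
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE = re.compile(r'^"?(?P<path>.+?\.exe)\b', re.IGNORECASE)          # first executable in a Run command line


def check_r(line: str) -> List[str]:
    """R0/R1: Internet Explorer start and search page values."""
    reasons = []
    if RES_LOCAL.search(line):
        reasons.append("search page served from a res:// resource inside a local DLL")
    if "," in line and "=" in line:
        key = line.split(",", 1)[1].split("=", 1)[0].strip()
        if key in SEARCH_KEYS and line.rstrip().endswith("about:blank"):
            reasons.append(f"{key} set to about:blank, typical search hijacker residue")
    return reasons


def check_r3(line: str) -> List[str]:
    """R3: the default URLSearchHook, which search hijackers commonly remove."""
    return ["default URLSearchHook is missing"] if "URLSearchHook is missing" in line else []


def check_bho(line: str) -> List[str]:
    """O2: Browser Helper Objects loaded into IE."""
    m = BHO.match(line)
    if not m:
        return []
    reasons = []
    name, path = m.group("name").strip(), m.group("path").strip()
    if name in ("Class", "(no name)", ""):
        reasons.append("BHO registered without a descriptive name")
    if WINDIR_DLL.match(path):
        reasons.append("BHO DLL sits directly in the Windows directory")
    return reasons


def check_run(line: str) -> List[str]:
    """O4: Run-key autostarts whose value name is just the executable's own filename."""
    m = RUN.match(line)
    if not m:
        return []
    e = EXE.match(m.group("rest").strip())
    if not e:
        return []
    path = e.group("path")
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if m.group("name").strip().lower() == basename and WINDIR_ANY.match(path):
        return ["Run value named after its own executable, launched from the Windows directory"]
    return []


def check_service(line: str) -> List[str]:
    """O23: services with no publisher, or display names a vendor would not choose."""
    m = SERVICE.match(line)
    if not m:
        return []
    reasons = []
    name, owner, path = (m.group(g).strip() for g in ("name", "owner", "path"))
    if owner.lower() == "unknown owner" and WINDIR_ANY.match(path):
        reasons.append("service with no publisher running a binary from the Windows directory")
    if ODD_CHARS.search(name):
        reasons.append("service display name contains unusual characters")
    return reasons


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "R0": check_r, "R1": check_r, "R3": check_r3,
    "O2": check_bho, "O4": check_run, "O23": check_service,
}


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line at least one rule objects to."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        check = CHECKS.get(line.split(" ", 1)[0])
        reasons = check(line) if check else []
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run as-is it prints the six flagged sample lines with their reasons and stays silent on the Yahoo BHO, the Synaptics autostart, the iPod service and the Dell homepage; the `VPN5000Service` entry in the thread's logs shows why the "Unknown owner" rule is paired with a Windows-directory path test rather than applied on its own.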
#14 mfarmer2

mfarmer2
  • Topic Starter

  • Members
  • 8 posts

Posted 23 December 2005 - 03:37 PM

Here is the new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 3:32:33 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\intraport client\vpn5000service.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Marty Farmer\My Documents\HiJackThis\HijackThis\HijackThis.exe

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {63C4C187-E23F-4A20-898C-62CAF22335F8} (WatchOCX.WatchX) - https://www.watchsatellite.tv/members/WatchOCX.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\intraport client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#15 miekiemoes (Malware Killer Dog)
Malware Response Team - 19,420 posts - Location: Belgium

Posted 23 December 2005 - 04:18 PM

Hello,

I have good news for you, but I think you already noticed this yourself. :thumbsup:

Your log looks clean. Still some little things to perform.

* Download: Hoster
Unzip Hoster into its own folder.
Start Hoster.exe.
It may be that Hoster tells you your Hosts file doesn't exist and asks whether you want to create one. Click Yes/OK.
If you don't get that prompt/question, click 'Restore Original Hosts' and click OK.

This hijacker is also responsible for changing the ActiveX security settings to allow all.
To fix this...Open Internet Explorer > internet options > security > internet.
Press default level > OK.
Press custom level
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to "Prompt".
Set "Initialize and script ActiveX controls not marked as safe" to "Disable".

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.

Let me know in your next reply how things are running.
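As an added defender-side example, not code from this thread or from Hoster: a small Python audit of the two things the reply above says this hijacker changes, the Hosts file and the Internet zone ActiveX settings. The value names 1001/1004/1201 are Microsoft's documented IE zone setting IDs under the Zones\3 key; the sample Hosts file and zone values are constructed, and the winreg helper is an assumption that only runs on Windows.

```python
import ipaddress
# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (Internet zone); data 0 = enable, 1 = prompt, 3 = disable. Targets follow the reply above.
RECOMMENDED_ZONE3 = {
    "1001": 1,  # Download signed ActiveX controls -> Prompt
    "1004": 1,  # Download unsigned ActiveX controls -> Prompt
    "1201": 3,  # Initialize and script ActiveX controls not marked as safe -> Disable
}

def audit_hosts(text):
    """Return (line number, reason) for every entry that is not 'localhost -> loopback':
    a name mapped to a foreign address (redirect) or a non-localhost name mapped to
    loopback (an update/vendor host being blocked)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append((lineno, f"unparseable address {ip!r}"))
            continue
        if not loopback:
            findings.append((lineno, f"{', '.join(names)} redirected to {ip}"))
        elif any(n.lower() != "localhost" for n in names):
            findings.append((lineno, f"{', '.join(names)} blocked via loopback"))
    return findings

def audit_zone_settings(values):
    """values: {value_name: dword} read from Zones\\3. Returns {name: (current, recommended)}."""
    return {name: (values.get(name), want)
            for name, want in RECOMMENDED_ZONE3.items() if values.get(name) != want}

def read_zone3_from_registry():
    """Read the live values on Windows (assumed helper; winreg is stdlib there only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in RECOMMENDED_ZONE3}

# Constructed sample input, not the poster's files: a hijacked Hosts file and a
# Zones\3 key set to "allow all", the state the reply describes.
SAMPLE_HOSTS = """127.0.0.1       localhost
10.0.0.5        www.google.com          # search traffic sent to a foreign host
127.0.0.1       liveupdate.example.test # vendor update host blocked
"""
SAMPLE_ZONE3 = {"1001": 0, "1004": 0, "1201": 0}
```

Run `audit_hosts(SAMPLE_HOSTS)` and `audit_zone_settings(SAMPLE_ZONE3)` (or `audit_zone_settings(read_zone3_from_registry())` on Windows) to list what still differs from the settings the reply asks for.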



