"about:blank" Hijacked My Start Page And Other Pop-ups


5 replies to this topic

#1 Gary L

Gary L

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:22 PM

Posted 02 January 2006 - 07:39 PM

Hello, and happy new year. I ran Hijackthis and hope someone can help. My Internet Explorer start page has been hijacked by something called "about:blank" that appears to be a search engine for spam (why would anyone search for spam??). I can change the homepage via the usual method but the next time I start IE it's back to "about:blank".

I'm also getting a pop-up window occasionally that seems to try to find the topic of the page I'm looking at and then gives me a link to some more junk advertisements. It says something like: "searching for weather?" or "Searching for adware blocker?", etc.

The third problem is a Window that pops up from time to time that calls itself the Windows security center (or something like that) that tells me that my system is infected, and asks if I want to learn how to fix it. The first time I clicked OK and it took me to some vendor trying to sell an adware blocker. I also have a similar balloon that pops up from the tray by the clock along with a red shield symbol.

Finally, I have a couple of links that have added themselves to my favorites list. When I run adware removers it gets rid of them but they keep coming back. The links are for "Seven days of free porn", "search the web", "only sex website", and a folder called "Sites about".

I have run through the "Preparation guide for use before posting a Hijackthis log" (scanned with ad-aware SE, spybot, McAfee Stinger, etc.) and run Norton antivirus (full version with subscription) several times. Norton gets rid of some files that always come back after restart, and it finds but can't erase 2 files called mfcrv32.exe and wintx32.exe from C:\winnt\system32\ (I can't erase them manually either).

OK, here is my Hijackthis log:

------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:16:15 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\iemz.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\wintx32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1209B7C2-CD57-40FC-B7B3-9C64C2731CBA} - C:\WINNT\system32\jefm.dll (file missing)
O2 - BHO: Class - {2FBEE8D2-7AF2-0AB9-8174-C704E39A865F} - C:\WINNT\system32\msvf.dll (file missing)
O2 - BHO: Class - {3138A30F-5C5A-97F0-3DED-DD571397D9FC} - C:\WINNT\system32\msdu32.dll (file missing)
O2 - BHO: Class - {4A2FCD1F-704D-FF9B-E64F-CBD77FE19E5B} - C:\WINNT\winmh32.dll
O2 - BHO: Class - {4B7FF0DA-BA44-74F9-3DA2-18D6E89CD04B} - C:\WINNT\system32\atlbq32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {7A66D0FF-9707-2E41-A80D-7DE113BDAC8B} - C:\WINNT\system32\sdkdn32.dll (file missing)
O2 - BHO: Class - {7C13DECD-564B-3A25-5EA2-852A73A447BC} - C:\WINNT\system32\appqe32.dll
O2 - BHO: Class - {8797D539-4033-EDBC-C44B-E206516A6CE9} - C:\WINNT\system32\criz.dll (file missing)
O2 - BHO: Class - {B770C455-757F-090A-BEF9-713F25A1729A} - C:\WINNT\apirl32.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {CDFB04E1-4059-ABA7-541C-57D4512FBA72} - C:\WINNT\iecz.dll (file missing)
O2 - BHO: Class - {EF4A8C43-094E-7E4F-541B-E2C88E71457C} - C:\WINNT\system32\iezl32.dll
O2 - BHO: Class - {F2F8DD4A-9FFB-EABC-D625-4E2A75A166B2} - C:\WINNT\sysnn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [20.tmp] C:\DOCUME~1\Gary\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [21.tmp] C:\DOCUME~1\Gary\LOCALS~1\Temp\21.tmp.exe
O4 - HKLM\..\Run: [21.tmp.exe] C:\DOCUME~1\Gary\LOCALS~1\Temp\21.tmp.exe
O4 - HKLM\..\Run: [20.tmp.exe] C:\DOCUME~1\Gary\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [addgt32.exe] C:\WINNT\addgt32.exe
O4 - HKLM\..\Run: [d3dq32.exe] C:\WINNT\system32\d3dq32.exe
O4 - HKLM\..\Run: [ntaz.exe] C:\WINNT\system32\ntaz.exe
O4 - HKLM\..\Run: [sysnn.exe] C:\WINNT\sysnn.exe
O4 - HKLM\..\Run: [mfcxa.exe] C:\WINNT\mfcxa.exe
O4 - HKLM\..\Run: [d3fc.exe] C:\WINNT\system32\d3fc.exe
O4 - HKLM\..\Run: [wintx32.exe] C:\WINNT\system32\wintx32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1016_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...d/pc/index.html
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05c45ccdb32c496fcb04/...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124985557693
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37500.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...are/install.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} (MNPerformer Class) - http://download.newaol.com/bkpromo/downloa...formerSetup.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7F2A7C5-E0FA-48F7-9893-DF78DDF131F2} (MC3LibControl.TclControl) - http://www.jeppesen.com/mvcontrol/mc3lib.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\iemz.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\System32\gearsec.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#2 Gary L

Gary L
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:22 PM

Posted 02 January 2006 - 09:08 PM

Here's the exact text from the balloon that pops up from the tray next to the clock:

"Your computer might be at risk
*Your virus protection is bad
*Spyware activity detected

Click this balloon to fix this problem"

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 AM

Posted 03 January 2006 - 08:18 AM

Hello, looks like you were dealing with a desktop hijacker before as well, or at least you're dealing with some leftovers -- the popups from the system tray.

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

I see you have Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Download AboutBuster.
Unzip AboutBuster.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
You may not run AboutBuster yet; that's for later.

* Download and install CCleaner
Do not use it yet.

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

I see you already have Ewido installed. Please update it, but don't run the scan yet.

* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start hijackthis and click scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1209B7C2-CD57-40FC-B7B3-9C64C2731CBA} - C:\WINNT\system32\jefm.dll (file missing)
O2 - BHO: Class - {2FBEE8D2-7AF2-0AB9-8174-C704E39A865F} - C:\WINNT\system32\msvf.dll (file missing)
O2 - BHO: Class - {3138A30F-5C5A-97F0-3DED-DD571397D9FC} - C:\WINNT\system32\msdu32.dll (file missing)
O2 - BHO: Class - {4A2FCD1F-704D-FF9B-E64F-CBD77FE19E5B} - C:\WINNT\winmh32.dll
O2 - BHO: Class - {4B7FF0DA-BA44-74F9-3DA2-18D6E89CD04B} - C:\WINNT\system32\atlbq32.dll (file missing)
O2 - BHO: Class - {7A66D0FF-9707-2E41-A80D-7DE113BDAC8B} - C:\WINNT\system32\sdkdn32.dll (file missing)
O2 - BHO: Class - {7C13DECD-564B-3A25-5EA2-852A73A447BC} - C:\WINNT\system32\appqe32.dll
O2 - BHO: Class - {8797D539-4033-EDBC-C44B-E206516A6CE9} - C:\WINNT\system32\criz.dll (file missing)
O2 - BHO: Class - {B770C455-757F-090A-BEF9-713F25A1729A} - C:\WINNT\apirl32.dll (file missing)
O2 - BHO: Class - {CDFB04E1-4059-ABA7-541C-57D4512FBA72} - C:\WINNT\iecz.dll (file missing)
O2 - BHO: Class - {EF4A8C43-094E-7E4F-541B-E2C88E71457C} - C:\WINNT\system32\iezl32.dll
O2 - BHO: Class - {F2F8DD4A-9FFB-EABC-D625-4E2A75A166B2} - C:\WINNT\sysnn.dll (file missing)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [20.tmp] C:\DOCUME~1\Gary\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [21.tmp] C:\DOCUME~1\Gary\LOCALS~1\Temp\21.tmp.exe
O4 - HKLM\..\Run: [21.tmp.exe] C:\DOCUME~1\Gary\LOCALS~1\Temp\21.tmp.exe
O4 - HKLM\..\Run: [20.tmp.exe] C:\DOCUME~1\Gary\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [addgt32.exe] C:\WINNT\addgt32.exe
O4 - HKLM\..\Run: [d3dq32.exe] C:\WINNT\system32\d3dq32.exe
O4 - HKLM\..\Run: [ntaz.exe] C:\WINNT\system32\ntaz.exe
O4 - HKLM\..\Run: [sysnn.exe] C:\WINNT\sysnn.exe
O4 - HKLM\..\Run: [mfcxa.exe] C:\WINNT\mfcxa.exe
O4 - HKLM\..\Run: [d3fc.exe] C:\WINNT\system32\d3fc.exe
O4 - HKLM\..\Run: [wintx32.exe] C:\WINNT\system32\wintx32.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...d/pc/index.html
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05c45ccdb32c496fcb04/...ip/RdxIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...are/install.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E7F2A7C5-E0FA-48F7-9893-DF78DDF131F2} (MC3LibControl.TclControl) - http://www.jeppesen.com/mvcontrol/mc3lib.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\iemz.exe


* Close all open windows except hijackthis and click 'Fix Checked'.

* Start AboutBuster and let it scan.
The log will be saved in the AboutBuster folder.
If you get any error using AboutBuster, it's important you let me know afterwards in your next reply.
So skip this step in case of error and proceed with the next step of this fix.

* Double-click on HSfix, which you downloaded earlier and which is present on your desktop, and when it asks you if you want to add the contents to the registry, click Yes/OK.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Still in safe mode, start CCleaner.
Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and then click Run Cleaner (bottom right).

* Now open Ewido anti-malware.
Click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Normal Mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis log, the contents of smitfiles.txt (present on your home drive, C:\ in most cases), the AboutBuster log (present in the AboutBuster folder) and the Ewido log, using Add Reply.
So I need 5 logs in your next reply. If you can't post them in one post, use two posts instead.
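As an added example that is not part of this thread, the following Python script encodes the patterns the helper used to pick entries out of the log above (IE settings redirected to a local res:// DLL, the forced about:blank page, autostarts in Temp or named after their own file in the Windows directory, unnamed or missing BHOs, unknown-owner services) and runs them over an excerpt of that log. The function names, the regexes and the heuristics are my own, not HijackThis' or the helper's, and the sample lines are copied from the posted log.

```python
"""Triage heuristics for HijackThis v1.99 log lines. The heuristics and names are my own,
written for this thread; they are not part of HijackThis or of the helper's procedure."""
import re

# A file sitting directly in C:\WINNT (or C:\Windows) or in its system32 folder.
WINDIR = re.compile(r"^[a-z]:\\win(nt|dows)\\(system32\\)?[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")

def _strip_missing(path):
    """Split HijackThis' trailing '(file missing)' marker off a path."""
    path = path.strip()
    missing = path.lower().endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    return path, missing

def _exe_of(cmd):
    """Executable path from a Run value: the quoted part, or everything up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|com|scr|bat))(?=\s|$)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd.split(" ")[0]

def _check_r(body):
    """R0/R1/R3: Internet Explorer start page, search and proxy settings."""
    if body.startswith("Default URLSearchHook is missing"):
        return "default URLSearchHook removed (typical of an about:blank hijack)"
    key, _, value = body.partition(" = ")
    value = value.strip().lower()
    if value.startswith("res://"):
        return "IE search/start setting points at a local res:// DLL"
    if "Default_Page_URL" in key and value == "about:blank":
        return "default page forced to about:blank"
    if key.endswith("ProxyServer") and value in (":0", ""):
        return "bogus proxy setting"
    return None

def _check_o2(body):
    """O2: Browser Helper Objects."""
    m = re.match(r"BHO:\s*(.*?)\s*-\s*\{[0-9a-f-]+\}\s*-\s*(.*)$", body, re.I)
    if not m:
        return None
    name, (path, missing) = m.group(1), _strip_missing(m.group(2))
    if name.lower() in ("class", "(no name)") and WINDIR.match(path):
        return "unnamed BHO loaded from the Windows directory" + (" (file missing)" if missing else "")
    return "BHO registered but its file is missing (stale entry)" if missing else None

def _check_o4(body):
    """O4: Run / RunOnce autostart entries."""
    m = re.match(r"HK(?:LM|CU)\\\.\.\\Run(?:Once)?:\s*\[(.*?)\]\s*(.*)$", body)
    if not m:
        return None
    name, exe = m.group(1), _exe_of(m.group(2).strip())
    if TEMP_DIR.search(exe):
        return "autostart launched from a Temp folder"
    if name.lower() == exe.rsplit("\\", 1)[-1].lower() and WINDIR.match(exe):
        return "autostart named after its own file in the Windows directory (dropper pattern)"
    return None

def _check_o23(body):
    """O23: services; HijackThis prints 'Unknown owner' when the binary has no publisher."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3 or parts[1].strip() != "Unknown owner":
        return None
    path, missing = _strip_missing(parts[2])
    if missing:
        return "unknown-owner service whose file is missing (stale entry)"
    return "unknown-owner service" + (" running from the Windows directory" if WINDIR.match(path) else "")

CHECKS = {"R": _check_r, "O2": _check_o2, "O4": _check_o4, "O23": _check_o23}

def triage(log_text):
    """Return (section, reason, line) for every log line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        check = CHECKS.get("R" if section.startswith("R") else section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, line.strip()))
    return findings

# Constructed excerpt of the log posted above, mixing legitimate and hijacker entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\osdhx.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {4A2FCD1F-704D-FF9B-E64F-CBD77FE19E5B} - C:\WINNT\winmh32.dll
O2 - BHO: Class - {2FBEE8D2-7AF2-0AB9-8174-C704E39A865F} - C:\WINNT\system32\msvf.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [21.tmp] C:\DOCUME~1\Gary\LOCALS~1\Temp\21.tmp.exe
O4 - HKLM\..\Run: [addgt32.exe] C:\WINNT\addgt32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\iemz.exe
"""
```

Running `triage(SAMPLE_LOG)` flags the ten hijacker and stale entries and leaves the Spybot, Nero, PureEdge and Symantec lines alone; the heuristics are a first pass for a human reviewer, not a verdict.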

#4 Gary L

Gary L
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:22 PM

Posted 04 January 2006 - 08:30 PM

Hello, and thank you! :thumbsup: Yes, I did have a desktop hijacker but I was able to get rid of some of the symptoms but the rest I would have never figured out by myself. Thanks also for the info on Viewpoint.

*Panda did not detect anything malicious so there was no report available.

*HijackThis created this new log:

Logfile of HijackThis v1.99.1
Scan saved at 6:54:56 AM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\zstatus.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {BBF8181F-5DEB-4824-9AF7-F0A72CC371EB} - C:\WINNT\ntzx.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1016_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124985557693
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37500.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} (MNPerformer Class) - http://download.newaol.com/bkpromo/downloa...formerSetup.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\System32\gearsec.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
----------------------------------------------------

*smitfiles.txt:


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 01/03/2006
The current time is: 17:39:17.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1320 'explorer.exe'
Killing PID 1320 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :flowers:

--------------------------------------------------------------

*Aboutbuster-log:

AboutBuster 6.0
Scan started on [1/3/2006] at [5:28:08 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINNT\ARTGALRY.CAG:ezzsde
Removed Stream! C:\WINNT\bdoscandellang.ini:wargfo
Removed Stream! C:\WINNT\clock.avi:hbuqbb
Removed Stream! C:\WINNT\cmsetacl.log:hajwl
Removed Stream! C:\WINNT\desktop.ini:swxhdn
Removed Stream! C:\WINNT\DtcInstall.log:huuxha
Removed Stream! C:\WINNT\explorer.scf:pspwi
Removed Stream! C:\WINNT\FONT11.JTF:bopcjn
Removed Stream! C:\WINNT\FONT17.JTF:svkuhs
Removed Stream! C:\WINNT\FONT34.JTF:mpsmgh
Removed Stream! C:\WINNT\FONT82.JTF:npgrxq
Removed Stream! C:\WINNT\Gary.pcb:cjygc
Removed Stream! C:\WINNT\iis6.log:ummuzu
Removed Stream! C:\WINNT\KB817778.log:krclvu
Removed Stream! C:\WINNT\KB825119.log:ztqetg
Removed Stream! C:\WINNT\KB828035.log:kuarnq
Removed Stream! C:\WINNT\KB839645.log:jnczco
Removed Stream! C:\WINNT\KB842773.log:cqyruu
Removed Stream! C:\WINNT\KB886185.log:nrbcqo
Removed Stream! C:\WINNT\KB890859.log:ftxvfy
Removed Stream! C:\WINNT\KB893756.log:vkkph
Removed Stream! C:\WINNT\KB893803v2.log:mavbz
Removed Stream! C:\WINNT\KB896428.log:avucqw
Removed Stream! C:\WINNT\KB898461.log:hcrzqt
Removed Stream! C:\WINNT\KB901214.log:dpqspt
Removed Stream! C:\WINNT\KB902400.log:seujmg
Removed Stream! C:\WINNT\KB902400.log:wqhwpv
Removed Stream! C:\WINNT\Mav8Ext.log:stchtu
Removed Stream! C:\WINNT\medctroc.Log:qnxdq
Removed Stream! C:\WINNT\MSOClip.232:bpiwng
Removed Stream! C:\WINNT\nsw.log:uqsbpq
Removed Stream! C:\WINNT\ntbtlog.txt:vwxnsg
Removed Stream! C:\WINNT\NWRGSTRY.INI:dthvnz
Removed Stream! C:\WINNT\olgjl.txt:rxtvao
Removed Stream! C:\WINNT\PICTAKER.LOG:bqfoxj
Removed Stream! C:\WINNT\progman.ini:aeqtvy
Removed Stream! C:\WINNT\Q309691.log:iegte
Removed Stream! C:\WINNT\Q309691.log:mglsya
Removed Stream! C:\WINNT\Q313450.log:ceokl
Removed Stream! C:\WINNT\Q315000.log:sxrda
Removed Stream! C:\WINNT\Q315000.log:xiocum
Removed Stream! C:\WINNT\Q323255.log:ohpcqq
Removed Stream! C:\WINNT\Q329170.log:qipyjl
Removed Stream! C:\WINNT\Q810565.log:wtaonn
Removed Stream! C:\WINNT\Q819696.log:rnwlll
Removed Stream! C:\WINNT\setuperr.log:fkieqi
Removed Stream! C:\WINNT\setuplog.txt:ndvaqp
Removed Stream! C:\WINNT\Soap Bubbles.bmp:yfylmk
Removed Stream! C:\WINNT\stub15.ini:czujch
Removed Stream! C:\WINNT\stub21.ini:hyrznu
Removed Stream! C:\WINNT\stub22.ini:ecyho
Removed Stream! C:\WINNT\stub24.ini:aycehe
Removed Stream! C:\WINNT\stub27.ini:szvkjp
Removed Stream! C:\WINNT\stub30.ini:kanxer
Removed Stream! C:\WINNT\stub31.ini:ieufn
Removed Stream! C:\WINNT\stub32.ini:zauuyh
Removed Stream! C:\WINNT\stub35.ini:jafzbr
Removed Stream! C:\WINNT\stub44.ini:bnzgfr
Removed Stream! C:\WINNT\stub47.ini:tnsmzb
Removed Stream! C:\WINNT\stub55.ini:vtezwx
Removed Stream! C:\WINNT\stub58.ini:nuxfqa
Removed Stream! C:\WINNT\stub60.ini:yupkkk
Removed Stream! C:\WINNT\stub8.ini:ycclns
Removed Stream! C:\WINNT\vminst.log:liaks
Removed Stream! C:\WINNT\wgedit.ini:xzfiug
Removed Stream! C:\WINNT\winnt256.bmp:cgpctf
Removed Stream! C:\WINNT\winnt256.bmp:glwiq
Removed Stream! C:\WINNT\WMSysPr9.prx:uhhhvh
Removed Stream! C:\WINNT\~GLC0000.TMP:puswty
Removed Stream! C:\WINNT\~GLC0003.TMP:giihom
Removed Stream! C:\WINNT\~GLC0003.TMP:ohqcmc
Removed Stream! C:\WINNT\~GLC0003.TMP:udhqbw
Removed Stream! C:\WINNT\~GLC0003.TMP:zrdnah
-------------------------------------------------------------
Removed File! : C:\WINNT\appdq32.exe
Removed File! : C:\WINNT\atlpk32.exe
Removed File! : C:\WINNT\atlwm32.exe
Removed File! : C:\WINNT\bapxt.log
Removed File! : C:\WINNT\cbxfv.log
Removed File! : C:\WINNT\d3fp32.exe
Removed File! : C:\WINNT\d3vp32.exe
Removed File! : C:\WINNT\faxtz.dat
Removed File! : C:\WINNT\gpayo.log
Removed File! : C:\WINNT\higps.log
Removed File! : C:\WINNT\ieta.exe
Removed File! : C:\WINNT\javaqn.exe
Removed File! : C:\WINNT\javasl32.exe
Removed File! : C:\WINNT\kkcnj.txt
Removed File! : C:\WINNT\mfctf32.exe
Removed File! : C:\WINNT\mfyft.dll
Removed File! : C:\WINNT\netsm32.exe
Removed File! : C:\WINNT\netwu32.exe
Removed File! : C:\WINNT\ntdv.exe
Removed File! : C:\WINNT\ntot32.exe
Removed File! : C:\WINNT\ntzb32.exe
Removed File! : C:\WINNT\ntzx.dll
Removed File! : C:\WINNT\nvyxk.txt
Removed File! : C:\WINNT\olgjl.txt
Removed File! : C:\WINNT\qcimv.log
Removed File! : C:\WINNT\qvaxm.log
Removed File! : C:\WINNT\rxtva.dat
Removed File! : C:\WINNT\sdkqc32.exe
Removed File! : C:\WINNT\sysbe.exe
Removed File! : C:\WINNT\sysby.exe
Removed File! : C:\WINNT\sysqb32.exe
Removed File! : C:\WINNT\txasx.txt
Removed File! : C:\WINNT\vtezw.dat
Removed File! : C:\WINNT\wineb.exe
Removed File! : C:\WINNT\zauuy.dat
Removed File! : C:\WINNT\system32\addjv32.exe
Removed File! : C:\WINNT\system32\addqj.exe
Removed File! : C:\WINNT\system32\addzi.exe
Removed File! : C:\WINNT\system32\apips.exe
Removed File! : C:\WINNT\system32\appcb32.exe
Removed File! : C:\WINNT\system32\appgo.exe
Removed File! : C:\WINNT\system32\appsb32.exe
Removed File! : C:\WINNT\system32\appzq32.exe
Removed File! : C:\WINNT\system32\atlvx32.exe
Removed File! : C:\WINNT\system32\bolyy.txt
Removed File! : C:\WINNT\system32\crfi32.exe
Removed File! : C:\WINNT\system32\crpy32.exe
Removed File! : C:\WINNT\system32\d3dk.exe
Removed File! : C:\WINNT\system32\d3do32.exe
Removed File! : C:\WINNT\system32\d3rf.exe
Removed File! : C:\WINNT\system32\d3zu32.exe
Removed File! : C:\WINNT\system32\iemz.exe
Removed File! : C:\WINNT\system32\ievr32.exe
Removed File! : C:\WINNT\system32\ipfp32.exe
Removed File! : C:\WINNT\system32\ipik.exe
Removed File! : C:\WINNT\system32\ipqz.exe
Removed File! : C:\WINNT\system32\iput.exe
Removed File! : C:\WINNT\system32\javanh.exe
Removed File! : C:\WINNT\system32\mfcoe.exe
Removed File! : C:\WINNT\system32\mfcrv32.exe
Removed File! : C:\WINNT\system32\msjc.exe
Removed File! : C:\WINNT\system32\ndaxr.txt
Removed File! : C:\WINNT\system32\ntsk32.exe
Removed File! : C:\WINNT\system32\nuxfq.txt
Removed File! : C:\WINNT\system32\oawku.dll
Removed File! : C:\WINNT\system32\osdhx.dll
Removed File! : C:\WINNT\system32\sdkhf.exe
Removed File! : C:\WINNT\system32\sdkne32.exe
Removed File! : C:\WINNT\system32\sysfj32.exe
Removed File! : C:\WINNT\system32\sysfo32.exe
Removed File! : C:\WINNT\system32\winnv32.exe
Removed File! : C:\WINNT\system32\winqu.exe
Removed File! : C:\WINNT\system32\wintx32.exe
Removed File! : C:\WINNT\system32\zjzum.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:36:33 PM

-----------------------------------------------------------------------------------

*Ewido Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:10:07 PM, 1/3/2006
+ Report-Checksum: D4F9D4B9

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{C69CDB11-E654-F1B7-D3C1-E67DFB32D233} -> Spyware.LZIO : Cleaned without backup
HKU\S-1-5-21-869365757-3833581854-4065617495-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A66D0FF-9707-2E41-A80D-7DE113BDAC8B} -> Spyware.CoolWebSearch : Cleaned without backup
C:\Program Files\HijackThis\backups\backup-20060103-172621-297.dll -> Downloader.Agent.bc : Cleaned without backup
C:\Program Files\HijackThis\backups\backup-20060103-172621-333.dll -> Downloader.Agent.bc : Cleaned without backup
C:\Program Files\HijackThis\backups\backup-20060103-172621-365.dll -> Downloader.Agent.bc : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> Spyware.Cookie.Findwhat : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.247realmedia : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> Spyware.Cookie.Adtech : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> Spyware.Cookie.Bfast : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> Spyware.Cookie.Bluestreak : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> Spyware.Cookie.Serving-sys : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> Spyware.Cookie.Burstnet : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> Spyware.Cookie.Casalemedia : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> Spyware.Cookie.Centrport : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp -> Spyware.Cookie.Com : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp -> Spyware.Cookie.Pro-market : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp -> Spyware.Cookie.Coremetrics : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> Spyware.Cookie.Ru4 : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> Spyware.Cookie.Falkag : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> Spyware.Cookie.Fastclick : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> Spyware.Cookie.Linksynergy : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> Spyware.Cookie.Mediaplex : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> Spyware.Cookie.Paycounter : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> Spyware.Cookie.Qksrv : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> Spyware.Cookie.Questionmarket : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> Spyware.Cookie.Bridgetrack : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> Spyware.Cookie.Serving-sys : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> Spyware.Cookie.Sexlist : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp -> Spyware.Cookie.Spylog : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> Spyware.Cookie.Statcounter : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> Spyware.Cookie.Targetnet : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> Spyware.Cookie.Tradedoubler : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> Spyware.Cookie.Trafficmp : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6D.tmp -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> Spyware.Cookie.Valueclick : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> Spyware.Cookie.Weborama : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp -> Spyware.Cookie.Webtrendslive : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71.tmp -> Spyware.Cookie.Xxxcounter : Cleaned without backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp -> Spyware.Cookie.Adserver : Cleaned without backup


::Report End

#5 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 January 2006 - 12:59 AM

Well, that is looking a lot better! :thumbsup:
Only some small things to perform...

Check and fix the next leftover in HijackThis:

O2 - BHO: Class - {BBF8181F-5DEB-4824-9AF7-F0A72CC371EB} - C:\WINNT\ntzx.dll (file missing)

* Download: Hoster
Unzip Hoster to its own folder.
Start Hoster.exe.
It is possible that Hoster will tell you that your Hosts file doesn't exist and ask if you want to create one. Click Yes/OK.
If you don't get that prompt/question, click 'Restore Original Hosts' and click OK.

This hijacker is also responsible for changing the ActiveX security settings to allow all.
To fix this, open Internet Explorer > Internet Options > Security > Internet.
Press Default Level > OK.
Press Custom Level.
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to Prompt.
Set "Initialize and script ActiveX controls not marked as safe" to Disable.

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.

Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
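The kind of leftover miekiemoes points at above (a BHO still registered for a DLL that the cleanup tools already removed) is something that can be picked out of a HijackThis log mechanically. What follows is an added example, not code from the thread, from HijackThis or from any of the tools mentioned in it: a small Python triage script that parses a saved HijackThis v1.99 log and flags orphaned O2/O3/O4/O23 registrations, R0/R1 start or search pages set to about:blank or a local resource, and O1 hosts redirects. The embedded sample log is constructed from lines in Gary's log above plus one constructed R0 line showing the about:blank start page the thread began with; the function names `parse_entries` and `triage` are this example's own.

```python
"""Triage a saved HijackThis v1.99 log for leftover entries.

Added example for this thread; it is not code from HijackThis, smitRem,
AboutBuster or the thread's participants. It only reads log text, never the
registry or the filesystem, so it runs on any platform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry line: "<section> - <body>", for example
# "O2 - BHO: Class - {CLSID} - C:\WINNT\ntzx.dll (file missing)".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")

# Start/search page values the about:blank family of hijackers writes:
# about:blank, a res:// or file:// URL, or a bare local path.
HIJACK_PAGE = re.compile(r"=\s*(about:blank|res://|file://|[a-z]:\\)", re.IGNORECASE)

# Sections whose target is a local DLL/EXE/driver; "(file missing)" there is
# an orphaned registration left behind after the file itself was removed.
LOCAL_TARGET_SECTIONS = {"O2", "O3", "O4", "O23"}


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section, e.g. "O2"
    reason: str   # why the entry was flagged
    line: str     # the original log line, ready to paste into a reply


def parse_entries(log_text: str):
    """Yield (section code, body, full line) for every entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask the poster to check and fix."""
    findings: list[Finding] = []
    for code, body, line in parse_entries(log_text):
        if code in LOCAL_TARGET_SECTIONS and body.endswith("(file missing)"):
            findings.append(Finding(code, "orphaned entry: registered file no longer exists", line))
        elif code in {"R0", "R1"} and HIJACK_PAGE.search(body):
            findings.append(Finding(code, "start/search page points at about:blank or a local resource", line))
        elif code == "O1":
            # Hosts redirects are not malicious by themselves; list them so the
            # poster can compare against a clean hosts file (what Hoster restores).
            findings.append(Finding(code, "hosts file redirect present", line))
    return findings


# Constructed sample: entries copied from the log posted in this thread plus
# one constructed R0 line showing the about:blank start page it began with.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {BBF8181F-5DEB-4824-9AF7-F0A72CC371EB} - C:\WINNT\ntzx.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it as a plain script and it prints the three entries in the sample that deserve a second look: the constructed about:blank start page, the ntzx.dll BHO miekiemoes asks to fix, and the orphaned PictureTaker service. O9 buttons whose target is a URL are deliberately left alone, since "(file missing)" on a web address is not an orphaned binary. The script never fixes anything; deciding what to tick in HijackThis stays with the person reading the log.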

#6 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 January 2006 - 05:10 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.