Surfsidekick 3 Infection


21 replies to this topic

#1 MamaRamona


Posted 21 June 2006 - 04:00 AM

hello,

I seem to have this 'surfsidekick 3' on my computer, and have tried to rid it through Ad-Aware, Spybot, Ewido, and Killbox, but none of them have successfully deleted it from my computer. My computer is now running very slow, with continuous popups. The following is my HijackThis log. I put checks next to the SurfSidekick 3 lines to try to fix them, but they have returned.

Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 4:57:55 AM, on 6/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\thiselt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\kbdhco.exe
C:\WINDOWS\System32\kbdhco.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunOnce: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9616C3A-8F19-4BCB-BFE6-BD2699BCD41D}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#2 MFDnSC


Posted 21 June 2006 - 09:29 AM

Follow the directions here and when done post a new HijackThis log

http://www.bleepingcomputer.com/forums/t/9549/how-to-remove-surfsidekick-2-or-3-and-vcclient/
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 MamaRamona


Posted 21 June 2006 - 03:09 PM

New HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 4:05:54 PM, on 6/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\thiselt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\kbdhco.exe
C:\WINDOWS\System32\kbdhco.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\aexplore.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\RunOnce: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


And results from latest Ewido scan...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:08:40 PM, 6/21/2006
+ Report-Checksum: B00167AA

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Cleaned with backup
[728] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[780] C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
[792] C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
[984] C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1080] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1204] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1296] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1356] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1788] C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1796] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[260] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[464] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[568] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[700] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[796] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[1064] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2200] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2552] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2712] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2756] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2772] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[2864] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
C:\WINDOWS\system32\nsy7D.dll -> Adware.Ezula : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@e-2dj6wfloeldzmeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End
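The two HijackThis logs above are compared by eye in this thread to see which entries survived the cleanup. Below is an added example (not HijackThis code and not a tool used in this thread) that parses the `Oxx - ...` entry lines, diffs two scans, and flags the loader locations that persisted here: empty `RunServices` entries, run targets with a second `.exe`, `AppInit_DLLs`, `Winlogon Notify`, `SSODL` and the per-interface `NameServer` override. The sample logs are short constructed excerpts of the thread's own entries, and the flagging heuristics are assumptions, not HijackThis rules.

```python
"""Parse HijackThis v1.99.1 entry lines, diff two scans and triage what persisted.

Added example for this thread; it is not HijackThis code. The heuristics in
triage() are assumptions about where adware of this kind usually hides.
"""
import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKCU\..\Run: [name] path"; the process list and the
# header lines of the log do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# Run-key detail: "<hive>\..\Run: [value name] <target and arguments>"
RUN_RE = re.compile(r".*: \[[^\]]*\]\s*(.*)$")


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    detail: str


def parse_hjt(text):
    """Return the Entry objects found in a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Classify entries as removed, persisting or new between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {
        "removed": sorted(b - a),
        "persisting": sorted(b & a),
        "new": sorted(a - b),
    }


def triage(entries):
    """Return (entry, reasons) for entries that deserve a manual look.

    Heuristics (assumptions): O20/O21 entries load a DLL into every process or
    into Explorer, O17 rewrites DNS for one interface, and O4 run keys with no
    target or with a second '.exe' in the target are rarely legitimate.
    """
    flagged = []
    for e in entries:
        reasons = []
        if e.section == "O20":
            reasons.append("global DLL load point (AppInit_DLLs / Winlogon Notify)")
        if e.section == "O21":
            reasons.append("shell service object loaded by Explorer")
        if e.section == "O17":
            reasons.append("DNS server overridden for one interface")
        if e.section == "O4":
            m = RUN_RE.match(e.detail)
            target = m.group(1).strip() if m else ""
            if not target:
                reasons.append("run key with no target file")
            elif target.lower().count(".exe") > 1:
                reasons.append("second '.exe' in run target")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed excerpts of the first and second logs in this thread.
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9616C3A-8F19-4BCB-BFE6-BD2699BCD41D}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: repairs303169590.dll
"""

SAMPLE_AFTER = r"""R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O20 - AppInit_DLLs: inicfg32.dll
"""


def main():
    result = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    for kind, entries in result.items():
        print(f"== {kind} ({len(entries)})")
        for e in entries:
            print(f"  {e.section} - {e.detail}")
    print("== flagged in the second scan")
    for e, reasons in triage(parse_hjt(SAMPLE_AFTER)):
        print(f"  {e.section} - {e.detail}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

On the excerpts above the diff shows the SurfSideKick entries, the NameServer override and the old AppInit DLL gone, while the SystemTools and WinMedia run keys persist and a new AppInit DLL (inicfg32.dll) has appeared, which is what the Ewido report in the same post then fails to clean.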

#4 MFDnSC


Posted 21 June 2006 - 03:39 PM

Please download E2TakeOut by Rubber Ducky from here:

http://www.malwarebytes.org/E2TakeOut.zip
· Extract the file to your Desktop
· Double click E2TakeOut.exe
· Click the Begin Removal button
· Wait until the program is finished scanning
· Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
· Reboot your computer
· Once your computer has rebooted E2TakeOut will open and produce a report
· Please copy/paste that report into your next reply
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 MamaRamona


Posted 21 June 2006 - 05:01 PM

E2TakeOut v1.00 [http://www.malwarebytes.org]

Removed! C:\WINDOWS\System32\inicfg32.dll
Removed directory and files! C:\Program Files\E2G
Removed orphaned leftovers
AppInit key reset

#6 MamaRamona


Posted 21 June 2006 - 05:02 PM

Edited because of double post

Edited by MamaRamona, 21 June 2006 - 05:05 PM.


#7 MFDnSC


Posted 21 June 2006 - 05:20 PM

New Hijack log pls
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 MamaRamona


Posted 21 June 2006 - 05:57 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:56:04 PM, on 6/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\kbdhco.exe
C:\WINDOWS\System32\kbdhco.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\TEMP\art2BF6.tmp
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O4 - HKCU\..\RunOnce: [kbdhco] C:\WINDOWS\System32\kbdhco.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9616C3A-8F19-4BCB-BFE6-BD2699BCD41D}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


ALSO Ewido...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:58:52 PM, 6/21/2006
+ Report-Checksum: 2A0F2952

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Error during cleaning
[588] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup
[732] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[776] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[788] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[952] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1040] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1168] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1228] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1244] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1664] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1704] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1712] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1720] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1968] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[156] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[240] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[268] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[392] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[436] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[556] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[584] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[648] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[672] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[2012] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[1632] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[2080] C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Error during cleaning
[3428] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[3784] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[756] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
[3852] C:\WINDOWS\System32\inicfg32.dll -> Adware.E2give : Error during cleaning
C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup


::Report End

Edited by MamaRamona, 21 June 2006 - 06:01 PM.


#9 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:11:46 PM

Posted 21 June 2006 - 07:10 PM

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
======================
Run this again

· Double click E2TakeOut.exe
· Click the Begin Removal button
· Wait until the program is finished scanning
· Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
· Reboot your computer
· Once your computer has rebooted E2TakeOut will open and produce a report
· Please copy/paste that report into your next reply
======================

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R3 - Default URLSearchHook is missing

O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe

O4 - HKLM\..\RunServices: [SystemTools]

O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe

O4 - HKCU\..\Run: [kbdhco] C:\WINDOWS\System32\kbdhco.exe

O4 - HKCU\..\RunOnce: [kbdhco] C:\WINDOWS\System32\kbdhco.exe

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O20 - AppInit_DLLs: inicfg32.dll

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Delete on reboot. <-- important

In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\nodeipproc.dll
C:\Program Files\E2G
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\vxgame6.exe3072.exe
C:\WINDOWS\System32\kbdhco.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
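One way to triage the HijackThis log format this thread revolves around, as an added example that is not code from the thread or from HijackThis: a Python script that parses the "Oxx - ..." lines and flags the entry kinds the helper singles out above (orphaned registrations, AppInit_DLLs, Winlogon Notify, SSODL, the RunServices autorun, ActiveX packages not fetched over http). The sample log and the flag heuristics are constructed from the entries posted in this thread.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not code from
this thread or from HijackThis). It parses the 'Oxx - ...' lines and flags
the entry kinds the helper singles out: registrations whose image is gone,
AppInit_DLLs and Winlogon Notify hooks, SSODL objects, legacy RunServices
autoruns, and ActiveX (O16) packages not fetched over plain http(s)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: entry shapes copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
MISSING_RE = re.compile(r"\((file missing|no file)\)\s*$", re.I)


@dataclass
class Entry:
    section: str            # e.g. "O20"
    body: str               # everything after "O20 - "
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per 'Oxx - body' line; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def flag_entry(e):
    """Attach triage flags to an Entry using the heuristics listed in the docstring."""
    body = e.body
    if MISSING_RE.search(body):
        e.flags.append("registered image no longer on disk (orphaned entry)")
    if e.section == "R3" and body.endswith("is missing"):
        e.flags.append("default URLSearchHook removed")
    if e.section == "O4":
        key, _, cmd = body.partition(": ")
        if "RunServices" in key:
            e.flags.append("legacy RunServices key (not a normal XP autorun location)")
        m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<image>.*)$", cmd)
        image = m["image"] if m else ""
        if not image:
            e.flags.append("autorun with an empty command")
        elif re.search(r"\.exe\S+\.exe$", image, re.I):
            e.flags.append("double .exe in image name")
    if e.section == "O16":
        src = body.rsplit(" - ", 1)[-1]
        if urlsplit(src).scheme not in ("http", "https"):
            e.flags.append("ActiveX package not fetched over http(s): " + src)
    if e.section == "O20" and body.startswith("AppInit_DLLs:"):
        # A DLL named here is mapped into every process that loads user32.dll,
        # which is why it stays locked (and scanners report 'error during
        # cleaning' per process) until the box is booted to safe mode.
        e.flags.append("AppInit_DLLs set: DLL injected into every user32 process")
    if e.section == "O20" and body.startswith("Winlogon Notify:"):
        e.flags.append("Winlogon Notify package: loaded by winlogon.exe at logon")
    if e.section == "O21":
        e.flags.append("ShellServiceObjectDelayLoad object: loaded by Explorer at logon")
    return e


def triage(text):
    """Parse a log and return only the entries that picked up at least one flag."""
    flagged = []
    for e in parse_hjt(text):
        flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print("    -", f)
```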

#10 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:12:46 AM

Posted 23 June 2006 - 08:27 AM

For some reason, the combofix.txt log will not open for me. I did all that was suggested above, but it appears that some of the items I attempted to delete in Killbox are still on the computer. In terms of performance, my computer is working somewhat better, with fewer popups, however my current version of AOL is not working, and overall, things are still somewhat slow. The following are the results of the above steps and a new Ewido scan ...

E2Takeout...

E2TakeOut v1.00 [http://www.malwarebytes.org]

Removed! C:\WINDOWS\System32\inicfg32.dll
Removed directory and files! C:\Program Files\E2G
Removed orphaned leftovers
AppInit key reset

----------------------------------------------------------------

HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 9:15:55 AM, on 6/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

-----------------------------------------------------------

Ewido Scan...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:38:03 AM, 6/23/2006
+ Report-Checksum: F8137C6E

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Error during cleaning
C:\WINDOWS\comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINDOWS\system32\inicfg32.dll -> Adware.E2give : Error during cleaning
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@e-2dj6wjkyoocjehq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

#11 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:11:46 PM

Posted 23 June 2006 - 10:45 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O4 - HKLM\..\RunServices: [SystemTools]

O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: inicfg32.dll

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\vxgame6.exe3072.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#12 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:12:46 AM

Posted 23 June 2006 - 12:48 PM

When trying to fix the suggested files in HJT, the following message appeared for O20 - AppInit_DLLs: inicfg32.dll ... "error #5 - Invalid procedure call or argument."

Also, when trying to delete the following in Killbox C:\WINDOWS\System32\vxgame6.exe3072.exe, I got the message that the file does not exist.


New HJT...

Logfile of HijackThis v1.99.1
Scan saved at 1:40:03 PM, on 6/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#13 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:11:46 PM

Posted 23 June 2006 - 03:45 PM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#14 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:12:46 AM

Posted 24 June 2006 - 03:41 AM

SPYSWEEPER LOG...

********
3:03 AM: | Start of Session, Saturday, June 24, 2006 |
3:03 AM: Spy Sweeper started
3:03 AM: Sweep initiated using definitions version 706
3:03 AM: Starting Memory Sweep
3:04 AM: Found Adware: e2g
3:04 AM: Detected running threat: C:\WINDOWS\system32\inicfg32.dll (ID = 288919)
3:08 AM: Memory Sweep Complete, Elapsed Time: 00:04:35
3:08 AM: Starting Registry Sweep
3:08 AM: HKCR\appid\iebhos.dll\ (1 subtraces) (ID = 125406)
3:08 AM: HKCR\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (1 subtraces) (ID = 125407)
3:08 AM: HKCR\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ (14 subtraces) (ID = 125441)
3:08 AM: HKCR\iebhos.control.1\ (3 subtraces) (ID = 125444)
3:08 AM: HKCR\iebhos.control\ (5 subtraces) (ID = 125445)
3:08 AM: HKLM\software\classes\appid\iebhos.dll\ (1 subtraces) (ID = 125446)
3:08 AM: HKLM\software\classes\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (1 subtraces) (ID = 125447)
3:08 AM: HKLM\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ (14 subtraces) (ID = 125481)
3:08 AM: HKLM\software\classes\iebhos.control.1\ (3 subtraces) (ID = 125482)
3:08 AM: HKLM\software\classes\iebhos.control\ (5 subtraces) (ID = 125483)
3:08 AM: HKLM\software\classes\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (9 subtraces) (ID = 125484)
3:08 AM: HKLM\software\e2g\ (5 subtraces) (ID = 125485)
3:08 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ (ID = 125492)
3:08 AM: HKCR\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (9 subtraces) (ID = 125529)
3:08 AM: Found Adware: purityscan
3:08 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
3:08 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
3:08 AM: Found Trojan Horse: trojan-backdoor-msdcom32
3:08 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 385950)
3:08 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 484007)
3:08 AM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} (ID = 510271)
3:08 AM: Found Adware: enbrowser
3:08 AM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
3:08 AM: Found Adware: security toolbar
3:08 AM: HKLM\software\microsoft\windows\currentversion\uninstall\security toolbar\ (2 subtraces) (ID = 1035010)
3:08 AM: Found Adware: mirar webband
3:08 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\winats.dll (ID = 1055333)
3:08 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
3:08 AM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\ (2 subtraces) (ID = 1070163)
3:08 AM: Found Adware: elitemediagroup-mediamotor
3:08 AM: HKLM\software\microsoft\code store database\distribution units\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\ (11 subtraces) (ID = 1074498)
3:08 AM: Found Adware: winantispyware 2005
3:08 AM: HKLM\system\currentcontrolset\control\safeboot\minimal\d_kmd.sys\ (1 subtraces) (ID = 1137425)
3:08 AM: HKLM\system\currentcontrolset\control\safeboot\network\d_kmd.sys\ (1 subtraces) (ID = 1137427)
3:08 AM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 1144322)
3:08 AM: Found Trojan Horse: trojan-phisher-metafisher
3:08 AM: HKLM\software\microsoft\windows\currentversion\control panel\load\ (6 subtraces) (ID = 1150937)
3:08 AM: Found Adware: 180search assistant/zango
3:08 AM: HKCR\saix.installercaller.1\ (3 subtraces) (ID = 1156609)
3:08 AM: HKCR\saix.installercaller\ (5 subtraces) (ID = 1156613)
3:08 AM: HKLM\software\classes\saix.installercaller.1\ (3 subtraces) (ID = 1156657)
3:08 AM: HKLM\software\classes\saix.installercaller\ (5 subtraces) (ID = 1156661)
3:08 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/saix.dll\ (2 subtraces) (ID = 1156667)
3:08 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\saix.dll (ID = 1156675)
3:08 AM: Found Adware: winantivirus pro
3:08 AM: HKLM\software\winantivirus pro 2006\ (ID = 1216196)
3:08 AM: HKCR\mm06ocx.mm06ocxf\ (3 subtraces) (ID = 1323762)
3:08 AM: HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (27 subtraces) (ID = 1323770)
3:08 AM: HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (9 subtraces) (ID = 1323794)
3:08 AM: HKLM\software\classes\mm06ocx.mm06ocxf\ (3 subtraces) (ID = 1323810)
3:08 AM: HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (27 subtraces) (ID = 1323818)
3:08 AM: HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (9 subtraces) (ID = 1323842)
3:08 AM: HKLM\software\microsoft\code store database\distribution units\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (13 subtraces) (ID = 1323895)
3:08 AM: Found Trojan Horse: trojan-backdoor-forbot
3:08 AM: HKLM\system\controlset001\services\ntndis\ (11 subtraces) (ID = 1335340)
3:08 AM: HKLM\system\currentcontrolset\services\ntndis\ (11 subtraces) (ID = 1335361)
3:08 AM: HKCR\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (7 subtraces) (ID = 1497876)
3:08 AM: HKCR\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (7 subtraces) (ID = 1497938)
3:08 AM: Found Trojan Horse: trojan-backdoor-cyn
3:08 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg\ (4 subtraces) (ID = 1499383)
3:08 AM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 1499942)
3:08 AM: HKLM\software\classes\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (7 subtraces) (ID = 1502038)
3:08 AM: HKLM\software\classes\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (7 subtraces) (ID = 1502064)
3:08 AM: HKU\S-1-5-21-1062605415-1666023415-699853098-1005\software\ptech\ (4 subtraces) (ID = 125528)
3:08 AM: HKU\S-1-5-21-1062605415-1666023415-699853098-1005\software\system\sysuid\ (1 subtraces) (ID = 731748)
3:08 AM: Found Trojan Horse: trojan-backdoor-adagoe
3:08 AM: HKU\S-1-5-21-1062605415-1666023415-699853098-1005\software\microsoft\windows\currentversion\run\ || winmedia (ID = 1333205)
3:08 AM: Registry Sweep Complete, Elapsed Time:00:00:17
3:08 AM: Starting Cookie Sweep
3:08 AM: Found Spy Cookie: 2o7.net cookie
3:08 AM: marisa diver@2o7[1].txt (ID = 1957)
3:08 AM: Found Spy Cookie: 888 cookie
3:08 AM: marisa diver@888[1].txt (ID = 2019)
3:08 AM: marisa diver@888[2].txt (ID = 2019)
3:08 AM: Found Spy Cookie: websponsors cookie
3:08 AM: marisa diver@a.websponsors[1].txt (ID = 3665)
3:08 AM: Found Spy Cookie: about cookie
3:08 AM: marisa diver@about[1].txt (ID = 2037)
3:08 AM: Found Spy Cookie: adecn cookie
3:08 AM: marisa diver@adecn[1].txt (ID = 2063)
3:08 AM: Found Spy Cookie: adknowledge cookie
3:08 AM: marisa diver@adknowledge[2].txt (ID = 2072)
3:08 AM: Found Spy Cookie: aptimus cookie
3:08 AM: marisa diver@aptimus[2].txt (ID = 2233)
3:08 AM: Found Spy Cookie: ask cookie
3:08 AM: marisa diver@ask[1].txt (ID = 2245)
3:08 AM: Found Spy Cookie: atwola cookie
3:08 AM: marisa diver@atwola[1].txt (ID = 2255)
3:08 AM: Found Spy Cookie: belnk cookie
3:08 AM: marisa diver@belnk[1].txt (ID = 2292)
3:08 AM: Found Spy Cookie: bizrate cookie
3:08 AM: marisa diver@bizrate[2].txt (ID = 2308)
3:08 AM: Found Spy Cookie: casalemedia cookie
3:08 AM: marisa diver@casalemedia[1].txt (ID = 2354)
3:08 AM: Found Spy Cookie: cassava cookie
3:08 AM: marisa diver@cassava[1].txt (ID = 2362)
3:08 AM: marisa diver@dist.belnk[2].txt (ID = 2293)
3:08 AM: Found Spy Cookie: ru4 cookie
3:08 AM: marisa diver@edge.ru4[2].txt (ID = 3269)
3:08 AM: Found Spy Cookie: exitexchange cookie
3:08 AM: marisa diver@exitexchange[1].txt (ID = 2633)
3:08 AM: marisa diver@experts.about[1].txt (ID = 2038)
3:08 AM: Found Spy Cookie: fortunecity cookie
3:08 AM: marisa diver@fortunecity[2].txt (ID = 2686)
3:08 AM: Found Spy Cookie: go.com cookie
3:08 AM: marisa diver@go[1].txt (ID = 2728)
3:08 AM: Found Spy Cookie: clickandtrack cookie
3:08 AM: marisa diver@hits.clickandtrack[2].txt (ID = 2397)
3:08 AM: Found Spy Cookie: mywebsearch cookie
3:08 AM: marisa diver@mywebsearch[2].txt (ID = 3051)
3:08 AM: marisa diver@network.aptimus[1].txt (ID = 2235)
3:08 AM: Found Spy Cookie: realmedia cookie
3:08 AM: marisa diver@network.realmedia[2].txt (ID = 3236)
3:08 AM: Found Spy Cookie: nextag cookie
3:08 AM: marisa diver@nextag[1].txt (ID = 5014)
3:08 AM: Found Spy Cookie: offeroptimizer cookie
3:08 AM: marisa diver@offeroptimizer[2].txt (ID = 3087)
3:08 AM: Found Spy Cookie: partypoker cookie
3:08 AM: marisa diver@partypoker[1].txt (ID = 3111)
3:08 AM: Found Spy Cookie: pricegrabber cookie
3:08 AM: marisa diver@pricegrabber[2].txt (ID = 3185)
3:08 AM: marisa diver@realmedia[1].txt (ID = 3235)
3:08 AM: Found Spy Cookie: dealtime cookie
3:08 AM: marisa diver@stat.dealtime[2].txt (ID = 2506)
3:08 AM: Found Spy Cookie: trafficmp cookie
3:08 AM: marisa diver@trafficmp[2].txt (ID = 3581)
3:08 AM: Found Spy Cookie: tribalfusion cookie
3:08 AM: marisa diver@tribalfusion[1].txt (ID = 3589)
3:08 AM: marisa diver@tvplex.go[1].txt (ID = 2729)
3:08 AM: Found Spy Cookie: videodome cookie
3:08 AM: marisa diver@videodome[1].txt (ID = 3638)
3:08 AM: marisa diver@www.888[1].txt (ID = 2020)
3:08 AM: Found Spy Cookie: xiti cookie
3:08 AM: marisa diver@xiti[1].txt (ID = 3717)
3:08 AM: Found Spy Cookie: zedo cookie
3:08 AM: marisa diver@zedo[1].txt (ID = 3762)
3:08 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
3:09 AM: Starting File Sweep
3:09 AM: c:\program files\e2g (ID = -2147481074)
3:09 AM: a0172288.sys (ID = 290931)
3:09 AM: Found Trojan Horse: trojan-backdoor-5sec
3:09 AM: a0264803.dll (ID = 271760)
3:09 AM: Found Trojan Horse: trojan-downloader-evko.biz
3:09 AM: a0165953.exe (ID = 290922)
3:09 AM: a0173286.sys (ID = 290931)
3:09 AM: a0265803.dll (ID = 271760)
3:09 AM: a0263756.dll (ID = 271760)
3:09 AM: a0173292.sys (ID = 290931)
3:09 AM: Found Trojan Horse: trojan-backdoor-satellite
3:09 AM: a0167031.exe (ID = 306151)
3:09 AM: backup-20060622-235141-303.inf (ID = 297265)
3:09 AM: a0165955.exe (ID = 289297)
3:09 AM: Found Trojan Horse: trojan-downloader-asdbiz.biz
3:09 AM: a0167026.exe (ID = 80237)
3:09 AM: a0266931.dll (ID = 271760)
3:09 AM: a0170198.sys (ID = 290931)
3:09 AM: a0265818.dll (ID = 271760)
3:09 AM: safe.tlb (ID = 310783)
3:09 AM: a0174307.sys (ID = 290931)
3:09 AM: a0169174.sys (ID = 290931)
3:10 AM: a0168174.sys (ID = 290931)
3:10 AM: a0171247.sys (ID = 290931)
3:10 AM: a0263625.dll (ID = 271760)
3:10 AM: a0169199.sys (ID = 290931)
3:10 AM: a0167016.exe (ID = 297799)
3:10 AM: a0171288.sys (ID = 290931)
3:10 AM: a0263635.dll (ID = 271760)
3:10 AM: a0167017.exe (ID = 301428)
3:11 AM: a0165956.exe (ID = 297461)
3:11 AM: amm06.inf (ID = 297265)
3:11 AM: a0203787.exe (ID = 301428)
3:11 AM: a0165957.exe (ID = 301428)
3:11 AM: a0170248.sys (ID = 290931)
3:11 AM: Found Adware: spyware soft stop fakealert
3:11 AM: a0203704.dll (ID = 298514)
3:12 AM: a0203788.exe (ID = 300143)
3:12 AM: a0173287.exe (ID = 306239)
3:12 AM: Found Trojan Horse: trojan-downloader-terula
3:12 AM: a0169198.dll (ID = 284165)
3:12 AM: backup-20060623-132406-291.inf (ID = 297265)
3:12 AM: a0167008.dll (ID = 284165)
3:12 AM: kbdhco.exe (ID = 304838)
3:13 AM: a0265816.dll (ID = 288919)
3:13 AM: dxvwsyfy.exe (ID = 315951)
3:13 AM: yoinsi.exe (ID = 213483)
3:14 AM: dxvwvxiw.exe (ID = 315951)
3:14 AM: a0174312.sys (ID = 290931)
3:15 AM: dxvwtbjr.exe (ID = 315951)
3:15 AM: dxvwcsdg.exe (ID = 315951)
3:15 AM: a0175310.sys (ID = 290931)
3:15 AM: a0167025.exe (ID = 301390)
3:15 AM: Found Adware: spysheriff fakealert
3:15 AM: secure32.html (ID = 184319)
3:15 AM: dxvwhhjw.exe (ID = 315951)
3:15 AM: Found Trojan Horse: trojan-downloader-vip
3:15 AM: a0167009.exe (ID = 294532)
3:15 AM: Found Trojan Horse: trojan-backdoor-us15info
3:15 AM: a0166999.exe (ID = 183857)
3:15 AM: a0167006.exe (ID = 287338)
3:15 AM: a0175315.sys (ID = 290931)
3:15 AM: a0262349.exe (ID = 296330)
3:15 AM: a0263804.dll (ID = 288919)
3:15 AM: Found Adware: surfsidekick
3:15 AM: a0263736.dll (ID = 304383)
3:16 AM: a0203707.exe (ID = 294532)
3:16 AM: dxvwzidi.exe (ID = 315951)
3:16 AM: a0203716.dll (ID = 288202)
3:16 AM: a0262524.dll (ID = 304383)
3:17 AM: mfex-1.dat (ID = 306160)
3:17 AM: Found Adware: ezula ilookup
3:17 AM: justin2a.exe (ID = 279493)
3:17 AM: a0203710.dll (ID = 288202)
3:17 AM: a0203712.dll (ID = 295119)
3:17 AM: backup-20060622-235141-543.dll (ID = 214221)
3:17 AM: backup-20060622-235141-303.dll (ID = 306160)
3:18 AM: backup-20060623-132406-291.dll (ID = 306160)
3:18 AM: a0203719.exe (ID = 306239)
3:18 AM: Found Adware: mediamotor - popuppers
3:18 AM: unstall.exe (ID = 304324)
3:19 AM: a0171267.sys (ID = 290931)
3:19 AM: dxvwhtxb.exe (ID = 315951)
3:19 AM: backup-20060623-091218-449.dll (ID = 214221)
3:19 AM: a0165959.exe (ID = 287338)
3:20 AM: a0263805.dll (ID = 271760)
3:21 AM: a0262621.dll (ID = 271760)
3:21 AM: a0263737.dll (ID = 304384)
3:22 AM: a0169193.exe (ID = 287338)
3:23 AM: Found Adware: sicro dialer
3:23 AM: switchagreement.txt (ID = 76024)
3:24 AM: a0167007.exe (ID = 301668)
3:24 AM: dxvwzwli.exe (ID = 315951)
3:24 AM: amm06.ocx (ID = 306160)
3:26 AM: a0233199.exe (ID = 299865)
3:26 AM: a0262525.dll (ID = 304384)
3:27 AM: a0262551.exe (ID = 303011)
3:28 AM: a0262523.exe (ID = 304385)
3:28 AM: a0265812.dll (ID = 214221)
3:29 AM: a0266967.dll (ID = 214221)
3:30 AM: uni_ehhh.exe (ID = 296335)
3:30 AM: a0266946.dll (ID = 214221)
3:30 AM: Found Trojan Horse: trojan-downloader-game4all.biz
3:30 AM: dlh9jkdq7.exe (ID = 311181)
3:30 AM: a0263689.dll (ID = 271760)
3:31 AM: dxvwvptm.exe (ID = 315951)
3:31 AM: Found Adware: system doctor 2006
3:31 AM: sd2006.exe (ID = 306302)
3:31 AM: Found Adware: bravesentry fakealert
3:31 AM: a0203715.exe (ID = 297973)
3:31 AM: iebhos.dll (ID = 214221)
3:31 AM: a0257401.exe (ID = 242074)
3:31 AM: unin101.exe (ID = 296334)
3:31 AM: dxvwrtyl.exe (ID = 315951)
3:31 AM: dxvwbnmc.exe (ID = 315951)
3:32 AM: Found Trojan Horse: trojan-downloader-vj
3:32 AM: a0203713.exe (ID = 295237)
3:34 AM: Found Adware: internetoptimizer
3:34 AM: a0262352.exe (ID = 288489)
3:34 AM: dxvwulns.exe (ID = 315951)
3:34 AM: elitemediagroupoinuninstaller.exe (ID = 213484)
3:35 AM: a0203714.exe (ID = 288204)
3:38 AM: a0249293.exe (ID = 298392)
3:39 AM: dxvwfghs.exe (ID = 315951)
3:39 AM: a0261386.exe (ID = 296336)
3:40 AM: a0262350.exe (ID = 296329)
3:41 AM: a0262580.exe (ID = 304385)
3:42 AM: a0203705.exe (ID = 289297)
3:42 AM: a0187576.dll (ID = 298514)
3:42 AM: a0187575.exe (ID = 289297)
3:42 AM: a0203750.exe (ID = 297973)
3:42 AM: Found Trojan Horse: trojan-downloader-galapoper
3:42 AM: a0203751.exe (ID = 300016)
3:42 AM: a0203752.exe (ID = 300107)
3:42 AM: a0203706.exe (ID = 301668)
3:43 AM: a0203786.exe (ID = 287338)
3:43 AM: dxvwekvp.exe (ID = 315951)
3:45 AM: a0165954.exe (ID = 242074)
3:45 AM: amm06.inf (ID = 297265)
3:45 AM: a0203789.exe (ID = 80237)
3:47 AM: d_kmd.sys (ID = 238540)
3:48 AM: a0203718.dll (ID = 295119)
3:48 AM: inicfg32.dll (ID = 288919)
3:48 AM: amm06.ocx (ID = 306160)
3:49 AM: a0167027.exe (ID = 290922)
3:51 AM: a0203790.exe (ID = 289297)
3:51 AM: a0169191.exe (ID = 289297)
3:52 AM: a0262581.exe (ID = 304385)
3:53 AM: a0263799.dll (ID = 214221)
3:54 AM: a0262412.exe (ID = 306302)
3:56 AM: secure32.html (ID = 184319)
3:58 AM: dlh9jkdq1.exe (ID = 289300)
3:58 AM: ntndis.sys (ID = 290931)
3:59 AM: a0265843.exe (ID = 304838)
3:59 AM: Found Adware: elitemediagroup-pop64
3:59 AM: thiselt.exe (ID = 296393)
4:00 AM: a0262592.dll (ID = 288919)
4:00 AM: a0262557.dll (ID = 302237)
4:00 AM: a0262558.dll (ID = 304383)
4:00 AM: a0262559.dll (ID = 304384)
4:00 AM: a0262560.exe (ID = 304385)
4:00 AM: Found Adware: webhancer
4:00 AM: a0262448.exe (ID = 83849)
4:00 AM: a0262454.dll (ID = 288919)
4:00 AM: a0257400.exe (ID = 303912)
4:00 AM: a0262488.exe (ID = 300086)
4:02 AM: uwa6p_0001_n822m1605netinstaller.exe (ID = 308695)
4:02 AM: usdr6_0001_d09m0706netinstaller.exe (ID = 315815)
4:03 AM: a0262489.exe (ID = 306300)
4:03 AM: a0262452.exe (ID = 83849)
4:03 AM: tagasuarus2.exe (ID = 301974)
4:03 AM: a0262582.dll (ID = 299522)
4:03 AM: a0262487.dll (ID = 300090)
4:03 AM: a0262453.exe (ID = 300092)
4:03 AM: Found Adware: logih adware
4:03 AM: start.inf (ID = 183606)
4:03 AM: backup-20060623-132407-797.inf (ID = 208224)
4:05 AM: a0262450.ini (ID = 188794)
4:05 AM: a0262457.ini (ID = 188799)
4:05 AM: winats.inf (ID = 208224)
4:05 AM: Found System Monitor: potentially rootkit-masked files
4:05 AM: ntndis.exe (ID = 0)
4:08 AM: File Sweep Complete, Elapsed Time: 00:59:44
4:08 AM: Full Sweep has completed. Elapsed time 01:04:48
4:08 AM: Traces Found: 519
4:19 AM: Removal process initiated
4:20 AM: Quarantining All Traces: 180search assistant/zango
4:20 AM: Quarantining All Traces: potentially rootkit-masked files
4:20 AM: Quarantining All Traces: purityscan
4:20 AM: Quarantining All Traces: spysheriff fakealert
4:20 AM: Quarantining All Traces: trojan-backdoor-5sec
4:20 AM: Quarantining All Traces: trojan-backdoor-cyn
4:20 AM: Quarantining All Traces: trojan-backdoor-forbot
4:20 AM: Quarantining All Traces: trojan-backdoor-msdcom32
4:21 AM: Quarantining All Traces: trojan-backdoor-satellite
4:21 AM: Quarantining All Traces: trojan-backdoor-us15info
4:21 AM: Quarantining All Traces: trojan-downloader-game4all.biz
4:21 AM: Quarantining All Traces: trojan-downloader-vj
4:21 AM: Quarantining All Traces: bravesentry fakealert
4:21 AM: Quarantining All Traces: e2g
4:21 AM: e2g is in use. It will be removed on reboot.
4:21 AM: inicfg32.dll is in use. It will be removed on reboot.
4:21 AM: C:\WINDOWS\system32\inicfg32.dll is in use. It will be removed on reboot.
4:21 AM: Quarantining All Traces: elitemediagroup-mediamotor
4:21 AM: Quarantining All Traces: enbrowser
4:21 AM: Quarantining All Traces: internetoptimizer
4:21 AM: Quarantining All Traces: spyware soft stop fakealert
4:21 AM: Quarantining All Traces: surfsidekick
4:21 AM: Quarantining All Traces: trojan-backdoor-adagoe
4:21 AM: Quarantining All Traces: trojan-downloader-asdbiz.biz
4:21 AM: Quarantining All Traces: trojan-downloader-evko.biz
4:21 AM: Quarantining All Traces: trojan-downloader-galapoper
4:21 AM: Quarantining All Traces: trojan-downloader-terula
4:21 AM: Quarantining All Traces: trojan-downloader-vip
4:21 AM: Quarantining All Traces: trojan-phisher-metafisher
4:21 AM: Quarantining All Traces: elitemediagroup-pop64
4:21 AM: Quarantining All Traces: ezula ilookup
4:21 AM: Quarantining All Traces: logih adware
4:21 AM: Quarantining All Traces: mediamotor - popuppers
4:21 AM: Quarantining All Traces: mirar webband
4:21 AM: Quarantining All Traces: security toolbar
4:21 AM: Quarantining All Traces: sicro dialer
4:21 AM: Quarantining All Traces: system doctor 2006
4:21 AM: Quarantining All Traces: webhancer
4:21 AM: Quarantining All Traces: winantivirus pro
4:21 AM: Quarantining All Traces: 2o7.net cookie
4:21 AM: Quarantining All Traces: 888 cookie
4:21 AM: Quarantining All Traces: about cookie
4:21 AM: Quarantining All Traces: adecn cookie
4:21 AM: Quarantining All Traces: adknowledge cookie
4:21 AM: Quarantining All Traces: aptimus cookie
4:21 AM: Quarantining All Traces: ask cookie
4:21 AM: Quarantining All Traces: atwola cookie
4:21 AM: Quarantining All Traces: belnk cookie
4:21 AM: Quarantining All Traces: bizrate cookie
4:21 AM: Quarantining All Traces: casalemedia cookie
4:21 AM: Quarantining All Traces: cassava cookie
4:21 AM: Quarantining All Traces: clickandtrack cookie
4:21 AM: Quarantining All Traces: dealtime cookie
4:21 AM: Quarantining All Traces: exitexchange cookie
4:21 AM: Quarantining All Traces: fortunecity cookie
4:21 AM: Quarantining All Traces: go.com cookie
4:22 AM: Quarantining All Traces: mywebsearch cookie
4:22 AM: Quarantining All Traces: nextag cookie
4:22 AM: Quarantining All Traces: offeroptimizer cookie
4:22 AM: Quarantining All Traces: partypoker cookie
4:22 AM: Quarantining All Traces: pricegrabber cookie
4:22 AM: Quarantining All Traces: realmedia cookie
4:22 AM: Quarantining All Traces: ru4 cookie
4:22 AM: Quarantining All Traces: trafficmp cookie
4:22 AM: Quarantining All Traces: tribalfusion cookie
4:22 AM: Quarantining All Traces: videodome cookie
4:22 AM: Quarantining All Traces: websponsors cookie
4:22 AM: Quarantining All Traces: winantispyware 2005
4:22 AM: Quarantining All Traces: xiti cookie
4:22 AM: Quarantining All Traces: zedo cookie
4:22 AM: Warning: Launched explorer.exe
4:22 AM: Warning: Quarantine process could not restart Explorer.
4:22 AM: Removal process completed. Elapsed time 00:03:03
********
2:58 AM: | Start of Session, Saturday, June 24, 2006 |
2:58 AM: Spy Sweeper started
2:59 AM: Your spyware definitions have been updated.
3:03 AM: | End of Session, Saturday, June 24, 2006 |

-------------------------------------------------------------------------------------------

SUBSEQUENT HJT LOG (following reboot) ...

Logfile of HijackThis v1.99.1
Scan saved at 4:38:55 AM, on 6/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\aexplore.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [SystemTools]
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Edited by MamaRamona, 24 June 2006 - 04:34 AM.


#15 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 24 June 2006 - 09:03 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O4 - HKLM\..\RunServices: [SystemTools]

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O20 - AppInit_DLLs: inicfg32.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\inicfg32.dll
C:\Program Files\E2G

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
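The four entries picked out above were chosen by reading two logs side by side: the HijackThis O2/O4/O16/O20 lines and the Spy Sweeper registry sweep and removal messages. The script below is an added example, not part of this thread and not code from HijackThis or Webroot, that does the same correlation mechanically. The sample lines are copied from the logs posted above (a handful only, not the complete logs); the triage rules (a BHO whose CLSID the sweeper also reported, an autorun entry with no command, an ActiveX download point that is not an http(s) URL, a non-empty AppInit_DLLs, and any entry naming a file the sweeper said was in use) are my own heuristics, not a rule set from either tool.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis log and the
# Spy Sweeper log posted in this thread (not the complete logs).
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [SystemTools]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\MARISA~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

SPY_SWEEPER_LOG = r"""
3:08 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ (ID = 125492)
3:08 AM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 1499942)
4:21 AM: e2g is in use. It will be removed on reboot.
4:21 AM: C:\WINDOWS\system32\inicfg32.dll is in use. It will be removed on reboot.
"""

HJT_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
LOCKED_RE = re.compile(r":\s+(\S+) is in use\.")


def sweeper_bho_clsids(sweeper_text):
    """CLSIDs the Spy Sweeper registry sweep reported under the BHO key (lowercased)."""
    found = set()
    for line in sweeper_text.splitlines():
        if "browser helper objects" in line.lower():
            found.update(m.group(0).lower() for m in CLSID_RE.finditer(line))
    return found


def sweeper_locked_items(sweeper_text):
    """Names (file or trace) the sweeper could not remove because they were in use."""
    locked = set()
    for line in sweeper_text.splitlines():
        m = LOCKED_RE.search(line)
        if m:
            locked.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return locked


def triage_hjt(hjt_text, sweeper_text):
    """Return [(hjt_line, [reasons])] for entries worth fixing, in log order.

    Heuristic rules (assumptions for this example, not HijackThis logic)."""
    bho_hits = sweeper_bho_clsids(sweeper_text)
    locked = sweeper_locked_items(sweeper_text)
    flagged = []
    for line in hjt_text.strip().splitlines():
        m = HJT_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec == "O2":
            # BHO whose CLSID the sweeper also found in the BHO registration key
            if {c.lower() for c in CLSID_RE.findall(body)} & bho_hits:
                reasons.append("BHO CLSID also reported by the Spy Sweeper registry sweep")
        elif sec == "O4":
            # "[Name] command": a name with no command is not a normal autorun entry
            am = re.search(r"\[[^\]]*\]\s*(?P<cmd>.*)$", body)
            if am and not am.group("cmd").strip():
                reasons.append("autorun entry has a name but no command")
        elif sec == "O16":
            # Downloaded Program Files should come from a web URL, not a local CHM/temp path
            target = body.rsplit(" - ", 1)[-1].strip()
            if not re.match(r"https?://", target, re.I):
                reasons.append("ActiveX download source is not an http(s) URL (scheme %r)"
                               % target.split(":", 1)[0])
        elif sec == "O20" and body.lower().startswith("appinit_dlls:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll
            if body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs is set")
        # Any entry naming something the sweeper reported as in use
        for item in sorted(locked):
            if re.search(r"(?<!\w)" + re.escape(item) + r"(?!\w)", body, re.I):
                reasons.append("references %s, which the sweeper could not remove" % item)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_hjt(HJT_LOG, SPY_SWEEPER_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```

Run as-is it prints exactly the four lines the reply above tells the poster to fix, and leaves the Yahoo, AOL, Panda and Webroot entries alone. The correlation with the sweeper's "is in use" messages is what ties the AppInit_DLLs line to C:\WINDOWS\System32\inicfg32.dll and the BHO to the C:\Program Files\E2G folder, which is why those two paths are the ones handed to Killbox for deletion on reboot.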



