
Hijackthis Log: Please Help Diagnose



#1 hmania39

Posted 04 August 2006 - 11:22 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:16:22 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\pspvideo9\pspvideo9.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\dfndrff_7.exe
C:\kybrdff_7.exe
C:\WINDOWS\ms070213-113449.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\40 year old\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjygs.exe
F2 - REG:system.ini: UserInit=userinit.exe,begjdrf.exe
O1 - Hosts: 70.86.135.18 WWW.FUTURE-FTA.COM
O1 - Hosts: 70.86.135.18 FUTURE-FTA.COM
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\pspvideo9\pspvideo9.exe -t
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [ms070213-113449] C:\WINDOWS\ms070213-113449.exe
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O4 - HKLM\..\Run: [0204971154188542mcinstcleanup] C:\DOCUME~1\40YEAR~1\LOCALS~1\Temp\020497~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\winlogin.exe
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\winlogin.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134249905516
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\irj0l51m1.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#2 hmania39

Posted 04 August 2006 - 01:51 PM

I'm getting like 30 pop-ups every 5 minutes. Can someone please help!

#3 -David-

Posted 04 August 2006 - 01:53 PM

Please post a new HijackThis log and in Notepad be sure to click on Format and place a check mark beside "word wrap" so the log will be easier to read.
David

#4 hmania39

Posted 05 August 2006 - 06:28 AM

OK thanks. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:06 AM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\cysplcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\pspvideo9\pspvideo9.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\dfndrff_7.exe
C:\kybrdff_7.exe
C:\WINDOWS\cysplcsA.exe
C:\WINDOWS\ms070213-113449.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\nwnmff_7.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Elaborate Bytes\CloneDVD2\CloneDVD2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Documents and Settings\40 year old\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjygs.exe
F2 - REG:system.ini: UserInit=userinit.exe,begjdrf.exe
O1 - Hosts: 70.86.135.18 WWW.FUTURE-FTA.COM
O1 - Hosts: 70.86.135.18 FUTURE-FTA.COM
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\pspvideo9\pspvideo9.exe -t
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [cysplcsA] C:\WINDOWS\cysplcsA.exe
O4 - HKLM\..\Run: [ms070213-113449] C:\WINDOWS\ms070213-113449.exe
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [0204971154188542mcinstcleanup] C:\DOCUME~1\40YEAR~1\LOCALS~1\Temp\020497~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\winlogin.exe
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\winlogin.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...138302D2D2D.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134249905516
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\k4lq0e35eh.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\NDAgeWVhciBvbGQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cysplcs.exe
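As an added example (not part of the thread, and not code from HijackThis itself), the script below parses entries in the HijackThis v1.99.1 format shown above and flags the kinds of lines a helper reads first: extra programs in the system.ini Shell/UserInit values, hosts-file redirections, silent Trusted Zone additions, the Winsock LSP hijack, the text/html MIME filter, Winlogon Notify DLLs, and autostarts from the drive root or with generated or lookalike names. The host allowlist, the list of imitated system binaries and the naming heuristics are assumptions of this example, and the sample log is constructed from the same kinds of entries.

```python
import difflib
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 format: one entry of each kind that matters above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjygs.exe
F2 - REG:system.ini: UserInit=userinit.exe,begjdrf.exe
O1 - Hosts: 70.86.135.18 WWW.FUTURE-FTA.COM
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\winlogin.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\k4lq0e35eh.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cysplcs.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BINARY_RE = re.compile(r'\S+\.(?:exe|dll|com|scr|cpl)\b', re.I)
# Assumed allowlist of stock home/search hosts; extend it for your own defaults.
ALLOWED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
# Assumed short list of Windows binaries that malware likes to imitate.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe"}

def binary_path(text):
    """First path-like token ending in an executable extension, as a PureWindowsPath
    (quotes and the doubled backslash HijackThis prints for root files are dropped)."""
    m = BINARY_RE.search(text)
    raw = m.group(0) if m else text.strip()
    return PureWindowsPath(raw.strip('"').replace("\\\\", "\\"))

def looks_random(name):
    """Heuristic for generated names: 4+ letters with no vowel (pjygs, jycfvd) or letters
    interleaved with digits (k4lq0e35eh). Hits a few legitimate names too: it is a worklist."""
    stem = name.rsplit(".", 1)[0].lower()
    letters = re.sub(r"[^a-z]", "", stem)
    digits = re.sub(r"[^0-9]", "", stem)
    if len(letters) < 4:
        return False
    if not any(c in "aeiou" for c in letters):
        return True
    return len(digits) >= 2 and re.search(r"\d[a-z]", stem) is not None

def lookalike(name):
    """True when a name is almost, but not exactly, a system binary (winlogin.exe)."""
    if name in SYSTEM_NAMES:
        return False
    return any(difflib.SequenceMatcher(None, name, s).ratio() >= 0.85 for s in SYSTEM_NAMES)

def check_entry(section, body):
    """Return a reason the entry deserves a closer look, or None if it looks routine."""
    if section in ("R0", "R1"):
        value = body.split("=", 1)[-1].strip()
        host = urlparse(value).hostname if value.startswith("http") else None
        if host and host not in ALLOWED_HOSTS:
            return f"browser home/search setting points at {host}"
    elif section == "F2":
        # system.ini Shell=/UserInit=: anything after the stock binary is an extra program.
        extras = [p.strip() for p in body.split("=", 1)[-1].split(",")[1:] if p.strip()]
        if extras:
            return "extra program started at logon: " + ", ".join(extras)
    elif section == "O1":
        ip = body.split()[1]
        if ip not in ("127.0.0.1", "::1"):
            return f"hosts file redirects a name to {ip}"
    elif section == "O4":
        p = binary_path(body.split("]", 1)[1] if "]" in body else body.split("=", 1)[-1])
        name = p.name.lower()
        if p.drive and len(p.parts) == 2:
            return f"autostart runs {name} from the drive root"
        if lookalike(name) or looks_random(name):
            return f"autostart runs {name}, a lookalike or generated-looking name"
    elif section == "O10":
        return "Winsock LSP chain modified: " + body
    elif section == "O15":
        return "site added to the IE Trusted Zone: " + body.split(":", 1)[-1].strip()
    elif section == "O18" and body.startswith("Filter: text/html"):
        return "text/html MIME filter " + binary_path(body).name + " sees every page loaded"
    elif section == "O20" or (section == "O23" and "Unknown owner" in body):
        name = binary_path(body).name.lower()
        if looks_random(name) or lookalike(name) or "(file missing)" in body:
            return f"{section} entry loads {name}: no publisher or generated-looking name"
    return None

def triage(log_text):
    """Return [(section, reason, body), ...] for every entry worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        reason = check_entry(*m.groups()) if m else None
        if reason:
            hits.append((m.group("section"), reason, m.group("body")))
    return hits
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the worklist; entries it does not flag (R0 with the MSN start page, the ATI service) are left for the usual manual review.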

#5 -David-

Posted 05 August 2006 - 03:27 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs.
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

2) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

3) Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from the URL above (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.

4) Please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
  • You can go ahead and delete the old setup file from your desktop.
5) Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

6) Launch Ewido by double clicking on the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab.
  • Then click on the "Complete System Scan" button.
  • If you have any infections you will be asked for an action - select "apply all actions".
  • Now select the "Reports" icon at the top.
  • Click "Save Report As" and save the text file to your desktop.
  • Close Ewido and reboot back into normal mode.
7) Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

So please post back with:
1) A new Hijackthis log
2) The combofix log
3) The uninstall list.
4) The ewido log.

David

#6 hmania39

Posted 05 August 2006 - 07:01 PM

OK here it is...

Ad-Aware SE Personal
Adobe Photoshop 5.5
Adobe Reader 7.0.8
Alcohol 120%
AnyDVD
Ares 1.8.8
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Antivirus
AviSynth 2.5
Barbie™ Horse Adventures™
BitLord 1.1
Cake Mania (remove only)
Camtasia Studio 3
Channel Master
Client Hack 1.9.2d
CloneDVD
CloneDVD2
C-Media 3D Audio
Craxtion4
Dash Popup Killer v1.0
Diablo II
Disney's Toontown Online
DivX Codec 3.1alpha release
DivX Player
D-Link VGA Webcam
dvdSanta 4.00
Equestriad 2001
File Writer output plugin for WinAMP 2 v1.17© (remove only)
FlashFXP v3
FlashFXP v3.02 (Build 1044) Scene Edition (Repack)
Google Toolbar for Internet Explorer
Guild Wars
HijackThis 1.99.1
Horse and Pony Tycoon 1.13
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Lemonade Tycoon 2 (remove only)
Let's Ride 3 Day Eventing - Championship Season
Let's Ride Corral Club (remove only)
LimeWire 4.10.9
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic ISO Maker v4.6 (build 0124)
Mavis Beacon Teaches Typing 9.0.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
mIRC
Mpeg Layer3 Codec FHG-Radium v1.263
MSN Music Assistant
Mystic Island v3.22
Neopets
Nero 6 Ultra Edition
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
Panda ActiveScan
PcBugDoctor 1,0,0,3
Pet Profiles Screen Saver
Petz 4
Petz 5
PetzPlayer
Poogle Analysis Screen Saver
PowerQuest PartitionMagic Pro 7.0
PSP Video 9 1.74
Puppy Luv (remove only)
Realtek AC'97 Audio
Registry Mechanic
Riding Star
Sandlot Games Client Services
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shrine Circus Tycoon (remove only)
SONIC ADVENTURE DX-Director's Cut
SonicStage 3.2
SpongeBob Diner Dash (remove only)
SpongeBob SquarePants Diner Dash (remove only)
Spybot - Search & Destroy 1.4
TopText iLookup
UO Auto-Map
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Ventrilo Client
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
World of Warcraft
XLink Kai Evolution 7
XviD MPEG-4 Codec
Zoo Tycoon: Complete Collection

#7 hmania39

Posted 05 August 2006 - 09:44 PM

OK, sorry, here is the rest of the info you wanted.

First the new Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:48 PM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\yaicsm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\pspvideo9\pspvideo9.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\40 year old\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pjygs.exe
F2 - REG:system.ini: UserInit=userinit.exe,begjdrf.exe
O1 - Hosts: 70.86.135.18 WWW.FUTURE-FTA.COM
O1 - Hosts: 70.86.135.18 FUTURE-FTA.COM
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\pspvideo9\pspvideo9.exe -t
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O4 - HKLM\..\Run: [0204971154188542mcinstcleanup] C:\DOCUME~1\40YEAR~1\LOCALS~1\Temp\020497~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [yrmssk] C:\WINDOWS\system32\yaicsm.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [untut] C:\WINDOWS\system32\yaicsm.exe reg_run
O4 - Startup: Dash Popup Killer v1.0.lnk = C:\Program Files\DashPopupKiller\DashPopupKiller.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: rhtdy.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134249905516
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\lv6409jqe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Then the combo fix log:

Start Time= Sat 08/05/2006 22:20:20.71
Running from: C:\Documents and Settings\40 year old\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{D897548C-93E2-457F-9D27-1D16448B4E09}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D897548C-93E2-457F-9D27-1D16448B4E09}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{D897548C-93E2-457F-9D27-1D16448B4E09}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D897548C-93E2-457F-9D27-1D16448B4E09}\InprocServer32]
@="C:\\WINDOWS\\system32\\amwav.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\lv6409jqe.dll
C:\WINDOWS\SYSTEM32\m6nqlg5516.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

22:23:55.49

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\yaicsm.exe
C:\WINDOWS\system32\begjdrf.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-04 12:11:22 127,488 "C:\WINDOWS\system32\yaicsm.exe"
2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-07-18 19:09:32 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-07-18 19:09:32 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-07-18 19:09:32 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-07-28 10:47:30 176,128 "C:\WINDOWS\system32\jycfvd.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-07-18 19:13:54 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-05-31 05:02:04 624,640 "C:\WINDOWS\system32\aswBoot.exe"
2006-07-28 21:38:34 23,552 "C:\WINDOWS\system32\begjdrf.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-08-05 22:12:24 51,712 "C:\WINDOWS\system32\fhhcjuq.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-07-18 19:13:52 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-22 06:47:18 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-07-18 19:13:52 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-06-14 21:13:42 102,400 "C:\WINDOWS\system32\tsccvid.dll"
2006-07-18 19:13:54 28,672 "C:\WINDOWS\system32\vxblock.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-07-18 19:09:32 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-07-18 19:09:32 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-07-18 19:09:32 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-07-18 19:13:56 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-07-18 19:13:54 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-06-19 19:32:44 151,552 "C:\WINDOWS\system32\pxwma.dll"
2006-08-05 22:12:24 127,488 "C:\WINDOWS\system32\fwwfe.dat"
2006-08-04 09:24:10 205 "C:\WINDOWS\trnpt.dll"
2006-08-05 22:14:08 291 "C:\WINDOWS\xuoij.dll"
2006-07-28 21:38:28 53 "C:\WINDOWS\nvocpq.dat"
2006-08-05 20:10:58 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rhtdy.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


08/05/2006 10:12 PM 127,488 fwwfe.dat.vir
08/05/2006 08:10 PM 127,488 rhtdy.exe.vir
08/04/2006 12:11 PM 127,488 yaicsm.exe.vir
08/05/2006 10:12 PM 51,712 fhhcjuq.dll.vir
07/28/2006 09:38 PM 23,552 begjdrf.exe.vir
08/04/2006 09:24 AM 205 trnpt.dll.vir
07/28/2006 09:38 PM 53 nvocpq.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-05-31 05:02:04 624,640 "C:\WINDOWS\system32\aswBoot.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-07-18 19:13:52 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-22 06:47:18 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-07-18 19:13:52 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-06-14 21:13:42 102,400 "C:\WINDOWS\system32\tsccvid.dll"
2006-07-18 19:13:54 28,672 "C:\WINDOWS\system32\vxblock.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-07-18 19:09:32 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-07-18 19:09:32 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-07-18 19:09:32 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-07-28 10:47:30 176,128 "C:\WINDOWS\system32\jycfvd.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-07-18 19:13:54 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-07-18 19:09:32 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-07-18 19:09:32 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-07-18 19:09:32 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-07-18 19:13:56 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-07-18 19:13:54 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-06-19 19:32:44 151,552 "C:\WINDOWS\system32\pxwma.dll"
2006-08-05 22:14:08 291 "C:\WINDOWS\xuoij.dll"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-05 22:14:08 291 ( A.... ) "C:\WINDOWS\xuoij.dll"
2006-08-05 20:06:32 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-05 19:46:36 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 21:29:06 128370 ( A.... ) "C:\WINDOWS\eZinstall.exe"
2006-08-04 21:28:54 ( .D... ) "C:\Program Files\DashPopupKiller"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:43:18 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-04 11:12:40 349149 ( A.... ) "C:\WINDOWS\win32103-1134490212006.exe"
2006-08-04 11:12:40 ( .D... ) "C:\Program Files\webHancer"
2006-08-04 10:45:50 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\SiteAdvisor"
2006-08-04 10:35:52 61952 ( A.... ) "C:\WINDOWS\system32\dvm38829.dll"
2006-08-01 13:12:52 ( .D... ) "C:\Program Files\TechSmith"
2006-08-01 11:55:06 ( .D... ) "C:\Program Files\DivX"
2006-07-29 17:31:08 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\McAfee"
2006-07-29 00:20:16 ( .D... ) "C:\Program Files\McAfee.com"
2006-07-28 22:36:00 ( .D... ) "C:\Program Files\XoftSpy"
2006-07-28 21:40:32 ( .D... ) "C:\Program Files\TClock"
2006-07-28 21:38:34 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-28 21:38:20 ( .D... ) "C:\Program Files\Common Files\{BC610D9B-07CA-1033-0311-030412310001}"
2006-07-28 10:47:30 176128 ( A.... ) "C:\WINDOWS\system32\jycfvd.dll"
2006-07-25 12:42:30 ( .D... ) "C:\Program Files\Disney"
2006-07-25 11:04:40 ( .D... ) "C:\Program Files\Cake Mania"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-18 19:14:00 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-07-18 19:13:54 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-07-18 19:13:52 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-07-18 19:13:52 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-07-18 19:09:32 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-07-18 19:09:32 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-07-18 19:09:32 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-07-18 19:09:32 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-07-18 19:09:32 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-07-18 19:09:32 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-07-18 19:09:32 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-07-18 19:09:32 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-07-17 14:38:50 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
2006-07-17 14:30:22 ( .D... ) "C:\Program Files\Sega"
2006-07-17 13:16:00 ( .D... ) "C:\Program Files\wgens170"
2006-07-13 16:14:00 19048 ( A.... ) "C:\Documents and Settings\40 year old\Application Data\GDIPFONTCACHEV1.DAT"
2006-07-11 19:11:10 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\Ventrilo"
2006-07-11 19:10:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-11 19:10:12 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-19 19:33:42 ( .D... ) "C:\Program Files\Sony Corporation"
2006-06-19 19:32:44 151552 ( ..... ) "C:\WINDOWS\system32\pxwma.dll"
2006-06-19 19:32:44 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-19 19:31:28 ( .D... ) "C:\Program Files\Sony"
2006-06-19 19:30:52 ( .D... ) "C:\Program Files\Common Files\Sony Shared"
2006-06-19 19:30:52 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\Sony Corporation"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-15 06:42:58 ( .D... ) "C:\Program Files\Horse and Pony Tycoon"
2006-06-14 21:13:42 102400 ( A.... ) "C:\WINDOWS\system32\tsccvid.dll"
2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( ..... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-05 19:46 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-05 19:46 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-05 19:46 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-08-04 21:29 65,536 C:\WINDOWS\system32\ezstub.exe
2006-08-04 21:29 128,370 C:\WINDOWS\eZinstall.exe
2006-08-04 11:12 349,149 C:\WINDOWS\win32103-1134490212006.exe
2006-08-01 13:13 102,400 C:\WINDOWS\system32\tsccvid.dll
2006-07-28 21:43 176,128 C:\WINDOWS\system32\jycfvd.dll
2006-07-28 21:39 61,952 C:\WINDOWS\system32\dvm38829.dll
2006-07-28 21:39 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-28 21:39 1,167 C:\WINDOWS\system32\dvm38829.sys
2006-07-28 21:38 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-28 21:38 291 C:\WINDOWS\xuoij.dll
2006-07-18 19:13 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-07-18 19:13 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-07-18 19:13 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-07-18 19:09 90,112 C:\WINDOWS\system32\dpl100.dll
2006-07-18 19:09 593,920 C:\WINDOWS\system32\dpuGUI11.dll
2006-07-18 19:09 57,344 C:\WINDOWS\system32\dpv11.dll
2006-07-18 19:09 53,248 C:\WINDOWS\system32\dpuGUI10.dll
2006-07-18 19:09 344,064 C:\WINDOWS\system32\dpus11.dll
2006-07-18 19:09 294,912 C:\WINDOWS\system32\dpu11.dll
2006-07-18 19:09 294,912 C:\WINDOWS\system32\dpu10.dll
2006-07-18 19:09 200,704 C:\WINDOWS\system32\dtu100.dll
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
"I/O Controllers"="svcnet.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"PSPVideo9"="C:\\Program Files\\pspvideo9\\pspvideo9.exe -t"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"CloneDVDElbyDelay"="\"C:\\Program Files\\Elaborate Bytes\\CloneDVD\\ElbyCheck.exe\" /L ElbyDelay"
"dvm38829"="RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a"
"0204971154188542mcinstcleanup"="C:\\DOCUME~1\\40YEAR~1\\LOCALS~1\\Temp\\020497~1.EXE C:\\PROGRA~1\\COMMON~1\\McAfee\\INSTAL~1\\cleanup.ini -cleanup -nolog"
"Cleanup"="c:\\program files\\mcafee.com\\shared\\mcappins.exe /v=3 /cleanup"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"I/O Controllers"="svcnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c0,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Sat 08/05/2006 22:36:18.14
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

The uninstall list you already have in the previous post.

And finally the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:10:20 PM 8/5/2006

+ Scan result:



C:\Documents and Settings\40 year old\Start Menu\Programs\EARN -> Adware.eZula : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Start Menu\Programs\EARN\About EARN.lnk -> Adware.eZula : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Start Menu\Programs\EARN\EARN website.url -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\INSTALL.LOG -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Layer_Bottom.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Layer_Center.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Layer_Top.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Follow_Left.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Follow_Off.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Follow_On.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Follow_Right.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Follow_divider.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Top.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\PopUp_Top_Bottom.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Side_B.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Side_L.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Side_R.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\Side_Top.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\arrow1.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\arrow2.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\button_small.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\icon.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\new.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\Images\spacer.gif -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\UNWISE.EXE -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\basis.dst -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\basis.kwd -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\basis.pu -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\basis.pu.dyn -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\basis.rst -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\eabh.dll -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\genun.ez -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\legend.lgn -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\mmod.exe -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\param.ez -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\rwds.rst -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\search.src -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\upgrade.vrn -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\version.vrn -> Adware.eZula : Cleaned with backup (quarantined).
C:\Program Files\eZula\wndbannn.src -> Adware.eZula : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nsl41.dll -> Adware.EZula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\eZulaBootExe.EXE -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\eZulaMain.EXE -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\eZulaAgent.IEObject -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\eZulaAgent.IEObject.1 -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\eZulaAgent.IEObject\CLSID -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\eZulaAgent.IEObject\CurVer -> Adware.Ezula : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula -> Adware.Ezula : Cleaned with backup (quarantined).
HKU\S-1-5-21-1844237615-1682526488-854245398-1003\Software\eZula -> Adware.Ezula : Cleaned with backup (quarantined).
HKU\S-1-5-21-1844237615-1682526488-854245398-1003\Software\eZula\Setup -> Adware.Ezula : Cleaned with backup (quarantined).
HKU\S-1-5-21-1844237615-1682526488-854245398-1003\Software\eZula\Setup\ID -> Adware.Ezula : Cleaned with backup (quarantined).
HKU\S-1-5-21-1844237615-1682526488-854245398-1003\Software\eZula\Setup\path -> Adware.Ezula : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\amwav.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dBd8thk.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\enj8l11u1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\h40q0ed5eh0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv2q09f5e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\m0460ahsed460.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
[700] C:\WINDOWS\system32\dBd8thk.dll -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\Jeremy\Local Settings\Temp\ICD1.tmp\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\ICD2.tmp\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Samm\Local Settings\Temporary Internet Files\Content.IE5\PW9GLRQM\util[1].js -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\SET62.tmp -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\SET65.tmp -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\da35.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Nessy Bessy\Local Settings\Temporary Internet Files\Content.IE5\KP6R09E3\PuppyLuv-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\LemonadeTycoon2Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\Petz4-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\PuppyLuv-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\ShrineCircusTycoonSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\SpongeBobDinerDash-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\TeddyFactory-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\Twistingo-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
E:\LetsRideSetup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\3QP7R92B\3[1].jpg -> Backdoor.Afcore.cq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hlinywe.dll -> Backdoor.Afcore.cr : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\892Z41AN\nwnmff_7[1].exe -> Downloader.Adload.dj : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\AZAJ21M3\kybrdff_7[1].exe -> Downloader.Adload.dl : Cleaned with backup (quarantined).
C:\bintheredunthat\kybrdff_7.exe -> Downloader.Adload.dl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\!update.exe -> Downloader.PurityScan.cu : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\sdexe.exe -> Downloader.PurityScan.cu : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHPOXACP\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\EXQ1Y30V\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fwwfe.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[792] C:\WINDOWS\system32\fhhcjuq.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w436826a.dll_tobedeleted -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\AZAJ21M3\drsmartload46a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\ODUROPAJ\drsmartload45a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\W509YFG1\drsmartload849a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\40 year old\Local Settings\Temp\Temporary Internet Files\Content.IE5\A3WNQP8Z\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
C:\visfx500new.exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
C:\SS1001newer.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\3QP7R92B\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\3QP7R92B\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\3QP7R92B\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\3QP7R92B\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\8DKEVSNR\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\8DKEVSNR\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\8DKEVSNR\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\8DKEVSNR\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\8DKEVSNR\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP3APUJO\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHPOXACP\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeremy\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHPOXACP\wallpap[1].exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\MSN\kyze.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\howymy.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U9AB67UN\wallpap[1].exe -> Hijacker.Small.jf : Cleaned with backup (

#8 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 04:04 AM

Sorry to be a nuisance, but it is really important you follow the instructions in the right order.
You ran Hijackthis to save a logfile before running Combofix:

combo fix log:
Start Time= Sat 08/05/2006 22:20:20

Hijackthis:
Scan saved at 10:17:48 PM, on 8/5/2006

So please run a new scan with Combofix, then Hijackthis and post the logs.
Sorry for the inconvenience, but it's important.

David :thumbsup:

#9 hmania39

  • Topic Starter
  • Members
  • 7 posts

Posted 06 August 2006 - 11:09 AM

OK, here is the ComboFix log

Start Time= Sun 08/06/2006 12:05:21.06
Running from: C:\Documents and Settings\40 year old\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-05 22:14:08 291 ( A.... ) "C:\WINDOWS\xuoij.dll"
2006-08-05 20:06:32 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-05 19:46:36 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 21:29:06 128370 ( A.... ) "C:\WINDOWS\eZinstall.exe"
2006-08-04 21:28:54 ( .D... ) "C:\Program Files\DashPopupKiller"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:56:28 1167 ( A.... ) "C:\WINDOWS\system32\dvm38829.sys"
2006-08-04 11:43:18 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-04 11:12:40 349149 ( A.... ) "C:\WINDOWS\win32103-1134490212006.exe"
2006-08-04 11:12:40 ( .D... ) "C:\Program Files\webHancer"
2006-08-04 10:45:50 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\SiteAdvisor"
2006-08-04 10:35:52 61952 ( A.... ) "C:\WINDOWS\system32\dvm38829.dll"
2006-08-01 13:12:52 ( .D... ) "C:\Program Files\TechSmith"
2006-08-01 11:55:06 ( .D... ) "C:\Program Files\DivX"
2006-07-29 17:31:08 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\McAfee"
2006-07-29 00:20:16 ( .D... ) "C:\Program Files\McAfee.com"
2006-07-28 22:36:00 ( .D... ) "C:\Program Files\XoftSpy"
2006-07-28 21:40:32 ( .D... ) "C:\Program Files\TClock"
2006-07-28 21:38:34 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-28 21:38:20 ( .D... ) "C:\Program Files\Common Files\{BC610D9B-07CA-1033-0311-030412310001}"
2006-07-28 10:47:30 176128 ( A.... ) "C:\WINDOWS\system32\jycfvd.dll"
2006-07-25 12:42:30 ( .D... ) "C:\Program Files\Disney"
2006-07-25 11:04:40 ( .D... ) "C:\Program Files\Cake Mania"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-18 19:14:00 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-07-18 19:13:54 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-07-18 19:13:52 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-07-18 19:13:52 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-07-18 19:09:32 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-07-18 19:09:32 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-07-18 19:09:32 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-07-18 19:09:32 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-07-18 19:09:32 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-07-18 19:09:32 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-07-18 19:09:32 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-07-18 19:09:32 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-07-17 14:38:50 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
2006-07-17 14:30:22 ( .D... ) "C:\Program Files\Sega"
2006-07-17 13:16:00 ( .D... ) "C:\Program Files\wgens170"
2006-07-13 16:14:00 19048 ( A.... ) "C:\Documents and Settings\40 year old\Application Data\GDIPFONTCACHEV1.DAT"
2006-07-11 19:11:10 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\Ventrilo"
2006-07-11 19:10:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-11 19:10:12 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-19 19:33:42 ( .D... ) "C:\Program Files\Sony Corporation"
2006-06-19 19:32:44 151552 ( ..... ) "C:\WINDOWS\system32\pxwma.dll"
2006-06-19 19:32:44 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-19 19:31:28 ( .D... ) "C:\Program Files\Sony"
2006-06-19 19:30:52 ( .D... ) "C:\Program Files\Common Files\Sony Shared"
2006-06-19 19:30:52 ( .D... ) "C:\Documents and Settings\40 year old\Application Data\Sony Corporation"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-15 06:42:58 ( .D... ) "C:\Program Files\Horse and Pony Tycoon"
2006-06-14 21:13:42 102400 ( A.... ) "C:\WINDOWS\system32\tsccvid.dll"
2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( ..... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-05 19:46 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-05 19:46 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-05 19:46 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-08-04 21:29 65,536 C:\WINDOWS\system32\ezstub.exe
2006-08-04 21:29 128,370 C:\WINDOWS\eZinstall.exe
2006-08-04 11:12 349,149 C:\WINDOWS\win32103-1134490212006.exe
2006-08-01 13:13 102,400 C:\WINDOWS\system32\tsccvid.dll
2006-07-28 21:43 176,128 C:\WINDOWS\system32\jycfvd.dll
2006-07-28 21:39 61,952 C:\WINDOWS\system32\dvm38829.dll
2006-07-28 21:39 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-28 21:39 1,167 C:\WINDOWS\system32\dvm38829.sys
2006-07-28 21:38 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-28 21:38 291 C:\WINDOWS\xuoij.dll
2006-07-18 19:13 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-07-18 19:13 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-07-18 19:13 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-07-18 19:09 90,112 C:\WINDOWS\system32\dpl100.dll
2006-07-18 19:09 593,920 C:\WINDOWS\system32\dpuGUI11.dll
2006-07-18 19:09 57,344 C:\WINDOWS\system32\dpv11.dll
2006-07-18 19:09 53,248 C:\WINDOWS\system32\dpuGUI10.dll
2006-07-18 19:09 344,064 C:\WINDOWS\system32\dpus11.dll
2006-07-18 19:09 294,912 C:\WINDOWS\system32\dpu11.dll
2006-07-18 19:09 294,912 C:\WINDOWS\system32\dpu10.dll
2006-07-18 19:09 200,704 C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
"I/O Controllers"="svcnet.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"PSPVideo9"="C:\\Program Files\\pspvideo9\\pspvideo9.exe -t"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"CloneDVDElbyDelay"="\"C:\\Program Files\\Elaborate Bytes\\CloneDVD\\ElbyCheck.exe\" /L ElbyDelay"
"dvm38829"="RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a"
"0204971154188542mcinstcleanup"="C:\\DOCUME~1\\40YEAR~1\\LOCALS~1\\Temp\\020497~1.EXE C:\\PROGRA~1\\COMMON~1\\McAfee\\INSTAL~1\\cleanup.ini -cleanup -nolog"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"I/O Controllers"="svcnet.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c0,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Sun 08/06/2006 12:05:31.78
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-06.120521.txt


And here is the HijackThis file

Logfile of HijackThis v1.99.1
Scan saved at 12:07:20 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\pspvideo9\pspvideo9.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\DashPopupKiller\DashPopupKiller.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\40 year old\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
O1 - Hosts: 70.86.135.18 WWW.FUTURE-FTA.COM
O1 - Hosts: 70.86.135.18 FUTURE-FTA.COM
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\pspvideo9\pspvideo9.exe -t
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O4 - HKLM\..\Run: [0204971154188542mcinstcleanup] C:\DOCUME~1\40YEAR~1\LOCALS~1\Temp\020497~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - Startup: Dash Popup Killer v1.0.lnk = C:\Program Files\DashPopupKiller\DashPopupKiller.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134249905516
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B3F2D8F-DA80-4569-B811-962D1214D5B3}: NameServer = 192.168.123.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

thank you

#10 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 02:56 PM

Hello there hmania39!

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

2) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\svcnet.exe
C:\WINDOWS\system32\w436826a.dll
C:\WINDOWS\xuoij.dll
C:\WINDOWS\eZinstall.exe
C:\WINDOWS\system32\dvm38829.sys
C:\WINDOWS\win32103-1134490212006.exe
C:\WINDOWS\system32\dvm38829.dll
C:\WINDOWS\media_motor_bundle.exe
C:\Program Files\Common Files\{BC610D9B-07CA-1033-0311-030412310001}\update.exe
C:\WINDOWS\system32\jycfvd.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

3) Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"I/O Controllers"=-
"dvm38829"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"I/O Controllers"=-

Save this as "fix.reg". Choose to save as *all files and place it on your desktop.
It should look like this: [image]
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

4) Please find and delete the following folders:
C:\Program Files\webHancer
C:\Program Files\TClock
C:\Program Files\Common Files\{BC610D9B-07CA-1033-0311-030412310001}

5) Please reboot and post a new ComboFix log and a new HijackThis log.
Also let me know how the computer is running.
David

Edited by D-Trojanator, 06 August 2006 - 02:56 PM.
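As an added example (not part of this thread, and not HijackThis's own logic), a small Python triage script that parses lines in the HijackThis log format and flags the kinds of entries David's fix list targets: R1 search settings redirected to a third-party host, O4 Run entries whose command carries no path, O15 Trusted Zone additions, O16 DPF entries served out of a local .chm, and an O18 text/html filter DLL. The sample log is constructed from entries quoted above, and the flagging rules are illustrative heuristics, not an authoritative whitelist.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 log format, modelled on the thread's entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [dvm38829] RUNDLL32.EXE w436826a.dll,n 002388270000000a436826a
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Jeremy\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\jycfvd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def flag_entries(text):
    """Heuristic triage: return (section, reason, body) for entries worth a closer look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "R1":
            # Search settings pointing anywhere but Microsoft usually mean a browser hijack
            host = urlparse(body.split(" = ", 1)[-1]).hostname or ""
            if host and not host.endswith("microsoft.com"):
                findings.append((section, "search setting points at third-party host", body))
        elif section == "O4":
            # Run value with no path in its command: resolved via the search path (svcnet.exe, rundll32 loader)
            parts = body.split("] ", 1)[-1].split()
            if parts and "\\" not in parts[0]:
                findings.append((section, "Run entry without full path", body))
        elif section == "O15":
            # Trusted Zone entries lower IE's security settings for the listed domain
            findings.append((section, "Trusted Zone addition", body))
        elif section == "O16" and "mk:@MSITStore:" in body:
            # ActiveX cab served from a local .chm in Temp rather than from a web server
            findings.append((section, "DPF loaded from local .chm", body))
        elif section == "O18" and body.startswith("Filter: text/html"):
            # A text/html MIME filter DLL can rewrite every page IE renders
            findings.append((section, "text/html MIME filter", body))
    return findings
```

Calling `flag_entries(SAMPLE_LOG)` returns six findings and leaves the legitimate O23 ATI service untouched.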


#11 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 20 August 2006 - 09:52 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



