Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs
#1
Non Stop popups
Please help, here's my HJT Log:
#2
Hello,
Download the trial version of Ewido Security Suite from here and install it.
After installation, double-click the icon on your Desktop to launch Ewido.
On the top of the main screen click Shield. Then click the word active to change it to inactive.
You will need to also update Ewido to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you have problems with the updater, you can use this link to manually update Ewido.
Now close Ewido (don't scan just yet).

Reboot into Safe Mode. At startup tap F8 and select Safe Mode (see here).
Make sure all windows are closed and run Ewido.
Click Scanner, then click on the Scan tab.
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.
Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.
Then reboot back to Normal Mode.
Run a new scan with HijackThis and post that and the Ewido log back here please.

Download combofix.exe.
Double click combofix.exe & follow the prompts.
A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
#3
In order: Ewido, then HJT, Combofix, then hjt after combofix.
#4
Continued:
#5
Continued:
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINDOWS\msexplore.exe (file missing) O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing) O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe |
#6
Steve - 06-09-06 5:18:53.64
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Steve\My Documents Microsoft Windows XP [Version 5.1.2600] ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))) ) * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * * O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\system32\kjcyhc.exe O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\System32\kjcyhc.exe F2 -REG:system.ini: Shell C:\WINDOWS\System32\bttdh.exe F2 -REG:system.ini: UserInit C:\WINDOWS\system32\moahrhb.exe * * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * * 2006-09-02 15:44 127488 C:\WINDOWS\system32\kjcyhc.exe 2006-09-06 05:14 51712 C:\WINDOWS\system32\qqcyykm.dll 2006-09-02 15:44 23552 C:\WINDOWS\system32\moahrhb.exe 2006-09-02 15:44 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\droan.exe 2006-09-03 22:28 538 C:\WINDOWS\jfjfy.dll 2006-09-06 05:14 127488 C:\WINDOWS\system32\qhrct.dat 2006-09-02 15:44 28672 C:\WINDOWS\system32\bttdh.exe * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * * 06-09-02 15:44 127488 droan.exe.qoo 06-09-02 15:44 127488 kjcyhc.exe.qoo 06-09-06 05:14 127488 qhrct.dat.qoo 06-09-06 05:14 51712 qqcyykm.dll.qoo 06-09-02 15:44 28672 bttdh.exe.qoo 06-09-02 15:44 23552 moahrhb.exe.qoo 06-09-03 22:28 53 voweno.dat.qoo DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\keyboard1.dat C:\deskbar3.exe C:\WINDOWS\system32\aaa00000.sys C:\Program Files\batty2 C:\Program Files\cmfibula C:\Program Files\Deskbar C:\Program Files\PSLister C:\WINDOWS\system32\crunner C:\Program Files\Common Files\{64B1B0C7-0D3F-1033-0322-041214040001} ((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 )))))))))))))))))))))))))))))))))) 
2006-09-03 22:16 49,700 --a------ C:\WINDOWS\system32\winsecure.exe 2006-09-03 10:36 45,568 -r-hs---- C:\WINDOWS\svchost.exe 2006-09-02 22:02 159,744 --a------ C:\WINDOWS\sys016893667271.exe 2006-09-02 15:51 126,976 --a------ C:\WINDOWS\system32\ieserv.exe 2006-09-02 15:50 215,308 --a------ C:\WINDOWS\Setup90.exe 2006-09-02 15:49 186,219 --a------ C:\WINDOWS\srvymnnmbu.exe 2006-09-02 15:45 186,223 --a------ C:\WINDOWS\srvhhjxwjh.exe 2006-09-02 15:44 538 --a------ C:\WINDOWS\jfjfy.dll 2006-09-02 15:40 215,308 --a------ C:\WINDOWS\srvmdhpzvq.exe 2006-09-02 01:20 40,973 ---h----- C:\WINDOWS\system32\ssqrstq.dll 2006-09-01 21:57 699,272 ---hs---- C:\WINDOWS\system32\prutv.bak1 2006-08-29 17:10 321 --a------ C:\zzkzdz.exe 2006-08-16 23:59 778,240 C:\WINDOWS\system32Petz 5.scr 2006-08-14 17:52 78,848 --a------ C:\WINDOWS\system32\nse2B.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2006-09-06 05:19 -------- d-a------ C:\Program Files\Common Files 2006-09-06 03:57 -------- d-------- C:\Program Files\Windows Media Player 2006-09-06 03:57 -------- d-------- C:\Program Files\Messenger 2006-09-06 03:57 -------- d-------- C:\Program Files\Common Files\misc002 2006-09-05 23:14 -------- d-------- C:\Program Files\ewido anti-malware 2006-09-05 19:30 -------- d-------- C:\Program Files\IrfanView 2006-09-05 07:16 -------- d-------- C:\Program Files\Windows NT 2006-09-02 15:41 -------- d-------- C:\Program Files\Common Files\umrm 2006-09-01 20:49 -------- d-------- C:\Program Files\eMule 2006-08-29 16:58 133120 --a------ C:\WINDOWS\system32\sfc_os.dll 2006-08-28 22:10 -------- d-------- C:\Documents and Settings\Steve\Application Data\Skype 2006-08-25 22:53 -------- d-------- C:\Documents and Settings\Steve\Application Data\IMVU 2006-08-25 22:41 -------- d-------- C:\Program Files\World of Warcraft 2006-08-17 00:31 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-08-17 00:31 
-------- d-------- C:\Program Files\LucasArts 2006-08-17 00:01 -------- d-------- C:\Program Files\directx 2006-08-16 23:59 -------- d-------- C:\Program Files\Ubi Soft 2006-07-08 19:54 -------- d---s---- C:\Documents and Settings\Steve\Application Data\Microsoft 2006-07-08 19:54 -------- d-------- C:\Program Files\Real 2006-07-08 19:54 -------- d-------- C:\Program Files\Common Files\Microsoft Shared 2006-07-08 19:53 -------- d-------- C:\Program Files\MSN Messenger 2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup" "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit" "MS taskbar"="crssr.exe" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.ex e" "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe" "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices] "Microsoft Windows schedule"="scheduls.exe" "MS taskbar"="crssr.exe" "Microsoft web update"="webmsn.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices-] "AdobeReaderPros"="sysmsn.exe" "Microsoft Windows Message Service"="winsms.exe" "Microsoft NetDDE Control"="spoolsvc.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre 
ntVersion\policies\explorer\Run] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00 ,34,03,00,00,de,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff ,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23 ,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run] "Windows CMS Protocol"="cmss.exe" "MS taskbar"="crssr.exe" "Windows mplayercodex Services"="MSPF.EXE" "Windows Securenet"="MPp.EXE" "umrm"="C:\\PROGRA~1\\COMMON~1\\umrm\\umrmm.ex e" "gxnri"="C:\\WINDOWS\\System32\\kjcyhc.exe reg_run" "PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\"" "CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\"" "cprocsvc"="C:\\WINDOWS\\System32\\crunner\\cproc. 
exe" [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Runonce] "Del41"="" [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Runservices] "Windows mplayercodex Services"="MSPF.EXE" "Windows Securenet"="MPp.EXE" [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer\Run] "{64B1B0C7-0D3F-1033-0322-041214040001}"="\"C:\\Program Files\\Common Files\\{64B1B0C7-0D3F-1033-0322-041214040001}\\Update.exe\" mc-110-12-0000509" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows CMS Protocol"="cmss.exe" "MS taskbar"="crssr.exe" "Windows mplayercodex Services"="MSPF.EXE" "Windows Securenet"="MPp.EXE" "umrm"="C:\\PROGRA~1\\COMMON~1\\umrm\\umrmm.ex e" "gxnri"="C:\\WINDOWS\\System32\\kjcyhc.exe reg_run" "PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\"" "CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\"" "cprocsvc"="C:\\WINDOWS\\System32\\crunner\\cproc. 
exe" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon ce] "Del41"="" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runse rvices] "Windows mplayercodex Services"="MSPF.EXE" "Windows Securenet"="MPp.EXE" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer\Run] "{64B1B0C7-0D3F-1033-0322-041214040001}"="\"C:\\Program Files\\Common Files\\{64B1B0C7-0D3F-1033-0322-041214040001}\\Update.exe\" mc-110-12-0000509" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard" "{B3D86720-11FA-492E-97E0-7411E80EF26D}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk.disabled" "backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnk.disabledCommon Startup" "location"="Common Startup" "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk.disabled" "item"="Acrobat Assistant.lnk" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^droan.exe] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\droan.exe" "backup"="C:\\WINDOWS\\pss\\droan.exeCommon Startup" "location"="Common Startup" "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\droan.exe" "item"="droan" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start 
Menu^Programs^Startup^InterVideo Scheduler server.lnk.disabled] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo Scheduler server.lnk.disabled" "backup"="C:\\WINDOWS\\pss\\InterVideo Scheduler server.lnk.disabledCommon Startup" "location"="Common Startup" "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo Scheduler server.lnk.disabled" "item"="InterVideo Scheduler server.lnk" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk.disabled" "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnk.disabledCommon Startup" "location"="Common Startup" "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk.disabled" "item"="InterVideo WinCinema Manager.lnk" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nkcu.exe] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nkcu.exe" "backup"="C:\\WINDOWS\\pss\\nkcu.exeCommon Startup" "location"="Common Startup" "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nkcu.exe" "item"="nkcu" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^LimeWire On Startup.lnk] "path"="C:\\Documents and Settings\\Steve\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk" "backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup" "location"="Startup" "command"="C:\\Program Files\\LimeWire\\LimeWire.exe -startup" "item"="LimeWire On Startup" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and 
Settings^Steve^Start Menu^Programs^Startup^Zeno.lnk] "path"="C:\\Documents and Settings\\Steve\\Start Menu\\Programs\\Startup\\Zeno.lnk" "backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup" "location"="Startup" "command"="C:\\WINDOWS\\system32\\rwinosai.exe FI002" "item"="Zeno" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Z_Start.lnk] "path"="C:\\Documents and Settings\\Steve\\Start Menu\\Programs\\Startup\\Z_Start.lnk" "backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup " "location"="Startup" "command"="C:\\WINDOWS\\system32\\dwdsregt.exe FI002" "item"="Z_Start" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="AOLLaunch" "hkey"="HKCU" "command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\gxnri] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="kjcyhc" "hkey"="HKCU" "command"="C:\\WINDOWS\\System32\\kjcyhc.exe reg_run" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\irssyncd] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="irssyncd" "hkey"="HKCU" "command"="C:\\WINDOWS\\System32\\irssyncd.exe " "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kbgqha] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="kjcyhc" 
"hkey"="HKLM" "command"="C:\\WINDOWS\\System32\\kjcyhc.exe reg_run" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows schedule] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="scheduls" "hkey"="HKLM" "command"="scheduls.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MS taskbar] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="crssr" "hkey"="HKCU" "command"="crssr.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="nwiz" "hkey"="HKLM" "command"="nwiz.exe /install" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ObjectLoader] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="5F" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\5F.tmp" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\services32] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="mc-110-12-0000230" "hkey"="HKCU" "command"="C:\\Program Files\\Common Files\\Windows\\mc-110-12-0000230.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="" "hkey"="HKCU" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\umrm] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="umrmm" "hkey"="HKCU" "command"="C:\\PROGRA~1\\COMMON~1\\umrm\\umrmm.exe " "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared 
Tools\MSCONFIG\Startupreg\Windows mplayercodex Services] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="MSPF" "hkey"="HKLM" "command"="MSPF.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinSock] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="6" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\6.tmp" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\winsync] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="lgdxsg" "hkey"="HKLM" "command"="C:\\WINDOWS\\System32\\lgdxsg.exe reg_run" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="ypager" "hkey"="HKCU" "command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run-] "BrowserUpdateSched"="C:\\WINDOWS\\System32\\rwino sai.exe FI002" "AdobeReaderPros"="sysmsn.exe" "0cw80lwc.dll"="RUNDLL32.EXE 0cw80lwc.dll,b 666875" "{1B-B0-0C-C7-ZN}"="C:\\windows\\system32\\rndsregn.exe FI002" "FastTVSync"="\"C:\\Program Files\\Common Files\\InterVideo\\FastTVSync\\FastTVSync.exe\"" "HostManager"="C:\\Program Files\\Common Files\\AOL\\1135579048\\ee\\AOLSoftware.exe" "Microsoft Windows Message Service"="winsms.exe" "IpNetwork"="C:\\Program Files\\Network\\ipnetwork.exe" "intell32.exe"="C:\\WINDOWS\\System32\\intell32.ex e" "elitemedia"="C:\\WINDOWS\\elitemediapop.exe" "COM Service"="C:\\WINDOWS\\System32\\comsvcs.exe" "susse"="\"C:\\WINDOWS\\System32\\hpsw.exe\"" "ObjectLoader"="C:\\WINDOWS\\system32\\5D.tmp" "Winsock2 driver"="SYSADWARE.EXE" "WinHound"="C:\\Program Files\\WinHound\\WinHound.exe" "winsync"="C:\\WINDOWS\\System32\\lgdxsg.exe reg_run" "WinSock"="C:\\WINDOWS\\system32\\3D.tmp" "Microsoft NetDDE Control"="spoolsvc.exe" Completion time: Wed 09/06/2006 5:23:48.76 ComboFix.txt |
#7
Logfile of HijackThis v1.99.1
Scan saved at 5:26:09 AM, on 9/6/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system\dllhost.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Documents and Settings\Steve\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {070DA93D-E51C-4207-BE80-3DFB27A4FB3C} - (no file) O2 - BHO: (no name) - {10A04627-AFAD-48C7-8779-60FA252D8125} - (no file) O2 - BHO: (no name) - {29389124-0536-4A80-9D1E-9C652F794FDA} - (no file) O2 - BHO: (no name) - {31100BB2-E1A7-445D-913F-2C8B2E8C9547} - (no file) O2 - BHO: (no name) - {3313C033-5C93-4476-A81A-880C0AF4B607} - (no file) O2 - BHO: (no name) - {38F94AC4-168D-458C-A650-9A10E0BF2C08} - (no file) O2 - BHO: (no name) - 
{3ED71CE9-8C91-490D-AD34-B47C5727B7D5} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {58619B2A-5E64-4874-92C4-53486132F9EB} - (no file) O2 - BHO: (no name) - {59AB8276-7E35-46BF-874C-78F22CD56E55} - (no file) O2 - BHO: (no name) - {62028556-8AEB-4870-8A28-8BBAB8D52999} - (no file) O2 - BHO: (no name) - {62957FB1-0C7A-49AB-A80A-AE3D7F3E977E} - (no file) O2 - BHO: (no name) - {6882BE75-5A7A-4D03-A446-6C2DF4CAD8BE} - (no file) O2 - BHO: (no name) - {90E51F65-BA0F-4674-9A99-7E2E0BE89D47} - (no file) O2 - BHO: (no name) - {94C926CD-774E-47CF-BB09-E1FEF1A065DB} - (no file) O2 - BHO: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {ABF95885-A691-414A-A3A0-C1492626BB18} - (no file) O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - (no file) O2 - BHO: (no name) - {CE210371-6813-4551-BCDE-D19386A8D865} - (no file) O2 - BHO: (no name) - {E50CC174-4095-460C-8949-0E47CE012C0C} - (no file) O2 - BHO: (no name) - {EA3537CF-4EA0-4AA0-A116-2B4F1F4681E7} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [MS taskbar] crssr.exe O4 - HKLM\..\RunServices: [Microsoft Windows schedule] scheduls.exe O4 - HKLM\..\RunServices: [MS taskbar] crssr.exe O4 - HKLM\..\RunServices: [Microsoft web update] webmsn.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O9 - 
Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINDOWS\msexplore.exe (file missing) O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing) O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe THANKS SO FAR!!! |
#8
Run HijackThis and check the following:

O2 - BHO: (no name) - {070DA93D-E51C-4207-BE80-3DFB27A4FB3C} - (no file)
O2 - BHO: (no name) - {10A04627-AFAD-48C7-8779-60FA252D8125} - (no file)
O2 - BHO: (no name) - {29389124-0536-4A80-9D1E-9C652F794FDA} - (no file)
O2 - BHO: (no name) - {31100BB2-E1A7-445D-913F-2C8B2E8C9547} - (no file)
O2 - BHO: (no name) - {3313C033-5C93-4476-A81A-880C0AF4B607} - (no file)
O2 - BHO: (no name) - {38F94AC4-168D-458C-A650-9A10E0BF2C08} - (no file)
O2 - BHO: (no name) - {3ED71CE9-8C91-490D-AD34-B47C5727B7D5} - (no file)
O2 - BHO: (no name) - {58619B2A-5E64-4874-92C4-53486132F9EB} - (no file)
O2 - BHO: (no name) - {59AB8276-7E35-46BF-874C-78F22CD56E55} - (no file)
O2 - BHO: (no name) - {62028556-8AEB-4870-8A28-8BBAB8D52999} - (no file)
O2 - BHO: (no name) - {62957FB1-0C7A-49AB-A80A-AE3D7F3E977E} - (no file)
O2 - BHO: (no name) - {6882BE75-5A7A-4D03-A446-6C2DF4CAD8BE} - (no file)
O2 - BHO: (no name) - {90E51F65-BA0F-4674-9A99-7E2E0BE89D47} - (no file)
O2 - BHO: (no name) - {94C926CD-774E-47CF-BB09-E1FEF1A065DB} - (no file)
O2 - BHO: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - (no file)
O2 - BHO: (no name) - {CE210371-6813-4551-BCDE-D19386A8D865} - (no file)
O2 - BHO: (no name) - {E50CC174-4095-460C-8949-0E47CE012C0C} - (no file)
O2 - BHO: (no name) - {EA3537CF-4EA0-4AA0-A116-2B4F1F4681E7} - (no file)

Click FIX CHECKED

Post a new HijackThis log
#9
I've tried several times to fix the above items, but they keep appearing.
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 11:04:17 AM, on 9/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system\dllhost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win32082716893667.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {070DA93D-E51C-4207-BE80-3DFB27A4FB3C} - (no file)
O2 - BHO: (no name) - {10A04627-AFAD-48C7-8779-60FA252D8125} - (no file)
O2 - BHO: (no name) - {29389124-0536-4A80-9D1E-9C652F794FDA} - (no file)
O2 - BHO: (no name) - {31100BB2-E1A7-445D-913F-2C8B2E8C9547} - (no file)
O2 - BHO: (no name) - {3313C033-5C93-4476-A81A-880C0AF4B607} - (no file)
O2 - BHO: (no name) - {38F94AC4-168D-458C-A650-9A10E0BF2C08} - (no file)
O2 - BHO: (no name) - {3ED71CE9-8C91-490D-AD34-B47C5727B7D5} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {58619B2A-5E64-4874-92C4-53486132F9EB} - (no file)
O2 - BHO: (no name) - {59AB8276-7E35-46BF-874C-78F22CD56E55} - (no file)
O2 - BHO: (no name) - {62028556-8AEB-4870-8A28-8BBAB8D52999} - (no file)
O2 - BHO: (no name) - {62957FB1-0C7A-49AB-A80A-AE3D7F3E977E} - (no file)
O2 - BHO: (no name) - {6882BE75-5A7A-4D03-A446-6C2DF4CAD8BE} - (no file)
O2 - BHO: (no name) - {90E51F65-BA0F-4674-9A99-7E2E0BE89D47} - (no file)
O2 - BHO: (no name) - {94C926CD-774E-47CF-BB09-E1FEF1A065DB} - (no file)
O2 - BHO: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ABF95885-A691-414A-A3A0-C1492626BB18} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - (no file)
O2 - BHO: (no name) - {CE210371-6813-4551-BCDE-D19386A8D865} - (no file)
O2 - BHO: (no name) - {E50CC174-4095-460C-8949-0E47CE012C0C} - (no file)
O2 - BHO: (no name) - {EA3537CF-4EA0-4AA0-A116-2B4F1F4681E7} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MS taskbar] crssr.exe
O4 - HKLM\..\Run: [Windows mplayercodex Services] MSPF.EXE
O4 - HKLM\..\Run: [defender] C:\\dfndrff_15.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [zmaef988] RUNDLL32.EXE w007e1f1.dll,n 003ef98500000003007e1f1
O4 - HKLM\..\Run: [{1B-B0-0C-C7-ZN}] c:\windows\system32\dwdsregt.exe GEN001
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [win32082716893667] C:\WINDOWS\win32082716893667.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win32097168936672] C:\WINDOWS\win32097168936672.exe
O4 - HKLM\..\Run: [sys016893667271] C:\WINDOWS\sys016893667271.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms043667271689] C:\WINDOWS\ms043667271689.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_15.exe
O4 - HKLM\..\Run: [uaruigtA] C:\WINDOWS\uaruigtA.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows schedule] scheduls.exe
O4 - HKLM\..\RunServices: [MS taskbar] crssr.exe
O4 - HKLM\..\RunServices: [Microsoft web update] webmsn.exe
O4 - HKLM\..\RunServices: [Windows mplayercodex Services] MSPF.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows mplayercodex Services] MSPF.EXE
O4 - HKCU\..\Run: [MS taskbar] crssr.exe
O4 - HKCU\..\RunServices: [Windows mplayercodex Services] MSPF.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Clients Server Runtime Process - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Index (Remote Call Procedure) - Unknown owner - C:\WINDOWS\msexplore.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
#10
Please disable Spybot's TeaTimer and try again.
#11
* Please download Brute Force Uninstaller to your desktop.
Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet!
* Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter. Then, please go to Start > My Computer and navigate to the C:\BFU folder.