problem with adware, please help (HighjackThis log)

Unknown · March 2006

Hi I’m hoping you can help me as I’ve tried everything I can think of myself. A couple of days ago a host of pop-ups started appearing and my internet browser started randomly re-directing itself to crummy websites. I’ve scanned for spyware and adware, but there is always at least one file that cannot be deleted and the problem never goes away. I have also been getting error messages about “run DLL as an APP” I’m assuming this is linked as the files that cannot be deleted are invariably DLL files.
I browsed a few topics of people that have had similar problems, but could do with some more specific advice as i'm what might be called an everyday PC user.

Anyway, please help me if you can, below is a HijackThis log

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 15:57:32, on 21/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\lvj2091oe.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

Hi,

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

theartknife · March 2006

Hey, thanks so much for your reply, i really appreciate the help.

right so far so good, i'd done as you said and the error message i was getting on startup has gone, so that's a step in the right direction.
below is the Look2Me-Destroyer.txt document and a new HiJackThis log

thanks again
************************************************

Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 3/21/2006 11:53:11 PM

Infected! C:\WINDOWS\system32\k8800ilme8qa0.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069035.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069037.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069078.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069086.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069104.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069112.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069125.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069169.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069423.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069424.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069434.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069443.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069459.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069468.dll
Infected! C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069469.dll
Infected! C:\WINDOWS\system32\en66l1js1.dll
Infected! C:\WINDOWS\system32\gui32.dll
Infected! C:\WINDOWS\system32\ir0ol5d31.dll
Infected! C:\WINDOWS\system32\k8800ilme8qa0.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k8800ilme8qa0.dll
C:\WINDOWS\system32\k8800ilme8qa0.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069035.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069035.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069037.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP275\A0069037.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069078.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069078.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069086.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP276\A0069086.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069104.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069104.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069112.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069112.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069125.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069125.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069169.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069169.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069423.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069423.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069424.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069424.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069434.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069434.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069443.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069443.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069459.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069459.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069468.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069468.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069469.dll
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0069469.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en66l1js1.dll
C:\WINDOWS\system32\en66l1js1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gui32.dll
C:\WINDOWS\system32\gui32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir0ol5d31.dll
C:\WINDOWS\system32\ir0ol5d31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k8800ilme8qa0.dll
C:\WINDOWS\system32\k8800ilme8qa0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8362D848-18D3-48E0-98A4-73759F9D7E3C}"
HKCR\Clsid\{8362D848-18D3-48E0-98A4-73759F9D7E3C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A2CAB27C-31F7-4B87-9A20-F0321E54481F}"
HKCR\Clsid\{A2CAB27C-31F7-4B87-9A20-F0321E54481F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BCC70DF8-7F76-4284-AC64-9D461671859E}"
HKCR\Clsid\{BCC70DF8-7F76-4284-AC64-9D461671859E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

****************************************************

Logfile of HijackThis v1.99.1
Scan saved at 00:02:55, on 22/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

OK log is looking better. I think we might be able to take care of the rest without using any more tools, but we'll see. You might want to print these instructions as you will not have access to the internet for part of this fix. First make sure you can view all hidden files and folders explained below:

Click "Start".
Click "My Computer".
Select the "Tools" menu and click "Folder Options".
Select the "View" tab.
Under the "Hidden files and folders" heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Uncheck the "Hide file extensions for known file types".
Click "OK".

Next run Hijack This again and put a check (tick) next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

Close all other browsers/windows and click Fix Checked. Close Hijack This.

Next restart the PC in safe mode. Do this by rebooting and then begin repeatedly tapping the F8 key. Keep tapping the F8 key until the advanced boot options menu appears. Scroll with the arrow keys to the top choice which is safe mode. Press enter.

Once in safe mode use Windows Explorer to navigate to the following folders. In all cases when I ask you to delete a file or folder do not be alarmed if they don't exist:

Go to this folder:

C:\Program Files\Common Files\

Find and delete the following file and/or folders:

mc-110-12-0000228.exe<---This file.
VCClient<---This folder.

Navigate to this folder:

C:\windows\

Delete these files:

winsysupd8.exe
gimmygames.exe

Using the Windows Search feature please search for the following file (be sure to include hidden files in your search):

p2pnetworking.exe

Delete all instances of that file that you find.

Next reboot the PC in normal mode and post another Hijack This log.

theartknife · March 2006

great, my system is allready running much more smoothly and no more pop-ups. I carried out your instructions, the HiJackThis log is below.
Just a couple of other things, when i rebooted my after doing everything you advised, freeprodtb downloaded a .exe file onto my desktop and my AVG anti virus software caught a couple of warnings of infected objects as follows..
C:\Windows\system32\dr.exe
C:\Windows\system32\xxx.exe

not sure if this is relevant, but thought i would mention it.

thanks again.

******************************
Logfile of HijackThis v1.99.1
Scan saved at 02:16:29, on 22/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

Well we might need to bring out some more muscle. Please download Ewido Anti-Malware from my signature below. Install the program and set it up according to the instructions below:

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

Once the updates are installed do the following:
If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Click on scanner
Click on Settings
- Under "How to scan" all boxes should be selected
- Under "Possibly unwanted software" all boxes should be selected
- Under "What to scan" select scan every file
- Click OK
Click on Complete system scan
Let the program scan the machine
If ewido finds anything, it will pop up a notification. Please check the box that says Perform action with all infections

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report
Save the report to your desktop
Exit ewido

Reboot the PC into normal mode and post the Ewido log and a fresh Hijack This log.

theartknife · March 2006

ok, done and done. This time i got a DOS interface window and a new error message on startup as follows.

C:Docume~1\xx\setup.exe
C:\WINDOWS\SYSTEM32\AUTOEXE.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close to terminate the application.

again, not sure if this is relevant, but thought it might be worth mentioning.

and so the reports...

*****************************************************

ewido anti-malware - Scan report

+ Created on: 10:06:56, 22/03/2006
+ Report-Checksum: BCAB2A7B

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-1957994488-1708537768-1343024091-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe -> Dropper.VB.me : Cleaned with backup
:mozilla.16:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.19:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.24:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.43:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.47:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.48:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.50:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.51:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.52:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.53:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.54:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.55:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.56:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.57:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.58:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.62:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.63:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.67:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.68:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.69:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.70:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.71:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.72:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.73:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.74:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.75:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.76:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.77:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.78:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.79:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.80:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.81:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.82:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.83:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.84:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.85:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.101:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.107:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.108:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.115:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.119:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.121:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.122:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.138:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.139:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup
:mozilla.141:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.142:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.143:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.144:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.145:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.146:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.147:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.153:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.169:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.170:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.171:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.174:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.175:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.184:C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\xx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3781ef88-4e8ca1fb.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\xx\exe.exe -> Dropper.VB.me : Cleaned with backup
C:\Documents and Settings\xx\im.exe -> Not-A-Virus.PSWTool.Win32.Messen.103 : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\!update.exe -> Downloader.PurityScan.bx : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\Cookies\xx@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\Cookies\xx@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\temp.fr520F -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\temp.fr9DDD -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temp\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\05MJS9AR\drdata[1].avi -> Dropper.Agent.aac : Cleaned with backup
C:\Documents and Settings\xx\pwha.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000140.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned with backup
C:\WINDOWS\system32\Ѕуmantec\winlogon.exe -> Downloader.PurityScan.bx : Cleaned with backup

::Report End

****************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:16:35, on 22/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

Please run a Panda Active Scan from my signature below. Allow the scan to delete whatever it finds. It will generate a log at the end. Please post the log here along with a fresh Hijack This log.

theartknife · March 2006

ok, that's done. reports as follows

and thanks again for sticking with me.

************************************
Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\wgkpom19.default\cookies.txt[]
Adware:adware/dyfuca Not disinfected C:\Documents and Settings\xx\Local Settings\Temp\cfout.txt
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\KLQNKDEV\freeprodtb[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\X00VW47Y\drdata[1].avi
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\XY54DSN4\dnscatcher[1].avi
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\XY54DSN4\launcher[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\DNS\cwebpage.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\InetGet2\direct.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\InetGet2\gimmysmileysB.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard21.dat
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\mc-110-12-0000140.exe
Virus:W32/IRCbot.VE.worm Disinfected C:\WINDOWS\system32\p2pnetworking.exe
****************************************************

Logfile of HijackThis v1.99.1
Scan saved at 00:37:19, on 23/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

No problem. I'll stick with you 'til the end. We'll get rid of it. This one is being a little contrary. Never seen it do this before. Anyway with that said this time run a Kaspersky online scan from my signature below. Allow the scan to delete whatever it finds. Post the log from Kaspersky as well as another fresh Hijack This log.

theartknife · March 2006

thnaks, that's good to hear. I'm not sure that the the Kaspersky online scan actually deleted anything. It didn't seem to offer any option to do so, maybe i missed something.
anyway, reports as follows.

**************************************************

KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 23, 2006 9:36:02 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/03/2006
Kaspersky Anti-Virus database records: 172444

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 90582
Number of viruses found: 6
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 00:48:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\X00VW47Y\drdata[1].avi Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\X00VW47Y\i[1].exe Infected: Trojan-Downloader.Win32.VB.zd skipped
C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\XY54DSN4\launcher[1].exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
C:\Documents and Settings\xx\Local Settings\Temporary Internet Files\Content.IE5\XY54DSN4\launcher[1].exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP261\A0067783.exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP277\A0070544.exe Infected: Trojan-Downloader.Win32.VB.zd skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070571.exe Infected: Trojan-Downloader.Win32.VB.zd skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070572.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070572.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070573.exe Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070577.exe Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070589.exe Infected: Trojan-Dropper.Win32.VB.me skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070590.exe Infected: Trojan-Dropper.Win32.VB.me skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070593.exe Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070620.exe Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070621.exe Infected: Trojan-Dropper.Win32.Agent.aac skipped
C:\System Volume Information\_restore{DDE10987-CEAA-42C7-AACC-EAD98E87FB8E}\RP278\A0070635.exe Infected: Backdoor.Win32.IRCBot.qc skipped
C:\WINDOWS\system32\mc-110-12-0000140.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
C:\WINDOWS\system32\mc-110-12-0000140.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\setup.exe.tmp Infected: Trojan-Downloader.Win32.VB.zd skipped

Scan process completed.

*******************************************************

Logfile of HijackThis v1.99.1
Scan saved at 09:43:00, on 23/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

Sorry this is taking so long. This one wants to hold on and not let go. First of all I need you to open the Windows Search feature and look for the following file (be sure to search hidden files and folders as well):

p2pnetworking.exe

Please post back and let me know where this file resides on your system (the full path to the file i.e C:\Windows\system32\xxxx.exe), every instance of it as well, especially if other instances have a different path. We're probably going to have to use a tool to kill some entries that are loading, but we'll get there. Post back with your response.

theartknife · March 2006

ok, as you say this one wants to hold on, but we can beat it. I have done the scan, the one and only entry is as follows

C:Windows\prefetch\P2PNETWORKING.EXE-2D7BE74F.pf

.

skywalker45 · March 2006

OK. Glad you found the little rascal. Please download Pocket Killbox from here. Place the program on your desktop. Don't do anything with it yet. Also download Ad-Aware and Spybot from my signature below. Update the programs but don't run them yet. If you already have these installed just be sure you update them. You might want to print these instructions as you will not have access to the internet during this fix.

Next run Hijack This again and put a check (tick) next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll (file missing)

O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe

Close all open browsers/windows and click Fix Checked. Close Hijack This.

Restart the PC in safe mode as has been explained above.

Once in safe mode open Pocket Killbox by double clicking it.

Put a check (tick) by "Standard File Kill".
In the "Full path to delete" box, copy and paste each of the following lines one at a time:

C:\Program Files\Toolbar888
C:\Program Files\Network
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
C:\Windows\prefetch\p2pnetworking.exe-2D7BE74F.pf

Click on the button that has the red circle with the X in the middle after you enter each file. The program will ask for confirmation to delete the file. Click Yes. Continue until you have done each file one at a time. Killbox may tell you that a file doesn't exist. If it does, just continue to the next.

Next while still using Killbox go to tools---->delete temp files.
In the window that pops up, put a check by ALL the options there except these three:

XP Prefetch
Recent
History

Now click the Delete Selected Temp Files button.
Exit Killbox.

Finally go to Start---->Control Panel---->Internet Options. On the "general" tab under "temporary internet files" click "delete files". Put a check by "delete offline content" and click OK. Click on the "Programs" tab then click the "Reset Web Settings" button. Click "Apply" then click OK.

Empty the recycle bin.

While in safe mode use Windows Explorer to search for and delete the following (note that they may not exist. Also make certain to look for hidden files and folders):

C:\Program Files\Toolbar888<----This folder.
C:\Program Files\Network<----This folder.
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe<----This file.
C:\Windows\prefetch\p2pnetworking.exe-2D7BE74F.pf<----This file.

Next run a full scan with Ad-Aware and Spybot in safe mode. Allow the programs to delete whatever they find.

Finally after all this reboot into normal mode and post a fresh Hijack This log.

theartknife · March 2006

okay, done and done (just as it's beginning to get light)
HJT report as follows

thanks

*********************************

Logfile of HijackThis v1.99.1
Scan saved at 05:51:24, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xx\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

skywalker45 · March 2006

Whew! Congratulations. The log looks clean. Are you having any more problems? Please let me know.

theartknife · March 2006

everything seems to be working fine. Thanks so much for all your help, i really appreciate it.

skywalker45 · March 2006

No problem, you're welcome. I'll close this thread now. If you need it re-opened just PM me or one of the other moderators and we'll open it for you.

problem with adware, please help (HighjackThis log)

Comments