SVT help: Hijacked

MasterPboy

I have run the latest versions of both Spybot and Ad-Aware

Logfile of HijackThis v1.97.7
Scan saved at 11:03:47 AM, on 10/22/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ipaa.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\appou32.exe
C:\WINDOWS\System32\systime.exe
C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
C:\WINDOWS\System32\?ttrib.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\RMClient\PMClient.exe
C:\Documents and Settings\All Users\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {0652D47D-1C86-4A6E-368E-FC2CE7424D23} - C:\WINDOWS\system32\addbn32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [Leea] C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
O4 - HKCU\..\Run: [Sgiwaqe] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=714b9e99bb1ec51fadc828f5983e23109b906c2b320d9f1b39ed54699be7e97f4caf42694383070009646062296ff92e68cfba8c:eb8a1fb09d00c5943edceabcca450006
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

MasterPboy

Is the doctor on call today? Need help.

MasterPboy

help please

SpywareShooter

Please upgrade to HijackThis version 1.98.2 and post a new log. Also, do not reboot until I say to. Rebooting will void the instructions I give you.

MasterPboy

This is my new logfile
Logfile of HijackThis v1.98.2
Scan saved at 10:04:51 AM, on 10/27/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\appou32.exe
C:\WINDOWS\System32\systime.exe
C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINDOWS\PMCCom.dll:ducaa
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ADMINISTRATOR\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FBE2FA5F-7935-0120-3FB8-49D74C7057E5} - C:\WINDOWS\system32\addbr.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\sysrl32.exe
O4 - HKLM\..\RunOnce: [ducaa] C:\WINDOWS\PMCCom.dll:ducaa
O4 - HKCU\..\Run: [Leea] C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
O4 - HKCU\..\Run: [Sgiwaqe] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {07B196EE-198B-7831-DF7D-42233866A2CC} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {09A42408-697E-074C-A9BE-3E6A347F3E30} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {0CA90E31-D6C5-1D4D-EB67-020C7D32E174} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {0F339961-3E13-7EC0-C3FF-28DD2D7B913F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
O16 - DPF: {15002ABC-64DD-49D2-8673-261506FF07B2} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=714b9e99bb1ec51fadc828f5983e23109b906c2b320d9f1b39ed54699be7e97f4caf42694383070009646062296ff92e68cfba8c:eb8a1fb09d00c5943edceabcca450006
O16 - DPF: {1CFDF3E6-6E42-2FBD-4B7F-357256E7F711} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {208AD68C-D626-5144-2E60-3FAA70014D37} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {22E15068-22D7-078D-FD4B-20B01B09B85C} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2483DDAC-8690-5C73-E643-3DCD3EABA33C} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2A275FFC-6890-05F2-5A2D-0F0B3957AB34} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2BFE57FE-BA2D-0B40-2D0B-290F62811E02} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2CC44D0D-9BE0-7094-DC09-2A0A121565EF} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3288756F-B377-65C6-3A53-1B1F1469F778} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {328E0E8C-D894-53F3-A998-38CC792115A9} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3EEA277E-2085-3985-F3B8-7A674D8B831F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3EF0726A-1076-162F-C622-51A606D01A5A} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {4730CBA4-F6F5-4C7F-B616-13207AE94DA9} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {504E7CA9-CE11-0A37-2D2B-31036990B159} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {508D0AC3-E099-1310-20E5-769700E81E9D} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {5CED8FE3-4762-3325-3CB0-132903C50ABD} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {5D8C1290-F4BA-719C-D931-100314F91C28} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {6A72B0E9-5DAB-0B38-2B02-67832C5CC7CA} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {6C18DD7D-88FF-30F4-54E3-1ED5631CC623} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {70CC5B87-4450-0694-15B5-30C57FC4EE51} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {72F852F3-B893-223F-382F-6792118857AE} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7854F9B3-2F2B-3337-97A1-11361139E740} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {79329267-2C9B-0BFC-B20C-2EEC07A37ACA} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7CC1C6FE-CE31-4EA1-21C9-41DF1B412748} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

SpywareShooter

Well first off we'll get rid of these:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {07B196EE-198B-7831-DF7D-42233866A2CC} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {09A42408-697E-074C-A9BE-3E6A347F3E30} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {0CA90E31-D6C5-1D4D-EB67-020C7D32E174} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {0F339961-3E13-7EC0-C3FF-28DD2D7B913F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
O16 - DPF: {15002ABC-64DD-49D2-8673-261506FF07B2} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006
O16 - DPF: {1CFDF3E6-6E42-2FBD-4B7F-357256E7F711} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {208AD68C-D626-5144-2E60-3FAA70014D37} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {22E15068-22D7-078D-FD4B-20B01B09B85C} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2483DDAC-8690-5C73-E643-3DCD3EABA33C} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2A275FFC-6890-05F2-5A2D-0F0B3957AB34} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2BFE57FE-BA2D-0B40-2D0B-290F62811E02} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {2CC44D0D-9BE0-7094-DC09-2A0A121565EF} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3288756F-B377-65C6-3A53-1B1F1469F778} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {328E0E8C-D894-53F3-A998-38CC792115A9} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3EEA277E-2085-3985-F3B8-7A674D8B831F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {3EF0726A-1076-162F-C622-51A606D01A5A} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {4730CBA4-F6F5-4C7F-B616-13207AE94DA9} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {504E7CA9-CE11-0A37-2D2B-31036990B159} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {508D0AC3-E099-1310-20E5-769700E81E9D} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {5CED8FE3-4762-3325-3CB0-132903C50ABD} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {5D8C1290-F4BA-719C-D931-100314F91C28} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {6A72B0E9-5DAB-0B38-2B02-67832C5CC7CA} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {6C18DD7D-88FF-30F4-54E3-1ED5631CC623} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {70CC5B87-4450-0694-15B5-30C57FC4EE51} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {72F852F3-B893-223F-382F-6792118857AE} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7854F9B3-2F2B-3337-97A1-11361139E740} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {79329267-2C9B-0BFC-B20C-2EEC07A37ACA} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7CC1C6FE-CE31-4EA1-21C9-41DF1B412748} - http://213.159.117.150/1/rdgUS10.exe

As they are part of CWS, your infection. Fix those, then reboot and post a new log. Then don't reboot till I say it is OK

MasterPboy

This is my new log
Logfile of HijackThis v1.98.2
Scan saved at 10:00:46 AM, on 10/28/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\appou32.exe
C:\WINDOWS\System32\systime.exe
C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
C:\WINDOWS\System32\?ttrib.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINDOWS\PMCCom.dll:ducaa
C:\Program Files\WebSiteViewer\124490.dlr
C:\Documents and Settings\ADMINISTRATOR\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C802FF77-7FEF-71C1-2FDF-C69DCC178985} - C:\WINDOWS\ienv32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\RunOnce: [ducaa] C:\WINDOWS\PMCCom.dll:ducaa
O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\sysrl32.exe
O4 - HKCU\..\Run: [Leea] C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
O4 - HKCU\..\Run: [Sgiwaqe] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

SpywareShooter

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.placeforsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\btqez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.placeforsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.placeforsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C802FF77-7FEF-71C1-2FDF-C69DCC178985} - C:\WINDOWS\ienv32.dll
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\RunOnce: [ducaa] C:\WINDOWS\PMCCom.dll:ducaa
O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\sysrl32.exe
O4 - HKCU\..\Run: [Leea] C:\Documents and Settings\ADMINISTRATOR\Application Data\aodc.exe
O4 - HKCU\..\Run: [Sgiwaqe] C:\WINDOWS\System32\?ttrib.exe

Fix those entries then find and delete the files listed above, reboot and post a new log.

MasterPboy

Logfile of HijackThis v1.98.2
Scan saved at 10:54:31 AM, on 10/29/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\system32\appou32.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINDOWS\PMCCom.dll:ducaa
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\rdgUS10.exe
C:\Documents and Settings\ADMINISTRATOR\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B661C7F-57D6-CE43-D570-49AAE6861F6F} - C:\WINDOWS\apijo.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\RunOnce: [ducaa] C:\WINDOWS\PMCCom.dll:ducaa
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

Couldn't locate files to delet or wouldn't let me delete them

SpywareShooter

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B661C7F-57D6-CE43-D570-49AAE6861F6F} - C:\WINDOWS\apijo.dll
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\RunOnce: [ducaa] C:\WINDOWS\PMCCom.dll:ducaa
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe

Fix those entries then find and delete the following files:
C:\WINDOWS\apijo.dll
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\system32\appou32.exe
C:\WINDOWS\PMCCom.dll:ducaa

Then reboot and post a new log.

MasterPboy

My new log...
Logfile of HijackThis v1.98.2
Scan saved at 3:25:54 PM, on 11/1/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RMClient\PMClient.exe
C:\Documents and Settings\ADMINISTRATOR\Desktop\HijackThis19802.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

SpywareShooter

Your log looks okay now. Are you still having any problems?

SpywareShooter

I'm sorry, your log actually is not clean. I was just informed that this is bad:

O4 - HKLM\..\Run: [rbenh 0l7080] "C:\Program Files\RBEnhance\rbenh.exe"

Fix that entry then find and delete rbenh.exe, reboot and post a new log.

MasterPboy

Thanks for all your help. I'm checking my C drive for just stuff I don't need/use and I came across this file named MSADC in the System folder. I can't get rid of it. Also there's a file called ole db everytime I delete it or something in it it just comes back.

Sorry forgot to post new log
Logfile of HijackThis v1.98.2
Scan saved at 12:58:52 PM, on 11/2/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RMClient\PMClient.exe
C:\Documents and Settings\ADMINISTRATOR\Desktop\HijackThis19802.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab