Help Please!
Wow... I just got some crazy virus and I can't open Internet Explorer. I'm on my other computer. Spyware is downloading EVERYWHERE and it's really bad. I DON'T KNOW what's wrong... please help.
Logfile of HijackThis v1.99.0
Scan saved at 1:29:10 AM, on 03/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Jiu.exe
C:\WINDOWS\System32\ntddetect.exe
C:\windows\saap.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\paytime.exe
C:\Documents and Settings\User\Application Data\obao.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {6FA53C60-0792-437C-9686-F9B77131DCF6} - C:\WINDOWS\System32\dpnp.dll
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKLM\..\Run: [paxebmv] C:\WINDOWS\paxebmv.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O18 - Filter: text/html - {D5686817-DEB3-4ADF-B2B2-D4CB0C0FD6D2} - C:\WINDOWS\System32\dpnp.dll
O18 - Filter: text/plain - {D5686817-DEB3-4ADF-B2B2-D4CB0C0FD6D2} - C:\WINDOWS\System32\dpnp.dll
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
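Triage script for a log like the one above, added here as an illustration and not part of the original thread or of HijackThis itself. It parses each `R0/R1/O1/O4/...` entry and applies the heuristics a helper applies by eye when reading this log: IE start/search pages pointing at a raw IP or at a `res://` resource inside a DLL in Temp, extra hosts-file entries, autoruns from Temp or profile directories or from three-letter executables dropped directly in the Windows directory, filenames with unprintable characters (the `??plorer.exe` masquerading as explorer.exe), Trusted Zone additions, and ActiveX downloads (O16) whose host is also in the Trusted Zone, which together mean the control installs with relaxed security prompts. The `KNOWN_WINDIR_EXES` allow-list and the sample lines (a constructed subset excerpted from the log above) are assumptions for the example.

```python
"""Heuristic triage of HijackThis log entries (added example, not HijackThis code)."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "section reason line")

# Log lines look like "O4 - HKLM\..\Run: [name] path"; the header and process list do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Executable sitting directly in %SystemRoot% or System32 (no vendor subdirectory).
WINDIR_EXE_RE = re.compile(r"^c:\\windows\\(system32\\)?([^\\]+\.exe)$", re.I)
WINDIR_DLL_RE = re.compile(r"c:\\windows\\(system32\\)?[^\\]+\.dll$", re.I)
# Assumed allow-list of XP binaries that legitimately autorun from the Windows directory.
KNOWN_WINDIR_EXES = {"dumprep", "ctfmon"}


def parse(text):
    """Return (section, body, original_line) for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), line.strip()))
    return out


def trusted_hosts(entries):
    """Domains / IPs that O15 lines add to IE's Trusted Zone, without the '*.' wildcard."""
    hosts = set()
    for sec, body, _ in entries:
        if sec == "O15":
            value = body.split(":", 1)[1].split(" (HKLM)")[0].strip()
            hosts.add(value.lstrip("*."))
    return hosts


def triage(text):
    entries = parse(text)
    trusted = trusted_hosts(entries)
    findings = []
    for sec, body, line in entries:
        if sec in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if value.lower().startswith("res://"):
                findings.append(Finding(sec, "IE page served from a local DLL resource", line))
            elif RAW_IP_RE.match(urlsplit(value).hostname or ""):
                findings.append(Finding(sec, "IE start/search page set to a raw IP address", line))
        elif sec == "O1":
            _, ip, domain = body.split()[:3]
            findings.append(Finding(sec, f"hosts file pins {domain} to {ip}", line))
        elif sec in ("R3", "O2", "O3") and WINDIR_DLL_RE.search(body):
            findings.append(Finding(sec, "browser extension DLL dropped directly in the Windows directory", line))
        elif sec == "O4" and "Run:" in body:
            path = body.split("]", 1)[1].strip().strip('"')
            low = path.lower()
            if "\\temp\\" in low or "\\application data\\" in low:
                findings.append(Finding(sec, "autorun from a temp or profile-data directory", line))
            elif "??" in path:
                findings.append(Finding(sec, "autorun filename contains unprintable characters", line))
            else:
                m = WINDIR_EXE_RE.match(path)
                if m and m.group(2)[:-4].lower() not in KNOWN_WINDIR_EXES:
                    findings.append(Finding(sec, "unrecognised executable autorunning from the Windows directory", line))
        elif sec == "O10":
            findings.append(Finding(sec, "Winsock LSP chain broken (missing provider)", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to IE Trusted Zone (security prompts relaxed)", line))
        elif sec == "O16":
            host = urlsplit(body.rsplit(" - ", 1)[1]).hostname or ""
            reason = "ActiveX control downloaded from " + host
            if any(host == t or host.endswith("." + t) for t in trusted):
                reason += " (a site this log also trusts)"
            findings.append(Finding(sec, reason, line))
        elif sec == "O18":
            mime = body.split(" - ")[0].split(":", 1)[1].strip()
            findings.append(Finding(sec, f"MIME filter on {mime}: the DLL sees and can rewrite every page", line))
    return findings


# Constructed subset of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6FA53C60-0792-437C-9686-F9B77131DCF6} - C:\WINDOWS\System32\dpnp.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O18 - Filter: text/html - {D5686817-DEB3-4ADF-B2B2-D4CB0C0FD6D2} - C:\WINDOWS\System32\dpnp.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The O16/O15 correlation is the one worth keeping in mind when reading this thread: an ActiveX download from a domain the machine already trusts is how the reinstall chain survives each reboot, which is why the helper's later DelDomains.inf step (clearing the Trusted Zone) matters as much as deleting the files.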
Comments
http://www.derbilk.de/SpSeHjfix_Beta9.zip
Start SpSeHjfix_Beta9.exe and click "Desinfecton starten". It will reboot your computer to complete the cleaning process. Once it is done, please post a new HijackThis log.
Here's the new log.
Logfile of HijackThis v1.99.0
Scan saved at 3:46:36 PM, on 03/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Jiu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ntddetect.exe
C:\windows\saap.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\paytime.exe
C:\Documents and Settings\User\Application Data\obao.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKLM\..\Run: [paxebmv] C:\WINDOWS\paxebmv.exe
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
STEP ONE
Please download and run CWShredder, making sure to click "Fix".
http://cwshredder.net/bin/CWSInstall.exe
STEP TWO
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.
http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe
STEP THREE
Download and run Microsoft's Antispyware application.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Remove everything that it finds.
STEP FOUR
Download (right-click and select Save File As or Save Link As): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
Reboot and post a new HijackThis log.
Here's the log.
Logfile of HijackThis v1.99.0
Scan saved at 9:08:30 PM, on 03/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ntddetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\Vta.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\User\Application Data\obao.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - HKLM\..\Run: [Ubo] C:\WINDOWS\Tep.exe
O4 - HKLM\..\Run: [Riv] C:\WINDOWS\Dnc.exe
O4 - HKLM\..\Run: [Srs] C:\WINDOWS\Las.exe
O4 - HKLM\..\Run: [Fma] C:\WINDOWS\Klf.exe
O4 - HKLM\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
O4 - HKLM\..\Run: [Vid] C:\WINDOWS\Vkj.exe
O4 - HKLM\..\Run: [Lud] C:\WINDOWS\Vch.exe
O4 - HKLM\..\Run: [Gfl] C:\WINDOWS\Vca.exe
O4 - HKLM\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
O4 - HKLM\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Okv.exe
O4 - HKLM\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
O4 - HKLM\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
O4 - HKLM\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
O4 - HKLM\..\Run: [Onh] C:\WINDOWS\Bnd.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - HKCU\..\Run: [Ubo] C:\WINDOWS\Tep.exe
O4 - HKCU\..\Run: [Riv] C:\WINDOWS\Dnc.exe
O4 - HKCU\..\Run: [Srs] C:\WINDOWS\Las.exe
O4 - HKCU\..\Run: [Fma] C:\WINDOWS\Klf.exe
O4 - HKCU\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
O4 - HKCU\..\Run: [Vid] C:\WINDOWS\Vkj.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\Vch.exe
O4 - HKCU\..\Run: [Gfl] C:\WINDOWS\Vca.exe
O4 - HKCU\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
O4 - HKCU\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Okv.exe
O4 - HKCU\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
O4 - HKCU\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
O4 - HKCU\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
O4 - HKCU\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
O4 - HKCU\..\Run: [Onh] C:\WINDOWS\Bnd.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
First off, download Ad-Aware if you haven't already. I prefer it over the MS spyware tool. You can grab it off the SM download page here: http://www.short-media.com/download.php?dc=69. After you have downloaded it, go ahead and install it on your system. Once this is done, tell it to go ahead and update. Don't worry about running a scan right now, just make sure it gets all the latest and greatest updates installed.
Once that is done, reboot your computer in Safe Mode. To do this, reboot your PC and start tapping F8 before Windows loads up.
Now that you are in Safe Mode, open up that copy of HijackThis. Remove the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - HKLM\..\Run: [Ubo] C:\WINDOWS\Tep.exe
O4 - HKLM\..\Run: [Riv] C:\WINDOWS\Dnc.exe
O4 - HKLM\..\Run: [Srs] C:\WINDOWS\Las.exe
O4 - HKLM\..\Run: [Fma] C:\WINDOWS\Klf.exe
O4 - HKLM\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
O4 - HKLM\..\Run: [Vid] C:\WINDOWS\Vkj.exe
O4 - HKLM\..\Run: [Lud] C:\WINDOWS\Vch.exe
O4 - HKLM\..\Run: [Gfl] C:\WINDOWS\Vca.exe
O4 - HKLM\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
O4 - HKLM\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
O4 - HKLM\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Okv.exe
O4 - HKLM\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
O4 - HKLM\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
O4 - HKLM\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
O4 - HKLM\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
O4 - HKLM\..\Run: [Onh] C:\WINDOWS\Bnd.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
O4 - HKCU\..\Run: [Ubo] C:\WINDOWS\Tep.exe
O4 - HKCU\..\Run: [Riv] C:\WINDOWS\Dnc.exe
O4 - HKCU\..\Run: [Srs] C:\WINDOWS\Las.exe
O4 - HKCU\..\Run: [Fma] C:\WINDOWS\Klf.exe
O4 - HKCU\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
O4 - HKCU\..\Run: [Vid] C:\WINDOWS\Vkj.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\Vch.exe
O4 - HKCU\..\Run: [Gfl] C:\WINDOWS\Vca.exe
O4 - HKCU\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
O4 - HKCU\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Okv.exe
O4 - HKCU\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
O4 - HKCU\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
O4 - HKCU\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
O4 - HKCU\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
O4 - HKCU\..\Run: [Onh] C:\WINDOWS\Bnd.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...tterInstall.cab
Now that you have deleted all these entries (a bunch, eh?), open up the newly installed Ad-Aware program. Now go ahead and run a full system scan (still in Safe Mode!). It should remove most of those dud files that are still on your PC.
When the scan is finished, reboot into normal mode and see how it feels. If you still get lots of pop-ups, repost another log.
Also, if spyware is a big concern, you might consider not using IE and trying Firefox.
Good Luck
Download Hoster.
http://members.aol.com/toadbee/hoster.zip
This will restore your original Hosts file.
Run the program, press Restore Original Hosts, and press OK.
The trojan virus will still exist on your computer. In order to remove it, try running a program called A2. You will need to register in order to get the updates, but it's free.
http://www.emsisoft.com/en/software/free/
Please post a new HijackThis log when you are done.
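Hoster's Restore Original Hosts button rewrites the file wholesale. The script below is an added example for this thread, not Hoster's code and not from any poster: it does the same job on a constructed sample hosts file so you can see what gets dropped and why. It keeps comments and the localhost mapping, removes entries that point names at non-standard loopback addresses (the 127.0.0.3 lines shown in the logs above are the typical hijacker-written kind), entries that blackhole update or AV vendor domains, and any other non-default line, and returns a reason for each removal. The vendor domain list and the sample text are assumptions. On a real machine, copy C:\WINDOWS\system32\drivers\etc\hosts somewhere safe before writing the result back.

```python
"""Rebuild a Windows hosts file to its default and report what was removed.
Added example for this thread: the effect of Hoster's "Restore Original
Hosts", reimplemented so the removed entries can be inspected first. Not
code from Hoster or from any poster; the sample hosts text is constructed."""
import ipaddress

# Assumed list of update/AV vendor domains a hijacker likes to blackhole.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "grisoft.com",
                     "lavasoft.com", "bitdefender.com", "pandasoftware.com")
DEFAULT_ENTRY = "127.0.0.1       localhost"

# Constructed sample; the 127.0.0.3 lines mirror the O1 entries in the logs above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.3       www.iframe.biz
127.0.0.3       iframe.biz
127.0.0.1       windowsupdate.microsoft.com
192.168.1.10    intranet.example.local
"""


def parse_line(line):
    """(ip, [hostnames]) for an entry line, or None for blanks and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], fields[1:]


def classify(ip_text, names):
    """Reason an entry should go, or None if it is the default localhost mapping."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed address"
    if names and all(n == "localhost" for n in names) and ip_text in ("127.0.0.1", "::1"):
        return None
    for n in names:
        if any(n == d or n.endswith("." + d) for d in PROTECTED_DOMAINS):
            return "hijacks an update or security vendor domain"
    if ip.is_loopback:
        return "non-default loopback mapping (blackholes the name; 127.0.0.3-style entries are hijacker-written)"
    return "non-default entry; put it back only if you added it yourself"


def rebuild_hosts(text):
    """Return (clean_text, removed) where removed is a list of (line, reason)."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            kept.append(line)           # comments and blank lines stay
            continue
        reason = classify(*parsed)
        if reason is None:
            kept.append(line)
        else:
            removed.append((line, reason))
    if not any(parse_line(k) for k in kept):
        kept.append(DEFAULT_ENTRY)      # never leave localhost unmapped
    return "\n".join(kept) + "\n", removed
```

Feed it the real file's contents with `rebuild_hosts(open(path).read())`, review the `removed` list, and only then write `clean_text` back; an entry you recognise (an intranet name, for instance) can be re-added by hand.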
My background restored, but it still makes 2 of the same icon and I can't right-click.
New HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 8:09:23 PM, on 03/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Oph.exe
C:\windows\system32\gsskpcs.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\User\Application Data\obao.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\sasetup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKLM\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
O4 - HKLM\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
O4 - HKLM\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
O4 - HKLM\..\Run: [Tsk] C:\WINDOWS\Jud.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKCU\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
O4 - HKCU\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
O4 - HKCU\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
O4 - HKCU\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
O4 - HKCU\..\Run: [Tsk] C:\WINDOWS\Jud.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\sasetup.dll
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKLM\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
O4 - HKLM\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
O4 - HKLM\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
O4 - HKLM\..\Run: [Tsk] C:\WINDOWS\Jud.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKCU\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
O4 - HKCU\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
O4 - HKCU\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
O4 - HKCU\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
O4 - HKCU\..\Run: [Tsk] C:\WINDOWS\Jud.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\Pynix.dll (file missing)
C:\WINDOWS\systb.dll
C:\WINDOWS\sasetup.dll
C:\WINDOWS\Oph.exe
C:\WINDOWS\Iui.exe
C:\WINDOWS\System32\Bgs.exe
C:\WINDOWS\farmmext.exe
c:\windows\system32\gsskpcs.exe
C:\WINDOWS\System32\Ict.exe
C:\WINDOWS\System32\Rhp.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\System32\Sbc.exe
C:\WINDOWS\Gvb.exe
C:\WINDOWS\Vmo.exe
C:\WINDOWS\Jud.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\Ict.exe
C:\WINDOWS\System32\Rhp.exe
C:\WINDOWS\System32\Sbc.exe
C:\WINDOWS\Gvb.exe
C:\WINDOWS\Vmo.exe
C:\WINDOWS\Jud.exe
Reboot your computer to go back to normal mode.
Please run these two online scans.
Make sure they are set to clean automatically:
http://www.bitdefender.com/scan/licence.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If there are files that can not be removed by the scans please include that information in your next post.
Reboot and post a new HijackThis log.
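The two removal lists in this thread (the Safe Mode HijackThis list in the earlier reply and the Fix Checked list plus file deletions in this one) were assembled by hand, which is how a file such as Ict.exe ends up listed twice. The script below is an added example, not part of HijackThis and not from any post here: it turns the same judgement calls into rules and runs them over a constructed sample log in the thread's format. It flags O1, O2, O4, O15 and O16 entries with a reason, cross-checks each O16 ActiveX download against the O15 Trusted Zone domains (the Trusted Zone is what lets a site's CAB or OCX install with fewer prompts, so a trusted domain paired with a DPF download from it is the install chain), and derives a de-duplicated file list that skips "(file missing)" orphans. The allowlists, the three-letter-name rule, the %systemroot% expansion and the placeholder paths are assumptions for illustration.

```python
"""Triage a HijackThis 1.99 log: flag entries that look like hijacker
persistence and derive a de-duplicated file list for Safe Mode removal.
Added example for this thread, not code from HijackThis or any poster;
every heuristic, allowlist and sample line is an assumption for illustration."""
import re
from urllib.parse import urlsplit

# Constructed sample in the thread's log format, built from entry shapes seen above.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKCU\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")  # hive, key, name, command
FILE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|scr|pif|bat|cmd))(?=\s|$)", re.I)
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{2}$")                         # Rpa, Hca, Gnt ...
SYSTEM32_OK = {"dumprep", "ctfmon.exe"}                                 # assumed allowlist
DPF_HOSTS_OK = {"update.microsoft.com", "windowsupdate.microsoft.com"}  # assumed allowlist

def command_path(cmd):
    """Executable path from an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = FILE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]

def suspicious_path(path):
    """Reason a launch path looks like hijacker persistence, or None."""
    p = path.lower().replace("%systemroot%", "c:\\windows")  # %systemroot% assumed C:\WINDOWS
    if "?" in p:
        return "non-printable or look-alike characters in the filename"
    if "application data" in p or "\\temp\\" in p:
        return "runs from a user profile data or temp directory"
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "runs directly from the Windows directory"
    if p.startswith("c:\\windows\\system32\\") and p.rsplit("\\", 1)[-1] not in SYSTEM32_OK:
        return "unknown executable under System32"
    return None

def triage(log_text):
    """Return [(section, reason, line)] for entries that warrant removal."""
    entries = [m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in log_text.splitlines())) if m]
    # O15 domains collected first so each O16 download can be matched against them.
    trusted = [b.split(":", 1)[1].split()[0].lstrip("*.").lower() for s, b in entries if s == "O15"]
    findings = []
    for section, body in entries:
        reason = None
        if section == "O1":
            reason = "hosts entry; a default hosts file maps only localhost"
        elif section == "O2":
            parts = body.split(" - ")
            name, path = parts[0].split(":", 1)[1].strip(), parts[-1].strip()
            if name == "(no name)":
                reason = "unnamed BHO"
            elif "(file missing)" in path:
                reason = "orphaned BHO registration (DLL already gone)"
            else:
                reason = suspicious_path(path)
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and RANDOM_NAME_RE.match(run.group(3)):
                reason = "random three-letter Run value name"
            elif run:
                reason = suspicious_path(command_path(run.group(4)))
        elif section == "O15":
            reason = "Trusted Zone entry: IE drops its security prompts for this site"
        elif section == "O16":
            host = (urlsplit(body.rsplit(" - ", 1)[-1].strip()).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in trusted):
                reason = "ActiveX download from a host the hijacker put in the Trusted Zone"
            elif host not in DPF_HOSTS_OK:
                reason = "ActiveX download from an unvetted host"
        if reason:
            findings.append((section, reason, f"{section} - {body}"))
    return findings

def deletion_candidates(findings):
    """Unique on-disk files behind flagged O2/O4 entries; '(file missing)' ones are orphans."""
    seen, files = set(), []
    for section, _reason, line in findings:
        body = ENTRY_RE.match(line).group(2)
        if section == "O2" and "(file missing)" not in body:
            path = body.rsplit(" - ", 1)[-1].strip()
        elif section == "O4" and RUN_RE.match(body):
            path = command_path(RUN_RE.match(body).group(4))
        else:
            continue
        key = path.lower().replace("%systemroot%", "c:\\windows")
        if key not in seen:
            seen.add(key)
            files.append(path)
    return files
```

Run it on a saved log with `triage(open("hijackthis.log").read())` and pass the result to `deletion_candidates`. Anything it flags should still be checked against the running-process list and, where possible, a signature or hash lookup before deletion; anything it leaves alone (Global Startup shortcuts, O23 services) still deserves a look by hand.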
C:\WINDOWS\system32\drivers\etc\hosts.bak: infected with Trojan.Qhost.K
C:\WINDOWS\system32\drivers\etc\hosts.bak: disinfection failed
C:\WINDOWS\system32\gsskpcs.exe: infected with Trojan.Agent.AY
C:\WINDOWS\system32\gsskpcs.exe: disinfection failed
C:\WINDOWS\system32\x3yy\jqmihkje.exe: suspect BehavesLike:Trojan.Downloader
C:\WINDOWS\system32\x3yy\jqmihkje.exe: disinfection failed
C:\WINDOWS\IFinst25.exe: infected with Backdoor.IzRam.1.7
C:\WINDOWS\IFinst25.exe: disinfection failed
C:\WINDOWS\ms3.exe: infected with Trojan.Downloader.Small.AHG
C:\WINDOWS\ms3.exe: deleted
C:\Documents and Settings\User\Local Settings\Temp\THI6844.tmp\farmmext.exe: infected with Trojan.Downloader.Stubby.A
C:\Documents and Settings\User\Local Settings\Temp\THI6844.tmp\farmmext.exe: disinfection failed
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-49e15238.class: infected with Trojan.Downloader.Small.WV
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-49e15238.class: disinfection failed
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\EAYTKYIS\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\EAYTKYIS\stc[1].html: disinfection failed
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\YIS8RBRD\home[2].aspx: infected with JS.Trojan.Cardst.A
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\YIS8RBRD\home[2].aspx: disinfection failed
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\9BSWDV8C\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\9BSWDV8C\stc[1].html: disinfection failed
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\4VX3UAB1\prompt[2].php: infected with JS.Trojan.Downloader.IstBar.A
C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\4VX3UAB1\prompt[2].php: disinfection failed
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SLE7CXUJ\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SLE7CXUJ\stc[1].html: disinfection failed
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: infected with Adware.Wheaterbug.A
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086685.exe: suspect BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086685.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086723.exe: suspect Trojan.Downloader.Gen
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086723.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087731.exe: suspect BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087731.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087772.exe: suspect BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087772.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090924.exe: infected with Trojan.PornDialer.BP
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090924.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090925.exe: infected with Trojan.LowZones.AH
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090925.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090930.dll: infected with Trojan.Downloader.Dyfuca.DT
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090930.dll: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090932.exe: infected with Trojan.Downloader.Delf.DG
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090932.exe: deleted
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090933.exe: suspect BehavesLike:Trojan.StartPage
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090933.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090940.exe: infected with Trojan.PornDialer.BP
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090940.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090942.exe: infected with Trojan.Downloader.Dyfuca.DP
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090942.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090943.exe: infected with Trojan.Downloader.Dyfuca.DP
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090943.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP475\A0091203.exe: infected with Trojan.Downloader.Stubby.A
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP475\A0091203.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091410.exe: infected with Trojan.Downloader.Stubby.A
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091410.exe: disinfection failed
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091438.exe: infected with Trojan.Downloader.Small.AHG
C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091438.exe: deleted
I still get two ads from Smart Security and SlimShield.
Sorry, the Panda one doesn't seem to work.
Here is the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 11:42:27 PM, on 03/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Hhv.exe
C:\windows\system32\gsskpcs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKLM\..\Run: [Knl] C:\WINDOWS\Guo.exe
O4 - HKLM\..\Run: [Uca] C:\WINDOWS\Mid.exe
O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKLM\..\Run: [Bvg] C:\WINDOWS\Glp.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
O4 - HKLM\..\Run: [Qho] C:\WINDOWS\Vsi.exe
O4 - HKLM\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Sel] C:\WINDOWS\Mif.exe
O4 - HKLM\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
O4 - HKLM\..\Run: [Avk] C:\WINDOWS\Fkk.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\Guo.exe
O4 - HKCU\..\Run: [Uca] C:\WINDOWS\Mid.exe
O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKCU\..\Run: [Bvg] C:\WINDOWS\Glp.exe
O4 - HKCU\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
O4 - HKCU\..\Run: [Qho] C:\WINDOWS\Vsi.exe
O4 - HKCU\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
O4 - HKCU\..\Run: [Sel] C:\WINDOWS\Mif.exe
O4 - HKCU\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
O4 - HKCU\..\Run: [Avk] C:\WINDOWS\Fkk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKLM\..\Run: [Knl] C:\WINDOWS\Guo.exe
O4 - HKLM\..\Run: [Uca] C:\WINDOWS\Mid.exe
O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKLM\..\Run: [Bvg] C:\WINDOWS\Glp.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
O4 - HKLM\..\Run: [Qho] C:\WINDOWS\Vsi.exe
O4 - HKLM\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Sel] C:\WINDOWS\Mif.exe
O4 - HKLM\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
O4 - HKLM\..\Run: [Avk] C:\WINDOWS\Fkk.exe
O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\Guo.exe
O4 - HKCU\..\Run: [Uca] C:\WINDOWS\Mid.exe
O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKCU\..\Run: [Bvg] C:\WINDOWS\Glp.exe
O4 - HKCU\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
O4 - HKCU\..\Run: [Qho] C:\WINDOWS\Vsi.exe
O4 - HKCU\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
O4 - HKCU\..\Run: [Sel] C:\WINDOWS\Mif.exe
O4 - HKCU\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
O4 - HKCU\..\Run: [Avk] C:\WINDOWS\Fkk.exe
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\dlmax.dll
C:\WINDOWS\Hhv.exe
C:\WINDOWS\Guo.exe
C:\WINDOWS\Mid.exe
C:\WINDOWS\System32\Kmm.exe
C:\WINDOWS\Glp.exe
C:\WINDOWS\System32\Mub.exe
C:\WINDOWS\Vsi.exe
C:\WINDOWS\System32\Bbd.exe
c:\windows\system32\gsskpcs.exe
C:\WINDOWS\farmmext.exe
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\Mif.exe
C:\WINDOWS\System32\Qbk.exe
C:\WINDOWS\Fkk.exe
C:\WINDOWS\system32\x3yy
C:\WINDOWS\IFinst25.exe
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot your computer to go back to normal mode.
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.
http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe
Let me know what AVG finds.
Reboot after the scan and post a new HijackThis log.
AVG found pkg.exe, sjo.exe, sys32\euv.exe, sys32\qnc.exe, and tok.exe infected with some Trojan horse clicker.7.T,
and for some it says virus identified Java/ByteVerify for:
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:\counter.class
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:\parser.class
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\classload.jar-6525c37c-70898042.zip/InsecureClassLoader.class
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\classload.jar-6525c37c-70898042.zip
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\archive.jar-7a93de40-790afa7b.zip:
C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\archive.jar-7a93de40-790afa7b.zip:\beyond.class
My HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 11:55:27 PM, on 03/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vaq] C:\WINDOWS\System32\Jar.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Tug] C:\WINDOWS\Uag.exe
O4 - HKLM\..\Run: [Rrs] C:\WINDOWS\Hof.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tug] C:\WINDOWS\Uag.exe
O4 - HKCU\..\Run: [Rrs] C:\WINDOWS\Hof.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
How come I delete the stuff but it always comes back?
Also, my background is some red "danger: spyware" screen, supposedly supported by SmartSecurity, and it recreates every icon twice. I cannot right-click basically anything (except IE) and I can't change my background.
Open Display in Control Panel
Click the Desktop Tab
Click the Customize Desktop button.
Click the Web Tab.
On the list, highlight any items you did not create yourself and click Remove.
Look for the Lock Desktop Items checkbox on this same page and uncheck it.
Press OK.
If that doesn't work, download and run this tool.
http://www.smart-security.info/freeclean.v2.exe
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Vaq] C:\WINDOWS\System32\Jar.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Tug] C:\WINDOWS\Uag.exe
O4 - HKLM\..\Run: [Rrs] C:\WINDOWS\Hof.exe
O4 - HKCU\..\Run: [Tug] C:\WINDOWS\Uag.exe
O4 - HKCU\..\Run: [Rrs] C:\WINDOWS\Hof.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\dlmax.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\Jar.exe
C:\WINDOWS\wupdt.exe
c:\windows\system32\gsskpcs.exe
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\Uag.exe
C:\WINDOWS\Hof.exe
Now run a full scan with MS Antispyware. Let me know what it finds.
Reboot your computer to go back to normal mode.
Get an online virus scan at this site.
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Reboot and post a new HijackThis log.
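The question above (why the entries keep coming back) is answered by the two logs in this thread: the 03/24 cleanup removed Cqa/Hhv.exe and the rest of that batch, and by 03/25 the same loader had registered Vaq/Jar.exe, Tug/Uag.exe and Rrs/Hof.exe under fresh random names, while gsskpcs.exe and the Ebates entry survived both rounds. The script below is an added example, not part of this thread, of HijackThis, or of any poster's instructions. It parses O4 Run-key lines, flags entries by heuristics that are this example's own (executable dropped in the Windows directory root, a short random value name that does not match the file name, the same value name registered in both HKLM and HKCU, a vowel-less file name), and diffs the autostart sets between two excerpts copied from the thread's 03/24 and 03/25 logs.

```python
"""Triage HijackThis O4 (Run-key autostart) lines and diff them between two logs.

Added example for this thread, not HijackThis code or any poster's procedure.
The two excerpts are copied from the thread's 03/24 and 03/25/2005 logs, cut
down to the O4 lines; the suspicion heuristics are this example's own.
"""
import re

# Excerpt of the O4 lines from the 03/24/2005 log posted in the thread.
LOG_0324 = r"""
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
"""

# Excerpt of the O4 lines from the 03/25/2005 log, after the first cleanup round.
LOG_0325 = r"""
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vaq] C:\WINDOWS\System32\Jar.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tug] C:\WINDOWS\Uag.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tug] C:\WINDOWS\Uag.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|com|scr|bat|pif))(?:"|\s|$)', re.I)
WINDIR_ROOTS = ("c:\\windows", "c:\\winnt")  # legit autostarts rarely live here


def parse_o4(log_text):
    """Return (hive, value_name, command) for every O4 HKLM/HKCU Run entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def exe_path(command):
    """Pull the executable path out of a Run command, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def suspicion_reasons(hive, name, command, registered):
    """Heuristic reasons an entry deserves a look; `registered` = all (hive, name)."""
    exe = exe_path(command)
    if exe is None:
        return ["could not parse an executable path"]
    folder, _, filename = exe.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if folder in WINDIR_ROOTS:
        reasons.append("runs from the Windows directory root")
    if name.isalpha() and len(name) <= 3 and len(stem) <= 3 and stem != name.lower():
        reasons.append("short random value name that does not match the file name")
    other = "HKCU" if hive == "HKLM" else "HKLM"
    if (other, name) in registered:
        reasons.append("same value name registered in both HKLM and HKCU")
    if len(stem) >= 5 and not any(c in "aeiouy" for c in stem):
        reasons.append("vowel-less file name")
    return reasons


def triage(log_text):
    """Map (hive, name) -> (exe, reasons) for every entry that trips a heuristic."""
    entries = parse_o4(log_text)
    registered = {(h, n) for h, n, _ in entries}
    flagged = {}
    for hive, name, command in entries:
        reasons = suspicion_reasons(hive, name, command, registered)
        if reasons:
            flagged[(hive, name)] = (exe_path(command), reasons)
    return flagged


def diff_autostarts(old_text, new_text):
    """Return (removed, added, kept) sets of (hive, name, exe) between two logs."""
    def keys(text):
        return {(h, n, (exe_path(c) or c).lower()) for h, n, c in parse_o4(text)}
    old, new = keys(old_text), keys(new_text)
    return old - new, new - old, old & new


if __name__ == "__main__":
    for label, log in (("03/24", LOG_0324), ("03/25", LOG_0325)):
        print(f"--- suspicious autostarts in the {label} log ---")
        for (hive, name), (exe, reasons) in sorted(triage(log).items()):
            print(f"{hive} [{name}] {exe}: {'; '.join(reasons)}")
    removed, added, kept = diff_autostarts(LOG_0324, LOG_0325)
    print("--- removed since 03/24 ---", *sorted(removed), sep="\n")
    print("--- new on 03/25 ---", *sorted(added), sep="\n")
    print("--- still present ---", *sorted(kept), sep="\n")
```

The heuristics are deliberately narrow: they catch the random-name droppers the helper listed but not the Ebates adware, which the helper identified by name, so treat the output as a shortlist for a human rather than a verdict. The diff is the part that answers the question: entries that vanish and reappear under new names point at a loader that is still active, and the entries that persist across both rounds (gsskpcs.exe, the Ebates item) are the ones to examine first, which is why the helper's order is fix the Run entries, boot to Safe Mode so nothing re-registers them, then delete the files.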
CoolWebSearch.CameUp was found trying to install.
Also, the desktop still makes doubles of icons.
Also, all the files were not found except windupt.
Also, what is this folder called $VAULT$.AVG?
Here's the new HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 3:04:35 AM, on 03/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Here is what MS antivirus found:
Spyware Scan Details
Start Date: 3/26/2005 11:13:50 PM
End Date: 3/26/2005 11:41:40 PM
Total Time: 27 mins 50 secs
Detected Threats
ShopAtHome Spyware more information...
Details: ShopAtHome installs itself in the Winsock layer of your system and redirects your browser to merchant sites to take advantage of the affiliate fees.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\windows\redir.txt
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086674.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086694.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086695.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086727.exe
MediaTickets CDT Spyware more information...
Details: Mediatickets is a spyware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086661.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090973.exe
eXact.BullseyeNetwork Adware more information...
Details: Bullseye displays pop-up advertisements.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086713.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086714.exe
SearchAssistant Spyware more information...
Details: SearchAssistant also known as Search Extender is an Internet Explorer modifier.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0091068.dll
Transponder.DLMax Spyware more information...
Details: Transponder is an Internet Explorer Browser Helper Object (BHO) that monitors web pages requested and data entered into forms.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\documents and settings\user\local settings\temp\thi1a78.tmp\dlmax.dll
c:\documents and settings\user\desktop\backups\backup-20050325-214814-285.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091467.dll
Spyware.BHO.sasetup Browser Plug-in more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\documents and settings\user\desktop\backups\backup-20050324-223023-314.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091408.dll
Marketscore.InternetAccelerator Spyware more information...
Details: MarketScore is a proxy service that presents itself as increasing the speed of your Internet connection. It has the ability to redirect and decrypt information transmitted between this computer and a Web site.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090979.dll
VX2.ABetterInternet Adware more information...
Details: ABetterInternet displays advertisements based on the Web sites you visit.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\windows\wupdsnff.exe
c:\documents and settings\user\local settings\temp\randreco.exe
Topconverting Crazywinnings Adware more information...
Details: Topconverting Crazywinnings installs via online games through ActiveX drive-by-download.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086691.exe
eXact.Downloader Trojan Downloader more information...
Details: eXact Downloader is a Trojan used by eXact Bargain Buddy and Cash Back to download and install additional components.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086702.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086703.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086729.exe
Transponder.ABetterInternet.Ceres Spyware more information...
Details: VX2.ABetterInternet.Transponder.2 is a new transponder variant of aBetterInternet.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\windows\wupdsnff.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091448.exe
Unclassified.Spyware.47 Spyware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086698.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086726.dll
Transponder.Pynix Spyware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp475\a0091209.dll
eXact.BargainBuddy Adware more information...
Details: BargainBuddy is a Browser Helper Object that watches the pages your browser requests and the terms you enter into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086673.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086730.exe
EUniverse Updater Browser Modifier more information...
Details: EUniverse is adware that runs at Windows startup. EUniverse generates pop-up advertisements, and performs a number of spyware related functions such as transmitting personal information and redirecting Internet Explorer.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
IEPlugin Spyware more information...
Details: IEPlugin is an Internet Explorer browser helper object that monitors URLs, content entered into forms, and local filenames and displays pops-up advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\documents and settings\user\desktop\backups\backup-20050324-223023-125.dll
c:\documents and settings\user\desktop\backups\backup-20050326-224839-983.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090975.bat
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091395.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp479\a0091544.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\VersionIndependentProgID IMIToolbar.LeftFrame
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C} LeftFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ProgID IMIToolbar.BottomFrame.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\VersionIndependentProgID IMIToolbar.BottomFrame
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49} BottomFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\ProgID IMIToolbar.PopupWindow.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1 BottomFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer IMIToolbar.BottomFrame.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame BottomFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1 LeftFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer IMIToolbar.LeftFrame.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame LeftFrame Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1 PopupBrowser Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer IMIToolbar.PopupBrowser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser PopupBrowser Class
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\VersionIndependentProgID IMIToolbar.PopupWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1 PopupWindow Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer IMIToolbar.PopupWindow.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow PopupWindow Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1\CLSID {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1 Band Class
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7} PopupWindow Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band\CLSID {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band\CurVer Wbho.Band.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band Band Class
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\ProgID IMIToolbar.LeftFrame.1
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\VersionIndependentProgID IMIToolbar.LeftFrame
HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c} LeftFrame Class
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\ProgID IMIToolbar.BottomFrame.1
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\VersionIndependentProgID IMIToolbar.BottomFrame
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49} BottomFrame Class
HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1 BottomFrame Class
HKEY_CLASSES_ROOT\imitoolbar.bottomframe
HKEY_CLASSES_ROOT\imitoolbar.bottomframe\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
HKEY_CLASSES_ROOT\imitoolbar.bottomframe\CurVer IMIToolbar.BottomFrame.1
HKEY_CLASSES_ROOT\imitoolbar.bottomframe BottomFrame Class
HKEY_CLASSES_ROOT\imitoolbar.leftframe.1
HKEY_CLASSES_ROOT\imitoolbar.leftframe.1\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
HKEY_CLASSES_ROOT\imitoolbar.leftframe.1 LeftFrame Class
HKEY_CLASSES_ROOT\imitoolbar.leftframe
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\ProgID IMIToolbar.PopupBrowser.1
HKEY_CLASSES_ROOT\imitoolbar.leftframe\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
HKEY_CLASSES_ROOT\imitoolbar.leftframe\CurVer IMIToolbar.LeftFrame.1
HKEY_CLASSES_ROOT\imitoolbar.leftframe LeftFrame Class
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1 PopupBrowser Class
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser\CurVer IMIToolbar.PopupBrowser.1
HKEY_CLASSES_ROOT\imitoolbar.popupbrowser PopupBrowser Class
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1
HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1 PopupWindow Class
HKEY_CLASSES_ROOT\imitoolbar.popupwindow
HKEY_CLASSES_ROOT\imitoolbar.popupwindow\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
HKEY_CLASSES_ROOT\imitoolbar.popupwindow\CurVer IMIToolbar.PopupWindow.1
HKEY_CLASSES_ROOT\imitoolbar.popupwindow PopupWindow Class
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\VersionIndependentProgID IMIToolbar.PopupBrowser
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7} IBottom
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64} IPopupBrowser
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}
HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a} PopupBrowser Class
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0} ILeftFrame
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}
HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649} IBottomFrame
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\ProgID IMIToolbar.PopupBrowser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\VersionIndependentProgID IMIToolbar.PopupBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A} PopupBrowser Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\ProgID IMIToolbar.PopupWindow.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\VersionIndependentProgID IMIToolbar.PopupWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7} PopupWindow Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ProgID IMIToolbar.LeftFrame.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
Transponder.Farmmext Adware more information...
Details: Advertising network software to display popup advertising.
Status: Removed
Elevated threat - Eleveated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.
Infected files detected
c:\documents and settings\user\local settings\temp\thi6844.tmp\farmmext.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp475\a0091203.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091410.exe
eBates.MoeMoneyMaker Adware more information...
Details: ebates Moe MoneyMaker displays pop-up advertisements and disables programs, including pop-up blockers that might interfere with its operation.
Status: Removed
Elevated threat - Eleveated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.
Infected files detected
c:\documents and settings\user\local settings\temp\drtemp\mmaker4b.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091479.exe
c:\documents and settings\user\local settings\temp\thi4209.tmp\mmaker4b.exe
c:\documents and settings\user\local settings\temp\thi770.tmp\mmaker4b.exe
c:\documents and settings\user\local settings\temp\thi979.tmp\mmaker4b.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091416.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091417.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091418.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091477.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091478.exe
eDonkey2000 Software Bundler more information...
Details: eDonkey2000 is a peer-to-peer file sharing program that installs with adware and spyware such as Webhancer, Web Search Toolbar, and New.Net.
Status: Ignored
Low threat - Low-risk items have little potential for harm, but users may wish to examine the item further.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Program Files\eDonkey2000\plugins\ed2kie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object
Detected Spyware Cookies
No spyware cookies were found during this scan.
=edit=
Thanks, the desktop thing works, 'cept... it always comes back after a while.
First, your log is looking much better. Have hijackthis fix this line.
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
Next we want to flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.
Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.
To create a restore point:
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.
Now we need to clean out your temp files. The easiest way to do this is to run a program called Cleanup.
http://downloads.stevengould.org/cleanup/CleanUp312.exe
Delete everything from within this folder.
C:\WINDOWS\Prefetch
Finally let's see if we can fix your double icons. Please download the attached text file (deskfix.txt)
After you've saved it somewhere you can find it - rename it to deskfix.reg
Double click on it - answer ok when it asks if it is ok to run or merge
Reboot and see if the double icons have gone.
Let me know how it feels and any problems that you are still having. Did that latest virus scan come up with anything? Please post a new hijackthis log.
the virus check found all viruses in files in the folder
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
um, I don't seem to have a System Restore tab, and I'm administrator.. I don't think it is installed?
also this link
http://downloads.stevengould.org/cleanup/CleanUp312.exe
does not work for me
here's the new HijackThis log
Logfile of HijackThis v1.99.0
Scan saved at 3:57:15 PM, on 03/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
oh yeah, and happy Easter
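Reading a HijackThis log by hand, as the helper does above, means scanning each R/O section for entries that do not belong. The following is an added example (the editor's own code, not HijackThis or anything posted in this thread) that does the same first pass programmatically: it splits each line into its section code and entry text, extracts the file path the entry points at, and flags Internet Explorer start/search settings that point at a raw IP address or a res:// resource, and startup items, BHOs or services whose binary lives in a user-writable folder. The sample log is constructed from lines modelled on the one just posted, plus one constructed bad entry (`sample-bad.exe`) and a constructed hijacked start page on a documentation IP; the heuristics are assumptions about what is worth a second look, not a verdict.

```python
"""First-pass triage of a HijackThis (HJT) log: group entries by section,
extract the referenced path, and flag entries a reviewer should look at first.
The flagging rules are the editor's own heuristics, not HijackThis logic."""
import re

# "O4 - HKLM\..\Run: [name] C:\path\file.exe" -> section "O4", body after " - "
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# First Windows path in the entry that ends in a loadable/executable extension.
PATH_RE = re.compile(
    r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|com|scr|bat|pif|htm|html)\b",
    re.IGNORECASE,
)
# A URL whose host is a bare IPv4 literal (no domain name at all).
IP_HOST_RE = re.compile(r"://\d{1,3}(?:\.\d{1,3}){3}")
# Folders an ordinary user (and therefore a drive-by installer) can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\documents and settings\\")

# Constructed sample log; the bad O4 line and the R1 start page are invented.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://203.0.113.5/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Application Data\sample-bad.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_log(text):
    """Return one dict per HJT entry: section, body, and the first path found.
    Header lines and the 'Running processes' block carry no section code and
    are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append({"section": m.group("section"), "body": body,
                        "path": p.group(0) if p else None})
    return entries


def triage(entries):
    """Return the entries worth a second look, each with a one-line reason."""
    flagged = []
    for e in entries:
        reason = None
        if e["section"].startswith("R"):
            # R-lines are IE start/search settings; a bare IP or res:// target
            # is the classic hijack signature.
            if "res://" in e["body"].lower() or IP_HOST_RE.search(e["body"]):
                reason = "IE start/search setting points at an IP address or res:// resource"
        elif e["path"]:
            low = e["path"].lower()
            if any(marker in low for marker in USER_WRITABLE):
                reason = "binary runs from a user-writable folder"
        if reason:
            flagged.append({**e, "reason": reason})
    return flagged


def section_counts(entries):
    """How many entries of each section type the log contains."""
    counts = {}
    for e in entries:
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("sections:", section_counts(parsed))
    for f in triage(parsed):
        print(f"[{f['section']}] {f['reason']}: {f['body']}")
```

The rules deliberately stay narrow: a path under Program Files or System32 is not proof of a clean entry (the Ebates O8 line the helper asked to have fixed sits in Program Files and is caught by its name, not its location), so the output is a reading order for a reviewer, not a removal list.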
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Now let's see if we can get your System Restore working for you.
Right click My computer
Click on Manage
Click on Services and applications
Click on Services
Go down the list till you see System Restore.
Either click on Start or select Automatic.
Reboot, right click on My Computer, select Properties and see if the System Restore tab is available.
yet no tab
still double icons
Click Start -> Run and type REGEDIT and click OK.
Navigate to:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
In the right-pane, delete the value "DisableConfig" if it exists.
In the right-pane, delete the value "DisableSR" if it exists.
Reboot, check to see if the System Restore tab exists.
there is no file in Windows NT named System Restore,
only Terminal
oh yeah
today all of a sudden my desktop came back, all the old icons and no double icons either
I guess it worked the second time I ran deskfix.reg and freeclean.v2
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.
If a "DisableSR" value doesn't exist, go to the Edit menu, select New, DWORD value, and create the value.
Set the value to 1 to disable System Restore or 0 to enable System Restore.
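The two registry checks in this thread (the Policies key a few posts up, and the CurrentVersion key here) can be applied in one go as a .reg file. This is an added example, not the thread's deskfix.reg or anything the helper posted; the keys and value names are exactly the ones named in the posts, and `=-` is the .reg syntax for deleting a value if it exists.

```reg
Windows Registry Editor Version 5.00

; Policy overrides that hide the System Restore tab or switch SR off.
; "=-" deletes the value; merging is a no-op if the value is absent.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-

; Component setting: 0 = System Restore enabled, 1 = disabled.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
```

Merge it, reboot, and check for the tab. Note that these values only control whether System Restore is allowed to run; if the component's own files are missing (as the rstrui.exe error later in this thread suggests), the tab stays absent whatever the registry says.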
The “DisableSR” value is set to 0
the "DisableSR" value already existed and was already set to zero
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.
Let me know of any complications.
rstrui.exe - Unable to locate component
"This application has failed to start because of SRRSTR.dll was not found. Re-installing the application may fix this problem."
Go to windowsupdate.microsoft.com and install the critical updates. You should have to do this about two or three times. The first update will be Service Pack 2. It's a large download (approximately 80 MB) and might take a while.
Do that and see if it takes care of the problem.
http://www.short-media.com/download.php?d=300
I can download it but it won't install.
It says:
Windows XP Service Pack 2 cannot install
The product key used to install Microsoft Windows may not be valid. For more information about why you have received this error message, and steps you can take to resolve this issue visit www.howtotell.com