Help Please!

Wow... I just got some crazy virus and I can't open Internet Explorer. I'm on my other computer. Spyware is downloading EVERYWHERE and it's really bad. I DON'T KNOW what's wrong... please help

Logfile of HijackThis v1.99.0
Scan saved at 1:29:10 AM, on 03/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Jiu.exe
C:\WINDOWS\System32\ntddetect.exe
C:\windows\saap.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\paytime.exe
C:\Documents and Settings\User\Application Data\obao.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {6FA53C60-0792-437C-9686-F9B77131DCF6} - C:\WINDOWS\System32\dpnp.dll
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
O4 - HKLM\..\Run: [paxebmv] C:\WINDOWS\paxebmv.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O18 - Filter: text/html - {D5686817-DEB3-4ADF-B2B2-D4CB0C0FD6D2} - C:\WINDOWS\System32\dpnp.dll
O18 - Filter: text/plain - {D5686817-DEB3-4ADF-B2B2-D4CB0C0FD6D2} - C:\WINDOWS\System32\dpnp.dll
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Please download this tool and extract it to your desktop.
    http://www.derbilk.de/SpSeHjfix_Beta9.zip

    Start SpSeHjfix_Beta9.exe and click on "Desinfecton starten". It will reboot your computer to complete the cleaning process. Once it is done, please post a new HijackThis log.
  • edited March 2005
    It didn't really do anything after I disinfected it, I think.

    Here's the new log:

    Logfile of HijackThis v1.99.0
    Scan saved at 3:46:36 PM, on 03/22/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\paytime.exe
    C:\WINDOWS\System32\Jiu.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ntddetect.exe
    C:\windows\saap.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\paytime.exe
    C:\Documents and Settings\User\Application Data\obao.exe
    C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
    O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
    O1 - Hosts: 127.0.0.3 x.full-tgp.net
    O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
    O1 - Hosts: 127.0.0.3 autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O1 - Hosts: 127.0.0.3 virgin-tgp.net
    O1 - Hosts: 127.0.0.3 www.awmcash.biz
    O1 - Hosts: 127.0.0.3 awmcash.biz
    O1 - Hosts: 127.0.0.3 buldog-stats.com
    O1 - Hosts: 127.0.0.3 www.buldog-stats.com
    O1 - Hosts: 127.0.0.3 fregat.drocherway.com
    O1 - Hosts: 127.0.0.3 slutmania.biz
    O1 - Hosts: 127.0.0.3 www.slutmania.biz
    O1 - Hosts: 127.0.0.3 toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.megapornix.com
    O1 - Hosts: 127.0.0.3 megapornix.com
    O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
    O1 - Hosts: 127.0.0.3 sp2****ed.biz
    O1 - Hosts: 127.0.0.3 greg-tut.com
    O1 - Hosts: 127.0.0.3 www.greg-tut.com
    O1 - Hosts: 127.0.0.3 nylonsexy.com
    O1 - Hosts: 127.0.0.3 www.nylonsexy.com
    O1 - Hosts: 127.0.0.3 vparivalka.com
    O1 - Hosts: 127.0.0.3 www.vparivalka.com
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
    O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
    O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
    O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKLM\..\Run: [paxebmv] C:\WINDOWS\paxebmv.exe
    O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
    O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
    O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
    O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
    O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    That was just to get rid of the worst offender. You've still got a CWS infection and numerous viruses.


    STEP ONE

    Please download and run CWShredder, making sure to click "Fix".
    http://cwshredder.net/bin/CWSInstall.exe


    STEP TWO

    Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.

    http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe


    STEP THREE

    Download and run Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    Remove everything that it finds.


    STEP FOUR

    Download (right-click and select "Save file as" or "Save link as"): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install



    Reboot and post a new hijackthis log.
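As an added example (not from this thread, the helper, or the HijackThis project), here is a small Python triage script for the log format posted above: it parses the R0/R1, O1, O4, O15 and O16 entries, lists the Trusted Zone and Trusted IP range entries that DelDomains.inf removes, and cross-checks the ActiveX (O16) downloads against those trusted domains. The three-letter Run-name heuristic and the sample lines embedded below are my own constructions, copied from the logs in this thread.

```python
import re

# Constructed sample input: a dozen lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
"""

# One regex per HijackThis section handled here; the "Rn - " / "On - " prefix is common to all entries.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+) (?P<host>\S+)$")
ZONE_RE = re.compile(r"^Trusted (?:Zone|IP range): (?P<target>\S+)(?P<hklm> \(HKLM\))?$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# Assumed heuristic (mine, not HijackThis's): Run names and executables that are three random
# letters, as in "[Fpb] C:\WINDOWS\Tbf.exe" from the logs above.
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{2}$")

FINDING_KINDS = ("browser_hijack", "hosts_redirect", "random_run_entry",
                 "unprintable_run_entry", "trusted_zone", "activex_download",
                 "activex_from_trusted_zone")


def parse_entries(text):
    """Return (section, body) pairs for every entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def hostname(url):
    """Host part of a URL ('' if the URL has no scheme)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def zone_matches(host, targets):
    """True when host is covered by a '*.domain' wildcard or equals a bare domain/IP in targets."""
    for t in targets:
        if t.startswith("*."):
            d = t[2:].lower()
            if host == d or host.endswith("." + d):
                return True
        elif host == t.lower():
            return True
    return False


def triage(text):
    """Group the suspicious entries of a HijackThis log by kind; every kind is always present."""
    findings = {k: [] for k in FINDING_KINDS}
    trusted = []
    for section, body in parse_entries(text):
        if section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            # Start/Default/Local page or Search Bar pointed at a URL (here a bare IP and a res:// DLL).
            if value.lower().startswith(("http://", "https://", "res://")):
                findings["browser_hijack"].append((key.rsplit(",", 1)[-1], value))
        elif section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                findings["hosts_redirect"].append((m.group("host"), m.group("addr")))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            name, cmd = m.group("name"), m.group("cmd")
            exe = cmd.replace('"', "").split("\\")[-1].split(" ")[0]
            if RANDOM_NAME_RE.match(name) and RANDOM_NAME_RE.match(exe.rsplit(".", 1)[0]):
                findings["random_run_entry"].append((m.group("hive"), name, cmd))
            # HijackThis prints '?' for characters it cannot show; ??plorer.exe imitates explorer.exe.
            elif "?" in exe:
                findings["unprintable_run_entry"].append((m.group("hive"), name, cmd))
        elif section == "O15":
            m = ZONE_RE.match(body)
            if m:
                trusted.append(m.group("target"))
                findings["trusted_zone"].append((m.group("target"), bool(m.group("hklm"))))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m:
                findings["activex_download"].append(m.group("url"))
    # Cross-reference: an ActiveX control fetched from a domain the machine was told to trust.
    for url in findings["activex_download"]:
        if zone_matches(hostname(url), trusted):
            findings["activex_from_trusted_zone"].append(url)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```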
  • edited March 2005
    OK, after a long day I did it all except the DelDomains.inf install, because I can't seem to right-click anything... also everything makes a duplicate icon on my desktop... and there's a red screen that says something like "Danger Spyware" whatever.

    Here's the log:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:08:30 PM, on 03/22/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ntddetect.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\Vta.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\User\Application Data\obao.exe
    C:\WINDOWS\System32\??plorer.exe
    C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
    O1 - Hosts: 127.0.0.3 x.full-tgp.net
    O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
    O1 - Hosts: 127.0.0.3 autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O1 - Hosts: 127.0.0.3 virgin-tgp.net
    O1 - Hosts: 127.0.0.3 www.awmcash.biz
    O1 - Hosts: 127.0.0.3 awmcash.biz
    O1 - Hosts: 127.0.0.3 buldog-stats.com
    O1 - Hosts: 127.0.0.3 www.buldog-stats.com
    O1 - Hosts: 127.0.0.3 fregat.drocherway.com
    O1 - Hosts: 127.0.0.3 slutmania.biz
    O1 - Hosts: 127.0.0.3 www.slutmania.biz
    O1 - Hosts: 127.0.0.3 toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.megapornix.com
    O1 - Hosts: 127.0.0.3 megapornix.com
    O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
    O1 - Hosts: 127.0.0.3 sp2****ed.biz
    O1 - Hosts: 127.0.0.3 greg-tut.com
    O1 - Hosts: 127.0.0.3 www.greg-tut.com
    O1 - Hosts: 127.0.0.3 nylonsexy.com
    O1 - Hosts: 127.0.0.3 www.nylonsexy.com
    O1 - Hosts: 127.0.0.3 vparivalka.com
    O1 - Hosts: 127.0.0.3 www.vparivalka.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
    O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
    O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - HKLM\..\Run: [Ubo] C:\WINDOWS\Tep.exe
    O4 - HKLM\..\Run: [Riv] C:\WINDOWS\Dnc.exe
    O4 - HKLM\..\Run: [Srs] C:\WINDOWS\Las.exe
    O4 - HKLM\..\Run: [Fma] C:\WINDOWS\Klf.exe
    O4 - HKLM\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
    O4 - HKLM\..\Run: [Vid] C:\WINDOWS\Vkj.exe
    O4 - HKLM\..\Run: [Lud] C:\WINDOWS\Vch.exe
    O4 - HKLM\..\Run: [Gfl] C:\WINDOWS\Vca.exe
    O4 - HKLM\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
    O4 - HKLM\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
    O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Okv.exe
    O4 - HKLM\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
    O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
    O4 - HKLM\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
    O4 - HKLM\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
    O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
    O4 - HKLM\..\Run: [Onh] C:\WINDOWS\Bnd.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
    O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
    O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - HKCU\..\Run: [Ubo] C:\WINDOWS\Tep.exe
    O4 - HKCU\..\Run: [Riv] C:\WINDOWS\Dnc.exe
    O4 - HKCU\..\Run: [Srs] C:\WINDOWS\Las.exe
    O4 - HKCU\..\Run: [Fma] C:\WINDOWS\Klf.exe
    O4 - HKCU\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
    O4 - HKCU\..\Run: [Vid] C:\WINDOWS\Vkj.exe
    O4 - HKCU\..\Run: [Lud] C:\WINDOWS\Vch.exe
    O4 - HKCU\..\Run: [Gfl] C:\WINDOWS\Vca.exe
    O4 - HKCU\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
    O4 - HKCU\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
    O4 - HKCU\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
    O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Okv.exe
    O4 - HKCU\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
    O4 - HKCU\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
    O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
    O4 - HKCU\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
    O4 - HKCU\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
    O4 - HKCU\..\Run: [Onh] C:\WINDOWS\Bnd.exe
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • jared College Station, TX Icrontian
    edited March 2005
    Alright, let me take a stab at it; you're still infected.

    First off, download Ad-Aware if you haven't already. I prefer it over the MS spyware tool. You can grab it off the SM download page here: http://www.short-media.com/download.php?dc=69. After you have downloaded it, go ahead and install it on your system. Once this is done, tell it to go ahead and update. Don't worry about running a scan right now; just make sure it gets all the latest and greatest updates installed.

    Once that is done, reboot your computer into Safe Mode. To do this, reboot your PC and start tapping F8 before Windows loads up.

    Now that you are in Safe Mode, open up that copy of HijackThis. Remove the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
    O1 - Hosts: 127.0.0.3 x.full-tgp.net
    O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
    O1 - Hosts: 127.0.0.3 autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O1 - Hosts: 127.0.0.3 virgin-tgp.net
    O1 - Hosts: 127.0.0.3 www.awmcash.biz
    O1 - Hosts: 127.0.0.3 awmcash.biz
    O1 - Hosts: 127.0.0.3 buldog-stats.com
    O1 - Hosts: 127.0.0.3 www.buldog-stats.com
    O1 - Hosts: 127.0.0.3 fregat.drocherway.com
    O1 - Hosts: 127.0.0.3 slutmania.biz
    O1 - Hosts: 127.0.0.3 www.slutmania.biz
    O1 - Hosts: 127.0.0.3 toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.megapornix.com
    O1 - Hosts: 127.0.0.3 megapornix.com
    O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
    O1 - Hosts: 127.0.0.3 sp2****ed.biz
    O1 - Hosts: 127.0.0.3 greg-tut.com
    O1 - Hosts: 127.0.0.3 www.greg-tut.com
    O1 - Hosts: 127.0.0.3 nylonsexy.com
    O1 - Hosts: 127.0.0.3 www.nylonsexy.com
    O1 - Hosts: 127.0.0.3 vparivalka.com
    O1 - Hosts: 127.0.0.3 www.vparivalka.com
    O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKLM\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKLM\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
    O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
    O4 - HKLM\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKLM\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - HKLM\..\Run: [Ubo] C:\WINDOWS\Tep.exe
    O4 - HKLM\..\Run: [Riv] C:\WINDOWS\Dnc.exe
    O4 - HKLM\..\Run: [Srs] C:\WINDOWS\Las.exe
    O4 - HKLM\..\Run: [Fma] C:\WINDOWS\Klf.exe
    O4 - HKLM\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
    O4 - HKLM\..\Run: [Vid] C:\WINDOWS\Vkj.exe
    O4 - HKLM\..\Run: [Lud] C:\WINDOWS\Vch.exe
    O4 - HKLM\..\Run: [Gfl] C:\WINDOWS\Vca.exe
    O4 - HKLM\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
    O4 - HKLM\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
    O4 - HKLM\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
    O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Okv.exe
    O4 - HKLM\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
    O4 - HKLM\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
    O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
    O4 - HKLM\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
    O4 - HKLM\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
    O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
    O4 - HKLM\..\Run: [Onh] C:\WINDOWS\Bnd.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
    O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\pkifkjbj.exe
    O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
    O4 - HKCU\..\Run: [Egbg] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [Fpb] C:\WINDOWS\Tbf.exe
    O4 - HKCU\..\Run: [Aer] C:\WINDOWS\System32\Dtf.exe
    O4 - HKCU\..\Run: [Hpg] C:\WINDOWS\System32\Qmk.exe
    O4 - HKCU\..\Run: [Oqk] C:\WINDOWS\System32\Dom.exe
    O4 - HKCU\..\Run: [Ubo] C:\WINDOWS\Tep.exe
    O4 - HKCU\..\Run: [Riv] C:\WINDOWS\Dnc.exe
    O4 - HKCU\..\Run: [Srs] C:\WINDOWS\Las.exe
    O4 - HKCU\..\Run: [Fma] C:\WINDOWS\Klf.exe
    O4 - HKCU\..\Run: [Fmp] C:\WINDOWS\System32\Tpg.exe
    O4 - HKCU\..\Run: [Vid] C:\WINDOWS\Vkj.exe
    O4 - HKCU\..\Run: [Lud] C:\WINDOWS\Vch.exe
    O4 - HKCU\..\Run: [Gfl] C:\WINDOWS\Vca.exe
    O4 - HKCU\..\Run: [Lhs] C:\WINDOWS\System32\Mhv.exe
    O4 - HKCU\..\Run: [Sjp] C:\WINDOWS\Sqi.exe
    O4 - HKCU\..\Run: [Dvc] C:\WINDOWS\System32\Vta.exe
    O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Okv.exe
    O4 - HKCU\..\Run: [Jfm] C:\WINDOWS\System32\Pre.exe
    O4 - HKCU\..\Run: [Opv] C:\WINDOWS\System32\Umh.exe
    O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Ivd.exe
    O4 - HKCU\..\Run: [Efd] C:\WINDOWS\System32\Dqu.exe
    O4 - HKCU\..\Run: [Asq] C:\WINDOWS\System32\Ftf.exe
    O4 - HKCU\..\Run: [Onh] C:\WINDOWS\Bnd.exe
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...tterInstall.cab


    Now that you have deleted all these entries (a bunch, eh?), open up the newly installed Ad-Aware program. Go ahead and run a full system scan (still in Safe Mode!). It should remove most of those dud files that are still on your PC.

    When the scan is finished, reboot into normal mode and see how it feels. If you still get lots of pop-ups, post another log.

    Also, if spyware is a big concern, you might consider not using IE and trying Firefox.

    Good Luck

    :cool:
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    After you have followed jared's instructions, you will need to restore your hosts file.

    Download Hoster.

    http://members.aol.com/toadbee/hoster.zip

    This will restore your original hosts file.
    Run the program and press Restore Original Hosts and press OK.


    The trojan virus will still exist on your computer. In order to remove it, try running a program called A2. You will need to register in order to get the updates, but it's free.

    http://www.emsisoft.com/en/software/free/


    Please post a new HijackThis log when you are done.
  • edited March 2005
    OK, I did what you said.

    My background restored, but it still makes 2 of the same icon and I can't right-click.

    New HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:09:23 PM, on 03/23/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\Oph.exe
    C:\windows\system32\gsskpcs.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\User\Application Data\obao.exe
    C:\WINDOWS\System32\??plorer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\packager.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\sasetup.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
    O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
    O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
    O4 - HKLM\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
    O4 - HKLM\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
    O4 - HKLM\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
    O4 - HKLM\..\Run: [Tsk] C:\WINDOWS\Jud.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
    O4 - HKCU\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
    O4 - HKCU\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
    O4 - HKCU\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
    O4 - HKCU\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
    O4 - HKCU\..\Run: [Tsk] C:\WINDOWS\Jud.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\sasetup.dll
    O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\Oph.exe
    O4 - HKLM\..\Run: [Jti] C:\WINDOWS\Iui.exe
    O4 - HKLM\..\Run: [Ehd] C:\WINDOWS\System32\Bgs.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
    O4 - HKLM\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
    O4 - HKLM\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
    O4 - HKLM\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
    O4 - HKLM\..\Run: [Tsk] C:\WINDOWS\Jud.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Rpa] C:\WINDOWS\System32\Ict.exe
    O4 - HKCU\..\Run: [Bkd] C:\WINDOWS\System32\Rhp.exe
    O4 - HKCU\..\Run: [Gag] C:\WINDOWS\System32\Sbc.exe
    O4 - HKCU\..\Run: [Ndc] C:\WINDOWS\Gvb.exe
    O4 - HKCU\..\Run: [Bcj] C:\WINDOWS\Vmo.exe
    O4 - HKCU\..\Run: [Tsk] C:\WINDOWS\Jud.exe
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\Pynix.dll (file missing)
    C:\WINDOWS\systb.dll
    C:\WINDOWS\sasetup.dll
    C:\WINDOWS\Oph.exe
    C:\WINDOWS\Iui.exe
    C:\WINDOWS\System32\Bgs.exe
    C:\WINDOWS\farmmext.exe
    c:\windows\system32\gsskpcs.exe
    C:\WINDOWS\System32\Ict.exe
    C:\WINDOWS\System32\Rhp.exe
    C:\WINDOWS\wupdt.exe
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\WINDOWS\System32\Sbc.exe
    C:\WINDOWS\Gvb.exe
    C:\WINDOWS\Vmo.exe
    C:\WINDOWS\Jud.exe
    C:\WINDOWS\System32\ntddetect.exe
    C:\WINDOWS\System32\Ict.exe
    C:\WINDOWS\System32\Rhp.exe
    C:\WINDOWS\System32\Sbc.exe
    C:\WINDOWS\Gvb.exe
    C:\WINDOWS\Vmo.exe
    C:\WINDOWS\Jud.exe



    Reboot your computer to go back to normal mode.



    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://www.bitdefender.com/scan/licence.php

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that cannot be removed by the scans, please include that information in your next post.



    Reboot and post a new HijackThis log.
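As an added example (not code from this thread, from HijackThis or from either helper), here is a small Python triage script that parses lines in the HijackThis log format the posters exchange above and flags the same classes of entry jared and Buckeye_Sam told the poster to fix: start or search pages pointing at a bare IP address or a res:// resource, non-default hosts entries, unnamed BHOs, autoruns of short random-named executables straight from the Windows directories or from Application Data, and Trusted Zone and DPF additions. The sample lines are copied from the logs in this thread; the heuristics, thresholds and function names are my own assumptions, not anything HijackThis itself implements.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99 log format: some of the entries the helpers
# in this thread told the poster to fix, plus benign entries they left alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: (no name) - {966BD97C-18CC-643E-99D8-3481E9B559E5} - C:\WINDOWS\System32\zwgctj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Hca] C:\WINDOWS\System32\Jiu.exe
O4 - HKCU\..\Run: [Cnbo] C:\Documents and Settings\User\Application Data\obao.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")            # "O4 - <body>"
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")  # host is a bare IPv4
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")  # O4 body
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.I)  # first module path
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}  # vendors rarely drop new exes here
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{2,4}$")        # Jiu.exe, Dtf.exe, Bnd.exe, ...

@dataclass(frozen=True)
class Finding:
    line: str
    reason: str

def _split_path(text):
    """(lowercased folder, filename) of the first module path in text, else (None, None)."""
    m = PATH_RE.search(text)
    if not m:
        return None, None
    folder, _, filename = m.group("path").rpartition("\\")
    return folder.lower(), filename

def _random_name(filename):
    return filename is not None and bool(RANDOM_NAME_RE.match(filename.rsplit(".", 1)[0]))

def check_browser_setting(body):  # R0 / R1: IE start, search and local pages
    value = body.partition(" = ")[2].strip()
    if IP_URL_RE.match(value):
        return "browser page points at a bare IP address"
    if value.lower().startswith("res://"):
        return "search page served from a local DLL resource (res://)"
    return None

def check_hosts(body):  # O1: "Hosts: 127.0.0.3 www.example.biz"
    parts = body.split()
    if len(parts) >= 3 and parts[2].lower() != "localhost":
        # an ad-blocking hosts file looks the same, so this means 'review', not 'malware'
        return "non-default hosts entry overrides DNS for a public name"
    return None

def check_bho(body):  # O2: browser helper objects loaded into every IE process
    if body.startswith("BHO: (no name)"):
        return "unnamed BHO"
    folder, filename = _split_path(body)
    if folder in SYSTEM_DIRS and _random_name(filename):
        return "BHO DLL with a short random-looking name in a system directory"
    return None

def check_run(body):  # O4: registry autoruns
    m = RUN_RE.match(body)
    if not m:
        return None
    folder, filename = _split_path(m.group("cmd"))
    if folder in SYSTEM_DIRS and _random_name(filename):
        return "autorun of a short random-looking executable straight from a system directory"
    if folder and ("\\application data" in folder or "\\temp" in folder):
        return "autorun from a per-user Application Data or Temp folder"
    return None

CHECKS = {
    "R0": check_browser_setting, "R1": check_browser_setting,
    "O1": check_hosts, "O2": check_bho, "O4": check_run,
    # O15 hands a site IE's weakest zone; O16 is an ActiveX package IE installed from the web
    "O15": lambda body: "Trusted Zone / Trusted IP range addition: " + body,
    "O16": lambda body: "downloaded ActiveX package; review its source URL",
}

def triage(log_text):
    """Return a Finding for every log line that trips one of the checks above."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m and m.group("code") in CHECKS:
            reason = CHECKS[m.group("code")](m.group("body"))
            if reason:
                findings.append(Finding(line, reason))
    return findings
```

The output is a review list, not a verdict: a legitimate ad-blocking hosts file or a vendor installer running from Temp trips the same rules, which is why a helper still reads the whole log before telling someone what to fix.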
  • edited March 2005
    Here is the status report for BitDefender AntiVirus:

    C:\WINDOWS\system32\drivers\etc\hosts.bak: infected with Trojan.Qhost.K
    C:\WINDOWS\system32\drivers\etc\hosts.bak: disinfection failed
    C:\WINDOWS\system32\gsskpcs.exe: infected with Trojan.Agent.AY
    C:\WINDOWS\system32\gsskpcs.exe: disinfection failed
    C:\WINDOWS\system32\x3yy\jqmihkje.exe: suspect BehavesLike:Trojan.Downloader
    C:\WINDOWS\system32\x3yy\jqmihkje.exe: disinfection failed
    C:\WINDOWS\IFinst25.exe: infected with Backdoor.IzRam.1.7
    C:\WINDOWS\IFinst25.exe: disinfection failed
    C:\WINDOWS\ms3.exe: infected with Trojan.Downloader.Small.AHG
    C:\WINDOWS\ms3.exe: deleted
    C:\Documents and Settings\User\Local Settings\Temp\THI6844.tmp\farmmext.exe: infected with Trojan.Downloader.Stubby.A
    C:\Documents and Settings\User\Local Settings\Temp\THI6844.tmp\farmmext.exe: disinfection failed
    C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-49e15238.class: infected with Trojan.Downloader.Small.WV
    C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-49e15238.class: disinfection failed
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\EAYTKYIS\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\EAYTKYIS\stc[1].html: disinfection failed
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\YIS8RBRD\home[2].aspx: infected with JS.Trojan.Cardst.A
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\YIS8RBRD\home[2].aspx: disinfection failed
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\9BSWDV8C\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\9BSWDV8C\stc[1].html: disinfection failed
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\4VX3UAB1\prompt[2].php: infected with JS.Trojan.Downloader.IstBar.A
    C:\Documents and Settings\Austin\Local Settings\Temporary Internet Files\Content.IE5\4VX3UAB1\prompt[2].php: disinfection failed
    C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SLE7CXUJ\stc[1].html: infected with Exploit.Html.Codebase.Exec.Gen
    C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SLE7CXUJ\stc[1].html: disinfection failed
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: infected with Adware.Wheaterbug.A
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086685.exe: suspect BehavesLike:Trojan.Downloader
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086685.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086723.exe: suspect Trojan.Downloader.Gen
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0086723.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087731.exe: suspect BehavesLike:Trojan.Downloader
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087731.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087772.exe: suspect BehavesLike:Trojan.Downloader
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP471\A0087772.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090924.exe: infected with Trojan.PornDialer.BP
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090924.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090925.exe: infected with Trojan.LowZones.AH
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090925.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090930.dll: infected with Trojan.Downloader.Dyfuca.DT
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090930.dll: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090932.exe: infected with Trojan.Downloader.Delf.DG
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090932.exe: deleted
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090933.exe: suspect BehavesLike:Trojan.StartPage
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090933.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090940.exe: infected with Trojan.PornDialer.BP
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090940.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090942.exe: infected with Trojan.Downloader.Dyfuca.DP
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090942.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090943.exe: infected with Trojan.Downloader.Dyfuca.DP
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP473\A0090943.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP475\A0091203.exe: infected with Trojan.Downloader.Stubby.A
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP475\A0091203.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091410.exe: infected with Trojan.Downloader.Stubby.A
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091410.exe: disinfection failed
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091438.exe: infected with Trojan.Downloader.Small.AHG
    C:\System Volume Information\_restore{7B6F6DE5-CBFA-42AA-B082-BD8867E7497D}\RP478\A0091438.exe: deleted

    I still get two ads from Smart Security and Slimshield.

    Sorry, the Panda one doesn't seem to work :(

    Here is the HijackThis log.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:42:27 PM, on 03/24/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\Hhv.exe
    C:\windows\system32\gsskpcs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\packager.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
    O4 - HKLM\..\Run: [Knl] C:\WINDOWS\Guo.exe
    O4 - HKLM\..\Run: [Uca] C:\WINDOWS\Mid.exe
    O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
    O4 - HKLM\..\Run: [Bvg] C:\WINDOWS\Glp.exe
    O4 - HKLM\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
    O4 - HKLM\..\Run: [Qho] C:\WINDOWS\Vsi.exe
    O4 - HKLM\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [Sel] C:\WINDOWS\Mif.exe
    O4 - HKLM\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
    O4 - HKLM\..\Run: [Avk] C:\WINDOWS\Fkk.exe
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
    O4 - HKCU\..\Run: [Knl] C:\WINDOWS\Guo.exe
    O4 - HKCU\..\Run: [Uca] C:\WINDOWS\Mid.exe
    O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
    O4 - HKCU\..\Run: [Bvg] C:\WINDOWS\Glp.exe
    O4 - HKCU\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
    O4 - HKCU\..\Run: [Qho] C:\WINDOWS\Vsi.exe
    O4 - HKCU\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
    O4 - HKCU\..\Run: [Sel] C:\WINDOWS\Mif.exe
    O4 - HKCU\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
    O4 - HKCU\..\Run: [Avk] C:\WINDOWS\Fkk.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
    O4 - HKLM\..\Run: [Knl] C:\WINDOWS\Guo.exe
    O4 - HKLM\..\Run: [Uca] C:\WINDOWS\Mid.exe
    O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
    O4 - HKLM\..\Run: [Bvg] C:\WINDOWS\Glp.exe
    O4 - HKLM\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
    O4 - HKLM\..\Run: [Qho] C:\WINDOWS\Vsi.exe
    O4 - HKLM\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [Sel] C:\WINDOWS\Mif.exe
    O4 - HKLM\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
    O4 - HKLM\..\Run: [Avk] C:\WINDOWS\Fkk.exe
    O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
    O4 - HKCU\..\Run: [Knl] C:\WINDOWS\Guo.exe
    O4 - HKCU\..\Run: [Uca] C:\WINDOWS\Mid.exe
    O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
    O4 - HKCU\..\Run: [Bvg] C:\WINDOWS\Glp.exe
    O4 - HKCU\..\Run: [Pra] C:\WINDOWS\System32\Mub.exe
    O4 - HKCU\..\Run: [Qho] C:\WINDOWS\Vsi.exe
    O4 - HKCU\..\Run: [Gtm] C:\WINDOWS\System32\Bbd.exe
    O4 - HKCU\..\Run: [Sel] C:\WINDOWS\Mif.exe
    O4 - HKCU\..\Run: [Jgq] C:\WINDOWS\System32\Qbk.exe
    O4 - HKCU\..\Run: [Avk] C:\WINDOWS\Fkk.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\Hhv.exe
    C:\WINDOWS\Guo.exe
    C:\WINDOWS\Mid.exe
    C:\WINDOWS\System32\Kmm.exe
    C:\WINDOWS\Glp.exe
    C:\WINDOWS\System32\Mub.exe
    C:\WINDOWS\Vsi.exe
    C:\WINDOWS\System32\Bbd.exe
    c:\windows\system32\gsskpcs.exe
    C:\WINDOWS\farmmext.exe
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\WINDOWS\Mif.exe
    C:\WINDOWS\System32\Qbk.exe
    C:\WINDOWS\Fkk.exe
    C:\WINDOWS\system32\x3yy
    C:\WINDOWS\IFinst25.exe


    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.


    Reboot your computer to go back to normal mode.



    Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.

    http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe

    Let me know what AVG finds.


    Reboot after the scan and post a new HijackThis log.
  • edited March 2005
    OK, I did what you told me to do.

    AVG found pkg.exe, sjo.exe, sys32\euv.exe, sys32\qnc.exe, tok.exe infected with some Trojan horse Clicker.7.T,
    and for some it says "virus identified Java/ByteVerify" for:
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:\counter.class
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:\parser.class
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\loaderadv109.jar-783040dc-2ff55b4f.zip:
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\classload.jar-6525c37c-70898042.zip/InsecureClassLoader.class
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\classload.jar-6525c37c-70898042.zip
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\archive.jar-7a93de40-790afa7b.zip:
    C:\documents and settings\user\application data\sun\java\deployment\cache\javapi\v1.0\jar\archive.jar-7a93de40-790afa7b.zip:\beyond.class

    My HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:55:27 PM, on 03/25/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Vaq] C:\WINDOWS\System32\Jar.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Tug] C:\WINDOWS\Uag.exe
    O4 - HKLM\..\Run: [Rrs] C:\WINDOWS\Hof.exe
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Tug] C:\WINDOWS\Uag.exe
    O4 - HKCU\..\Run: [Rrs] C:\WINDOWS\Hof.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    How come I delete the stuff but it always comes back?

    Also, my background is some red "danger: spyware" screen supposedly supported by SmartSecurity, and it recreates every icon twice. I cannot right-click basically anything (except IE) and I can't change my background.
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    First let's see if we can restore your desktop background.

    Open Display in Control Panel
    Click the Desktop Tab
    Click the Customize Desktop button.
    Click the Web Tab.

    On the list, highlight any items you did not create yourself and click remove

    Look for the Lock Desktop Items checkbox on this same page and uncheck it.
    Press OK.

    If that doesn't work, download and run this tool.
    http://www.smart-security.info/freeclean.v2.exe



    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Vaq] C:\WINDOWS\System32\Jar.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.ex e"
    O4 - HKLM\..\Run: [Tug] C:\WINDOWS\Uag.exe
    O4 - HKLM\..\Run: [Rrs] C:\WINDOWS\Hof.exe
    O4 - HKCU\..\Run: [Tug] C:\WINDOWS\Uag.exe
    O4 - HKCU\..\Run: [Rrs] C:\WINDOWS\Hof.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\System32\Jar.exe
    C:\WINDOWS\wupdt.exe
    c:\windows\system32\gsskpcs.exe
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\WINDOWS\Uag.exe
    C:\WINDOWS\Hof.exe



    Now run a full scan with MS Antispyware. Let me know what it finds.


    Reboot your computer to go back to normal mode.


    Get an online virus scan at this site.
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx



    Reboot and post a new HijackThis log.
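    Added example (not from this thread and not HijackThis code): a small Python triage script that applies the kinds of judgement behind the two fix lists above (this post and the one before it) to a constructed excerpt assembled from the posted logs, flagging orphaned O2/O3 registrations, search and start pages on untrusted hosts, loose executables dropped straight into the Windows directory under random three-letter names, and programs registered under both the HKLM and HKCU Run keys. The trusted-host and known-system-executable lists are assumptions; the heuristics narrow what an analyst reviews, they do not decide for them.

```python
"""Heuristic triage of HijackThis (HJT) log lines."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Start/search-page hosts accepted as benign. Assumption for this example only.
TRUSTED_HOSTS = {"google.com", "www.google.com", "www.microsoft.com"}

# Executables that legitimately sit directly in System32 and may appear in a
# Run key (ctfmon.exe on XP). Assumption for this example; build your own baseline.
KNOWN_SYSTEM_EXES = {"ctfmon.exe"}

# A file directly under C:\WINDOWS or C:\WINDOWS\System32, no deeper.
WINDIR_FILE = re.compile(r"^c:\\windows\\(?:system32\\)?(?P<file>[^\\]+)$", re.I)
# Hhv.exe, Guo.exe, Kmm.exe ... the naming pattern seen in the posted logs.
RANDOM_NAME = re.compile(r"^[a-z]{3}\.exe$", re.I)

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>\S+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PATH_IN_CMD = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|pif|bat|cmd))\b', re.I)

# Constructed excerpt made up of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKLM\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
O4 - HKLM\..\Run: [gsskpcs] c:\windows\system32\gsskpcs.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cqa] C:\WINDOWS\Hhv.exe
O4 - HKCU\..\Run: [Gfa] C:\WINDOWS\System32\Kmm.exe
""".strip()


def exe_path(cmd: str) -> str:
    """Program path from a Run-key value, without surrounding quotes or arguments."""
    m = PATH_IN_CMD.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def url_host(url: str) -> str:
    """Host of an IE start/search URL; HJT prints some of them without a scheme."""
    if url.startswith("about:"):
        return ""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower()


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {suspicious HJT line: [reasons]} according to the heuristics below."""
    reasons: dict[str, list[str]] = defaultdict(list)
    hives_for: dict[tuple[str, str], set[str]] = defaultdict(set)
    run_lines: list[tuple[str, tuple[str, str]]] = []

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        # Registration survived but the file is gone: a leftover worth fixing.
        if line[:2] in ("O2", "O3", "O9") and ("(no file)" in line or "(file missing)" in line):
            reasons[line].append("registered component whose file is missing")

        r = R_LINE.match(line)
        if r:
            host = url_host(r.group("url"))
            if host and host not in TRUSTED_HOSTS:
                reasons[line].append(f"start/search page points at untrusted host {host}")

        o4 = O4_LINE.match(line)
        if o4:
            path = exe_path(o4.group("cmd"))
            key = (o4.group("name").lower(), path.lower())
            hives_for[key].add(o4.group("hive"))
            run_lines.append((line, key))
            loose = WINDIR_FILE.match(path)
            if loose and loose.group("file").lower() not in KNOWN_SYSTEM_EXES:
                reasons[line].append("loose executable directly in the Windows directory")
                if RANDOM_NAME.match(loose.group("file")):
                    reasons[line].append("random-looking three-letter file name")

    # Second pass: the same program registered for all users (HKLM) and again
    # for the current user (HKCU), as the Cqa/Knl/... pairs in the thread were.
    for line, key in run_lines:
        if hives_for[key] >= {"HKLM", "HKCU"}:
            reasons[line].append("same program registered under both HKLM and HKCU Run")
    return dict(reasons)


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for w in why:
            print("    ->", w)
```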
  • edited March 2005
    Hey,

    coolwebsearch.cameup was found trying to install.
    Also, the desktop still makes doubles of icons.
    Also, all files were not found except wupdt.
    Also, what is this folder called $VAULT$.AVG?

    Here's the new HijackThis log.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:04:35 AM, on 03/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



    Here is what MS Antivirus found:

    Spyware Scan Details
    Start Date: 3/26/2005 11:13:50 PM
    End Date: 3/26/2005 11:41:40 PM
    Total Time: 27 mins 50 secs

    Detected Threats

    ShopAtHome Spyware more information...
    Details: ShopAtHome installs itself in the Winsock layer of your system and redirects your browser to merchant sites to take advantage of the affiliate fees.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\windows\redir.txt
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086674.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086694.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086695.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086727.exe


    MediaTickets CDT Spyware more information...
    Details: Mediatickets is a spyware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086661.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090973.exe


    eXact.BullseyeNetwork Adware more information...
    Details: Bullseye displays pop-up advertisements.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086713.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086714.exe


    SearchAssistant Spyware more information...
    Details: SearchAssistant also known as Search Extender is an Internet Explorer modifier.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0091068.dll


    Transponder.DLMax Spyware more information...
    Details: Transponder is an Internet Explorer Browser Helper Object (BHO) that monitors web pages requested and data entered into forms.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\documents and settings\user\local settings\temp\thi1a78.tmp\dlmax.dll
    c:\documents and settings\user\desktop\backups\backup-20050325-214814-285.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091467.dll


    Spyware.BHO.sasetup Browser Plug-in more information...
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\documents and settings\user\desktop\backups\backup-20050324-223023-314.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091408.dll


    Marketscore.InternetAccelerator Spyware more information...
    Details: MarketScore is a proxy service that presents itself as increasing the speed of your Internet connection. It has the ability to redirect and decrypt information transmitted between this computer and a Web site.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090979.dll


    VX2.ABetterInternet Adware more information...
    Details: ABetterInternet displays advertisements based on the Web sites you visit.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\wupdsnff.exe
    c:\documents and settings\user\local settings\temp\randreco.exe


    Topconverting Crazywinnings Adware more information...
    Details: Topconverting Crazywinnings installs via online games through ActiveX drive-by-download.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086691.exe


    eXact.Downloader Trojan Downloader more information...
    Details: eXact Downloader is a Trojan used by eXact Bargain Buddy and Cash Back to download and install additional components.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086702.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086703.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086729.exe


    Transponder.ABetterInternet.Ceres Spyware more information...
    Details: VX2.ABetterInternet.Transponder.2 is a new transponder variant of aBetterInternet.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\wupdsnff.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091448.exe


    Unclassified.Spyware.47 Spyware more information...
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086698.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086726.dll


    Transponder.Pynix Spyware more information...
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp475\a0091209.dll


    eXact.BargainBuddy Adware more information...
    Details: BargainBuddy is a Browser Helper Object that watches the pages your browser requests and the terms you enter into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086673.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086730.exe


    EUniverse Updater Browser Modifier more information...
    Details: EUniverse is adware that runs at Windows startup. EUniverse generates pop-up advertisements, and performs a number of spyware related functions such as transmitting personal information and redirecting Internet Explorer.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
    HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml


    IEPlugin Spyware more information...
    Details: IEPlugin is an Internet Explorer browser helper object that monitors URLs, content entered into forms, and local filenames and displays pops-up advertisements.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\documents and settings\user\desktop\backups\backup-20050324-223023-125.dll
    c:\documents and settings\user\desktop\backups\backup-20050326-224839-983.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp474\a0090975.bat
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091395.dll
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp479\a0091544.dll

    Infected registry keys/values detected
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\VersionIndependentProgID IMIToolbar.LeftFrame
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C} LeftFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ProgID IMIToolbar.BottomFrame.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\VersionIndependentProgID IMIToolbar.BottomFrame
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49} BottomFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\ProgID IMIToolbar.PopupWindow.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1 BottomFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer IMIToolbar.BottomFrame.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame BottomFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1 LeftFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer IMIToolbar.LeftFrame.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame LeftFrame Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1 PopupBrowser Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer IMIToolbar.PopupBrowser.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser PopupBrowser Class
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\VersionIndependentProgID IMIToolbar.PopupWindow
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1 PopupWindow Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer IMIToolbar.PopupWindow.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow PopupWindow Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1\CLSID {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1 Band Class
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7} PopupWindow Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band\CLSID {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band\CurVer Wbho.Band.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band Band Class
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\InprocServer32 ThreadingModel Apartment
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\ProgID IMIToolbar.LeftFrame.1
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}\VersionIndependentProgID IMIToolbar.LeftFrame
    HKEY_CLASSES_ROOT\clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c} LeftFrame Class
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 ThreadingModel Apartment
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\ProgID IMIToolbar.BottomFrame.1
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\VersionIndependentProgID IMIToolbar.BottomFrame
    HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49} BottomFrame Class
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\InprocServer32 ThreadingModel Apartment
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe.1 BottomFrame Class
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe\CLSID {F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe\CurVer IMIToolbar.BottomFrame.1
    HKEY_CLASSES_ROOT\imitoolbar.bottomframe BottomFrame Class
    HKEY_CLASSES_ROOT\imitoolbar.leftframe.1
    HKEY_CLASSES_ROOT\imitoolbar.leftframe.1\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_CLASSES_ROOT\imitoolbar.leftframe.1 LeftFrame Class
    HKEY_CLASSES_ROOT\imitoolbar.leftframe
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\ProgID IMIToolbar.PopupBrowser.1
    HKEY_CLASSES_ROOT\imitoolbar.leftframe\CLSID {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_CLASSES_ROOT\imitoolbar.leftframe\CurVer IMIToolbar.LeftFrame.1
    HKEY_CLASSES_ROOT\imitoolbar.leftframe LeftFrame Class
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser.1 PopupBrowser Class
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser\CLSID {1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser\CurVer IMIToolbar.PopupBrowser.1
    HKEY_CLASSES_ROOT\imitoolbar.popupbrowser PopupBrowser Class
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow.1 PopupWindow Class
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow\CLSID {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow\CurVer IMIToolbar.PopupWindow.1
    HKEY_CLASSES_ROOT\imitoolbar.popupwindow PopupWindow Class
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}\VersionIndependentProgID IMIToolbar.PopupBrowser
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}\TypeLib Version 1.0
    HKEY_CLASSES_ROOT\interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7} IBottom
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}\TypeLib Version 1.0
    HKEY_CLASSES_ROOT\interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64} IPopupBrowser
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}
    HKEY_CLASSES_ROOT\clsid\{1c896551-8b92-4907-8c06-15db2d1f874a} PopupBrowser Class
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}\TypeLib Version 1.0
    HKEY_CLASSES_ROOT\interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0} ILeftFrame
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\TypeLib {57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649}\TypeLib Version 1.0
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}
    HKEY_CLASSES_ROOT\interface\{98b2ddba-6da2-4421-af2b-814e98f53649} IBottomFrame
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\ProgID IMIToolbar.PopupBrowser.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}\VersionIndependentProgID IMIToolbar.PopupBrowser
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A} PopupBrowser Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_CLASSES_ROOT\clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\ProgID IMIToolbar.PopupWindow.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\VersionIndependentProgID IMIToolbar.PopupWindow
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7} PopupWindow Class
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\InprocServer32 C:\WINDOWS\systb.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ProgID IMIToolbar.LeftFrame.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\TypeLib {58D419E8-1321-4DD2-A6FC-7B41C14DCD79}


    Transponder.Farmmext Adware more information...
    Details: Advertising network software to display popup advertising.
    Status: Removed
    Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

    Infected files detected
    c:\documents and settings\user\local settings\temp\thi6844.tmp\farmmext.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp475\a0091203.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091410.exe


    eBates.MoeMoneyMaker Adware more information...
    Details: ebates Moe MoneyMaker displays pop-up advertisements and disables programs, including pop-up blockers that might interfere with its operation.
    Status: Removed
    Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

    Infected files detected
    c:\documents and settings\user\local settings\temp\drtemp\mmaker4b.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091479.exe
    c:\documents and settings\user\local settings\temp\thi4209.tmp\mmaker4b.exe
    c:\documents and settings\user\local settings\temp\thi770.tmp\mmaker4b.exe
    c:\documents and settings\user\local settings\temp\thi979.tmp\mmaker4b.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091416.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091417.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091418.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091477.exe
    c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091478.exe


    eDonkey2000 Software Bundler more information...
    Details: eDonkey2000 is a peer-to-peer file sharing program that installs with adware and spyware such as Webhancer, Web Search Toolbar, and New.Net.
    Status: Ignored
    Low threat - Low-risk items have little potential for harm, but users may wish to examine the item further.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Program Files\eDonkey2000\plugins\ed2kie.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object


    Detected Spyware Cookies
    No spyware cookies were found during this scan.

    =edit=
    Thanks, the desktop thing works, except... it always comes back after a while.
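    The scan report above has a fixed plain-text shape, and the helper's next step (flushing System Restore) follows from where the detections sit. The Python below is an added example, not code from this thread or from Microsoft AntiSpyware: it parses that report format and separates detections whose files exist only under System Volume Information\_restore (which nothing short of turning System Restore off removes) from files still live on disk, from HijackThis's own backups under Desktop\backups, and from the DLLs the flagged registry keys still register as COM servers. The report embedded in the code is a constructed, abridged sample in the same format; the function and variable names are this example's own.

```python
"""Summarise a Microsoft AntiSpyware scan report (added example; see lead-in)."""
import re
from dataclasses import dataclass, field

HEADER_SUFFIX = " more information..."
THREAT_RE = re.compile(r"^(High|Elevated|Low) threat\b")
# Copies inside restore points: only flushing System Restore removes them.
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{", re.I)
# HijackThis keeps a copy of every item it fixes under Desktop\backups.
HJT_BACKUP_RE = re.compile(r"\\backups\\backup-\d{8}-\d{6}-\d+\.", re.I)
# 'InprocServer32 <path>' names the DLL a CLSID still loads into IE.
INPROC_RE = re.compile(r"\\InprocServer32\s+(?P<path>[a-z]:\\.+?\.(?:dll|ocx))\s*$", re.I)


@dataclass
class Detection:
    name: str
    kind: str
    status: str = ""
    threat: str = ""
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)


def parse_report(text):
    """Walk the report line by line; a blank line ends a files/registry block."""
    detections, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
        elif line.endswith(HEADER_SUFFIX):
            # No separator between name and type: the first token is the name.
            name, _, kind = line[:-len(HEADER_SUFFIX)].partition(" ")
            current = Detection(name=name, kind=kind)
            detections.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("Status:"):
            current.status = line.split(":", 1)[1].strip()
        elif THREAT_RE.match(line):
            current.threat = line.split(" ", 1)[0]
        elif line == "Infected files detected":
            section = "files"
        elif line == "Infected registry keys/values detected":
            section = "registry"
        elif section == "files":
            current.files.append(line)
        elif section == "registry":
            current.registry.append(line)
    return detections


def summarise(detections):
    """Sort the findings the way a helper does before choosing the next step."""
    files = [(d, f) for d in detections for f in d.files]
    return {
        "total": len(detections),
        "ignored": [d.name for d in detections if d.status == "Ignored"],
        "restore_only": [d.name for d in detections
                         if d.files and all(RESTORE_RE.search(f) for f in d.files)],
        "live_files": sorted(f for _, f in files
                             if not RESTORE_RE.search(f) and not HJT_BACKUP_RE.search(f)),
        "hijackthis_backups": sorted(f for _, f in files if HJT_BACKUP_RE.search(f)),
        "inproc_servers": sorted({m.group("path").lower() for d in detections
                                  for m in map(INPROC_RE.search, d.registry) if m}),
    }


# Constructed sample, abridged to the report's shape (not the full scan above).
SAMPLE_REPORT = r"""
eXact.Downloader Trojan Downloader more information...
Status: Removed
High threat - High-risk items have a large potential for harm.
Infected files detected
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086702.exe
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp471\a0086703.exe

IEPlugin Spyware more information...
Status: Removed
High threat - High-risk items have a large potential for harm.
Infected files detected
c:\windows\systb.dll
c:\documents and settings\user\desktop\backups\backup-20050324-223023-125.dll
c:\system volume information\_restore{7b6f6de5-cbfa-42aa-b082-bd8867e7497d}\rp478\a0091395.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 C:\WINDOWS\systb.dll
HKEY_CLASSES_ROOT\clsid\{f3155057-4c2c-4078-8576-50486693fd49}\InprocServer32 ThreadingModel Apartment

eDonkey2000 Software Bundler more information...
Status: Ignored
Low threat - Low-risk items have little potential for harm.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Program Files\eDonkey2000\plugins\ed2kie.dll
"""

if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(key + ":", value)
```

    Run it against a saved report and read the result top to bottom: "restore_only" entries need the System Restore flush, "live_files" need a reboot check to confirm they stayed gone, "hijackthis_backups" are expected hits on HijackThis's own backups, and every path in "inproc_servers" is a DLL worth confirming is no longer on disk.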
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    $VAULT$.AVG is where AVG quarantines viruses that it can't disinfect or delete. You should be able to clean it out through AVG. Look for an option for Manage Quarantined files, or Vault something.



    First, your log is looking much better. Have hijackthis fix this line.
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm



    Next we want to flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.



    Now we need to clean out your temp files. The easiest way to do this is to run a program called Cleanup.
    http://downloads.stevengould.org/cleanup/CleanUp312.exe

    Delete everything from within this folder.

    C:\WINDOWS\Prefetch



    Finally let's see if we can fix your double icons. Please download the attached text file (deskfix.txt)
    After you've saved it somewhere you can find it - rename it to deskfix.reg
    Double-click on it and answer OK when it asks if it is OK to run or merge.

    Reboot and see if the double icons have gone.



    Let me know how it feels and any problems that you are still having. Did that latest virus scan come up with anything? Please post a new hijackthis log.
  • edited March 2005
    OK, the double icon thing didn't work, I still get double icons.

    The virus check found all viruses in files in the folder
    C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

    Um, I don't seem to have a System Restore tab, and I'm administrator... I don't think it is installed?

    Also, this link
    http://downloads.stevengould.org/cleanup/CleanUp312.exe
    does not work for me.

    Here's the new hijack:

    Logfile of HijackThis v1.99.0
    Scan saved at 3:57:15 PM, on 03/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Inverse IP InSight\CNC\ARMon32a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Inverse IP InSight Client (CNC) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\CNC\LaunchIPI.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Oh yeah, and happy Easter :)
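    The helpers in this thread read each HijackThis log by eye for the same few tells: programs running from user-writable folders such as Application Data or Temp, file names with characters that do not print, names one or two letters away from a core Windows binary, and Internet Explorer start or search settings that point at a raw IP address or load a DLL out of Temp. The Python below is an added example, not code from this thread or from HijackThis, that applies those checks to a log in code. The log embedded in it is a constructed sample in HijackThis's format (the IP and file names in it are made up), and the allow-list of core binaries plus every rule threshold are this example's own assumptions.

```python
"""Triage a HijackThis log (added example; see lead-in). Not HijackThis code."""
import re

# Core Windows XP binaries, used as the reference set for the lookalike check
# (an assumption for this example, not a list from the thread).
KNOWN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
         "svchost.exe", "spoolsv.exe", "explorer.exe", "iexplore.exe",
         "wuauclt.exe", "ntdetect.com", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\(application data|local settings\\temp|temp)\\", re.I)
ODD_CHARS = re.compile(r"[^A-Za-z0-9._\-~ ]")        # outside plain ASCII file names
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\.(?:exe|com)$", re.I)
O4_RE = re.compile(r'^O4 - .*?\]\s+"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.I)
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+?)\s*=\s*(?P<url>.+)$")
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
RES_TEMP = re.compile(r"^res://.*\\temp\\", re.I)


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the known binary a file name imitates (stem within 2 edits), else None."""
    name = name.lower()
    stem = name.rsplit(".", 1)[0]
    if name in KNOWN or len(stem) < 5:       # exact matches and very short names skip
        return None
    best = min(sorted(KNOWN), key=lambda k: edit_distance(stem, k.rsplit(".", 1)[0]))
    return best if edit_distance(stem, best.rsplit(".", 1)[0]) <= 2 else None


def triage(log):
    """Return (rule, evidence) pairs for the suspicious lines of a log."""
    findings, seen = [], set()

    def check_path(path):
        if path.lower() in seen:             # the process list and O4 entries overlap
            return
        seen.add(path.lower())
        name = path.rsplit("\\", 1)[-1]
        if USER_WRITABLE.search(path):
            findings.append(("user-writable location", path))
        if ODD_CHARS.search(name):
            findings.append(("non-printable character in name", path))
        known = lookalike_of(name)
        if known:
            findings.append(("lookalike of " + known, path))

    for raw in log.splitlines():
        line = raw.strip()
        o4, r = O4_RE.match(line), R_RE.match(line)
        if PROCESS_RE.match(line):           # a 'Running processes:' entry
            check_path(line)
        elif o4:                             # an O4 autostart entry
            check_path(o4.group("path"))
        elif r:                              # an R0/R1 Internet Explorer setting
            url = r.group("url").strip()
            if IP_HOST.match(url):
                findings.append(("IE setting points at a raw IP", line))
            elif RES_TEMP.match(url):
                findings.append(("IE setting loads a DLL from Temp", line))
    return findings


# Constructed sample in HijackThis's format (not the log posted above).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0 (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\ex?lorer.exe
C:\Documents and Settings\User\Application Data\qzxr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://198.51.100.7/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\User\LOCALS~1\Temp\sb.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [loader] C:\DOCUME~1\User\LOCALS~1\Temp\wdrop.exe
"""

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(rule + ": " + evidence)
```

    The lookalike rule compares file-name stems, not full names, so an extra or swapped letter in front of a familiar name is caught while a different extension alone is not; the allow-list is deliberately short, because the point is to catch imitations of the names everyone recognises, and legitimate third-party programs are left for the human reading the log.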
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    OK, let's clean up your temp files manually.

    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.



    Now let's see if we can get your System Restore working for you.

    Right-click My Computer.
    Click on Manage.
    Click on Services and Applications.
    Click on Services.
    Go down the list till you see System Restore.
    Either click on Start or select Automatic.

    Reboot, right click on My Computer, select Properties and see if the System Restore tab is available.
  • edited March 2005
    System Restore was already on, yet no tab.

    Still double icons.
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    OK, System Restore issue first.

    Click Start -> Run and type REGEDIT and click OK.

    Navigate to:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
    In the right-pane, delete the value "DisableConfig" if it exists.
    In the right-pane, delete the value "DisableSR" if it exists.


    Reboot, check to see if the System Restore tab exists.
  • edited March 2005
    Hello,
    there is no file in Windows NT named System Restore,
    only Terminal.

    Oh yeah,
    today all of a sudden my desktop came back, all the old icons and no double icons either.
    I guess it worked the second time I ran deskfix.reg and freeclean.v2.
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    Good to hear on the desktop issue.


    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.
    If a "DisableSR" value doesn't exist, go to the Edit menu, select New, DWORD value, and create the value.
    Set the value to 1 to disable System Restore or 0 to enable System Restore.
    The "DisableSR" value is set to 0.
  • edited March 2005
    Windows NT contains only a Terminal Services folder.
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    Are you reading the location correctly? It's different than the first one. Look in the right side and you should see a list of values.
  • edited March 2005
    OK, sorry.
    The "DisableSR" value already existed and was already set to zero :confused:
  • Buckeye_Sam, Columbus, Ohio
    edited March 2005
    Well, at least we can flush you out from this setting. Set that value to 1. Reboot. Then go back and set it to 0 again. Reboot once again for the setting to take place.

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.


    Let me know of any complications.
  • edited March 2005
    When I click System Restore, I get this warning:

    rstrui.exe - Unable to locate component
    "This application has failed to start because SRRSTR.dll was not found. Re-installing the application may fix this problem."
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited March 2005
    I think we should apply WinXP SP2 next, to kind of fix any weird system level problems you might be having.

    Go to windowsupdate.microsoft.com and install the critical updates. You will probably have to do this two or three times. The first update will be Service Pack 2. It's a large download (80 MB approximately) and might take a while.

    Do that and see if it takes care of the problem.
  • edited March 2005
    I can't download like 3 updates.
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited March 2005
    Can you install Service Pack 2? That's the most important one. If you can't download it through WindowsUpdate, try this:

    http://www.short-media.com/download.php?d=300
  • edited March 2005
    Still no good...
    I can download it but it won't install.

    It says:

    Windows XP Service Pack 2 cannot install

    The product key used to install Microsoft Windows may not be valid. For more information about why you have received this error message, and steps you can take to resolve this issue visit www.howtotell.com
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited March 2005
    You have a pirated copy of Windows XP, which is unsupportable. Not much we can do to help you there. You'll have to buy a legitimate copy.