Options
HSA Log File Help
here is the log file 
Logfile of HijackThis v1.99.1
Scan saved at 4:36:24 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\SYSTEM32\WINS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\netnw32.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntmx32.exe
C:\WINDOWS\System32\rnvlaa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\You\Desktop\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {9DE1545A-6CDE-C52E-C2EE-15ABB18D6F1A} - C:\WINDOWS\system32\iegi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntmx32.exe] C:\WINDOWS\system32\ntmx32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnvlaa.exe
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprot32.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\RunServices: [Windows Debugger] windbg.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Windows USB controler] winusb.exe
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/toolbar2/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{762497DC-2430-49A1-8AF3-77CB9AC54C9A}: NameServer = 206.72.209.27 206.72.209.56
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: systemie - {0A58DEAE-BFC9-4A7F-85F4-6C3F8AE732F3} - sysie.dll (file missing)
O21 - SSODL: systemp - {13C16E5A-A482-4B3D-8442-18E53BDEDA42} - systemp.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cnfjgckb.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client (nwclntf) - Unknown owner - C:\WINDOWS\SYSTEM\winlogon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\WINS\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\netnw32.exe
please tell me what to delete
Logfile of HijackThis v1.99.1
Scan saved at 4:36:24 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\SYSTEM32\WINS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\netnw32.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntmx32.exe
C:\WINDOWS\System32\rnvlaa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\You\Desktop\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {9DE1545A-6CDE-C52E-C2EE-15ABB18D6F1A} - C:\WINDOWS\system32\iegi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntmx32.exe] C:\WINDOWS\system32\ntmx32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnvlaa.exe
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprot32.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\RunServices: [Windows Debugger] windbg.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Windows USB controler] winusb.exe
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/toolbar2/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{762497DC-2430-49A1-8AF3-77CB9AC54C9A}: NameServer = 206.72.209.27 206.72.209.56
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: systemie - {0A58DEAE-BFC9-4A7F-85F4-6C3F8AE732F3} - sysie.dll (file missing)
O21 - SSODL: systemp - {13C16E5A-A482-4B3D-8442-18E53BDEDA42} - systemp.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cnfjgckb.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client (nwclntf) - Unknown owner - C:\WINDOWS\SYSTEM\winlogon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\WINS\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\netnw32.exe
please tell me what to delete
0
Comments
Please make sure that HijackThis.exe is in its own folder, as explained here. I can see from your log file that yours is installed on your desktop, which is not a good place for it, read the explanantion why inthe link I just gave you.
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
PULL THE POWER PLUG ON YOUR COMPUTER. Do not use the Start menu or the front power switch to shut your computer down. This step is called a HARD BOOT, and prevents files from renaming themselves during a soft boot.
Wait a few seconds, and plug the power cord back in. When it starts up, boot into Safe Mode.
Make sure that all Internet Explorer or any other browser windows or internet applications are closed. Do not have any other unnecessary programs running.
Run Hijack This. FIX THE FOLLOWING (place a checkmark beside the entries, and then press the Fix Checked button) :
**************
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {9DE1545A-6CDE-C52E-C2EE-15ABB18D6F1A} - C:\WINDOWS\system32\iegi32.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [ntmx32.exe] C:\WINDOWS\system32\ntmx32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnvlaa.exe
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprot32.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\RunServices: [Windows Debugger] windbg.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunServices: [Windows USB controler] winusb.exe
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
l
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clicks
pring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/toolbar2/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{762497DC-2430-49A1-8AF3-77CB9AC54C9A}: NameServer = 206.72.209.27 206.72.209.56
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: systemie - {0A58DEAE-BFC9-4A7F-85F4-6C3F8AE732F3} - sysie.dll (file missing)
O21 - SSODL: systemp - {13C16E5A-A482-4B3D-8442-18E53BDEDA42} - systemp.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cnfjgckb.dll
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\WINS\svchost.exe" /service (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\netnw32.exe
**************
Exit HJT.
Stay in Safe mode, manually locate the following files from the entries above, and quarantine them:
**************
C:\WINDOWS\aowmm.dll
fntldr.exe (you will have to do a search for this file, it is probably in your Windows directory or your Windows\System32 directory, if you cannot find it, do a search)
C:\WINDOWS\system32\iegi32.dll
C:\PROGRAM FILES\YOURSI~1\ysb.dll (file missing) (YOURSI~1 = a folder with a longer name but begins with "YOURSI")
C:\WINDOWS\system32\ntmx32.exe
C:\WINDOWS\System32\rnvlaa.exe
32RUNdll.exe (do a search on this one)
sxvhost.exe (do a search on this one)
wrkstn.exe (do a search on this one)
msmacroprot32.exe (do a search on this one)
regscan.exe (do a search on this one)
windbg.exe (do a search on this one)
videosd32.exe (do a search on this one)
winusb.exe (do a search on this one)
32RUNdll.exe (do a search on this one)
sxvhost.exe (do a search on this one)
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll (again, anything with a "~1" is a longer named directory starting with the shown letters.)
C:\WINDOWS\System32\Cnfjgckb.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\netnw32.exe
**************
Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs them.
Then, PULL THE POWER PLUG ON YOUR COMPUTER. Do another hard boot. Boot up normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.
Many of the files in your log are virus related, so you either do not have anti-virus installed, or your antivirus is out of date or disabled. I urge yo to get your anti-virus properly installed or updated. Please review this thread for anti-virus suggestions.
Please post your follow up log, I have a feeling this one will need some more work.
Dexter...