21 replies to this topic

[stickystick]

I admit I don't totally know what I'm doing, but I'm being driven nuts and I managed to get this log created. Any help I could get would be VERY MUCH appreciated. Thank you!!!

Logfile of HijackThis v1.99.1
Scan saved at 10:18:08 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\command.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\d?dplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sder\dees.exe
C:\Program Files\CMMan\CMMan.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {B0412715-3101-90A8-79AB-F422D7275F81} - C:\WINNT\Qpyyqzxo.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\system32\nsu33D.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINNT\system32\irasosbh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: Search - {5CA4A702-3AE2-1E1F-EC8E-59206355E1E5} - C:\WINNT\Qpyyqzxo.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [gchpdll] C:\WINNT\gchpdll.EXE
O4 - HKLM\..\Run: [gchpenc] C:\WINNT\gchpenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lldgss.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [yfasbcq] C:\WINNT\yfasbcq.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [lznwlk] C:\WINNT\system32\igsfyda.exe r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [Cmw] C:\WINNT\system32\d?dplay.exe
O4 - HKCU\..\Run: [ioki] C:\PROGRA~1\COMMON~1\ioki\iokim.exe
O4 - HKCU\..\Run: [ichckupd] C:\WINNT\system32\ichckupd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt rbnd
O4 - HKCU\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094093051312
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O18 - Filter: text/html - {6793D547-38DD-4325-B35A-F1817EDFA567} - C:\Program Files\CMMan\mfhlp.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINNT\system32\iLshlpr.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\command.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nhkqast.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\danksvc.exe (file missing)

[Piatan]

Thanks for sending your information. We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.

If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic.
Please use the Post Reply feature, so I will be notified.

Please advise the nature of the problem.

Please do not edit your Hijack This log in any way. We need to see the entire logfile, with no revisions.

[stickystick]

Thanks - I would sure take any help you have to offer... Here's the updated log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:09 AM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\d?dplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {B0412715-3101-90A8-79AB-F422D7275F81} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DD3C141E-8BDA-AE7D-DAA5-A428E05163C0} - C:\WINNT\system32\yjbwexg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [gchpdll] C:\WINNT\gchpdll.EXE
O4 - HKLM\..\Run: [gchpenc] C:\WINNT\gchpenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lldgss.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [yfasbcq] C:\WINNT\yfasbcq.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [lznwlk] C:\WINNT\system32\igsfyda.exe r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Cmw] C:\WINNT\system32\d?dplay.exe
O4 - HKCU\..\Run: [ioki] C:\PROGRA~1\COMMON~1\ioki\iokim.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094093051312
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINNT\system32\iLshlpr.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\danksvc.exe (file missing)

[Piatan]

Hi stickystick: For the past two days I've been trying to post a fix to you. However, the fix will not post. It isn't that I cant post here, because obviously I can. It's just that specific fix will not post. I'll check with the sites Admins and get back to you, concerning this problem.

Edited by Piatan, 18 December 2005 - 11:45 AM.

[Jacee]

Hi stickystick,

Piatan is having a problem posting his reply to you and I did too when I copied and pasted it in this topic

=====================================================================

Let's see if this will work:

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar like: "C:\windows\system32\cmd.exe" or
C:\windows\system32\autoexec.nt the system file is not suitable for running MS-DOS and Microsoft Windows Applications. Choose close to terminate the application.." then please use Option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

Edited by Jacee, 18 December 2005 - 09:05 PM.

[stickystick]

OK - I ran the program and didn't seem to get any errors. Here's the log: L2MFIX find log 121605 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxsrvc.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls] "Asynchronous"=dword:00000000 "DllName"="C:\\WINNT\\system32\\iLshlpr.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{D4DFA9B9-3545-B46D-0F98-89296B41EF58}"="" "SV1"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}"="" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension" "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\InprocServer32] @="C:\\WINNT\\system32\\iLshlpr.dll" "ThreadingModel"="Apartment" ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ bho.dll Sat Oct 8 2005 7:21:50a A.... 172,032 168.00 K browseui.dll Wed Nov 23 2005 7:06:34p A.... 1,022,464 998.50 K cdfview.dll Thu Oct 20 2005 9:39:26p A.... 151,040 147.50 K danim.dll Fri Nov 4 2005 9:16:24p A.... 1,054,208 1.00 M dxtrans.dll Thu Oct 20 2005 9:39:28p A.... 205,312 200.50 K esent.dll Thu Oct 20 2005 4:20:04p A.... 1,082,368 1.03 M extmgr.dll Thu Oct 20 2005 9:39:28p ..... 55,808 54.50 K gdi32.dll Wed Oct 5 2005 9:09:36p A.... 280,064 273.50 K iepeers.dll Thu Oct 20 2005 9:39:28p A.... 251,392 245.50 K inseng.dll Thu Oct 20 2005 9:39:28p A.... 96,256 94.00 K jfwwu.dll Wed Sep 21 2005 6:12:58p A.... 98,816 96.50 K mshtml.dll Wed Nov 23 2005 7:06:34p A.... 3,015,680 2.88 M mshtmled.dll Thu Oct 20 2005 9:39:30p A.... 448,512 438.00 K msrating.dll Thu Oct 20 2005 9:39:30p A.... 146,432 143.00 K mstime.dll Thu Oct 20 2005 9:39:30p A.... 530,944 518.50 K pdrpdb.dll Mon Oct 3 2005 5:50:16p A.... 417,792 408.00 K pngfilt.dll Thu Oct 20 2005 9:39:30p A.... 39,424 38.50 K shdocvw.dll Wed Nov 30 2005 9:59:30p A.... 1,492,480 1.42 M shell32.dll Thu Sep 22 2005 9:05:30p A.... 8,450,560 8.06 M shlwapi.dll Thu Oct 20 2005 9:39:30p A.... 473,600 462.50 K spmsg.dll Wed Oct 12 2005 5:12:26p ..... 14,048 13.72 K sporder.dll Thu Oct 6 2005 7:49:16p A.... 8,464 8.27 K urlmon.dll Fri Nov 4 2005 9:16:28p A.... 609,280 595.00 K wininet.dll Thu Oct 20 2005 9:39:30p A.... 658,432 643.00 K yjbwexg.dll Mon Nov 28 2005 8:25:08a A.... 135,168 132.00 K 25 items found: 25 files, 0 directories. Total of file sizes: 20,910,576 bytes 19.94 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is 4453-C01F Directory of C:\WINNT\System32 11/28/2005 08:25 AM 401,408 d?dplay.exe 10/19/2005 05:36 PM <DIR> dllcache 09/08/2005 07:46 AM 401,408 w?auboot.exe 05/16/2003 10:37 AM <DIR> Microsoft 2 File(s) 802,816 bytes 2 Dir(s) 27,091,795,968 bytes free

[Piatan]

Hi stickystick:

Your Hijack This log changed considerably since your first post. I would suggest the following.

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html

First, be sure to update CWShredder.
Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.
Then, please reboot.

Next:
Download Ewido Security Suite.
Update the Program, but do not run it yet.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful")
• Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
• If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
• When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

To post, please use the Post Reply feature, so I will be notified.

[stickystick]

OK - I performed the scans; here's the Ewido log file: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 12:06:51 PM, 12/26/2005 + Report-Checksum: AD7415FE + Scan result: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} -> Spyware.BetterInternet : Cleaned with backup HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup [436] C:\WINNT\system32\dνdplay.exe -> Adware.PurityScan : Cleaned with backup :mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup :mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup :mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup :mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup :mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup :mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup :mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup :mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup :mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.166:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup :mozilla.167:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup :mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup :mozilla.181:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup :mozilla.182:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup :mozilla.183:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.192:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup :mozilla.193:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup :mozilla.194:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup :mozilla.195:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup :mozilla.196:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup :mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.205:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.227:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup :mozilla.228:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.229:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.230:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.231:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.232:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup :mozilla.235:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.236:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.237:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.239:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup :mozilla.260:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.261:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.262:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.266:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.267:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.268:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.269:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.270:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup :mozilla.277:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup :mozilla.278:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup :mozilla.279:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup :mozilla.291:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup :mozilla.292:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup :mozilla.293:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup :mozilla.298:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup :mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup :mozilla.300:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup :mozilla.301:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup :mozilla.321:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup :mozilla.322:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup :mozilla.336:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup :mozilla.337:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup :mozilla.349:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lebnu7tq.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\111419.exe -> Dropper.Agent.abb : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\cxtpls_loader.exe -> Spyware.AproposMedia : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0232 -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr154C -> Trojan.Pakes : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr2993 -> Trojan.Pakes : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr859C -> Trojan.Pakes : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr89AC -> Spyware.AproposMedia : Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\thin-116-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup C:\Program Files\asys\stb.exe -> Downloader.Agent.tf : Cleaned with backup C:\Program Files\asys\VFX8.0-1.exe -> Dropper.Agent.ym : Cleaned with backup C:\Program Files\MBKWBar\IEToolBar.dll -> Spyware.MBKWBar : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP103\A0007582.exe -> Spyware.SafeSurfing : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP103\A0007583.dll -> Spyware.SafeSurfing : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP103\A0007625.dll -> Spyware.BookedSpace : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP103\A0007626.dll -> Spyware.Hijacker.Generic : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP103\A0007627.exe -> Trojan.Imiserv.c : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP109\A0007678.exe -> Spyware.MediaTickets : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP110\A0007698.exe -> Spyware.AdSquash : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP54\A0006122.exe -> Adware.BetterInternet : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP54\A0006132.exe -> Adware.BetterInternet : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP54\A0006236.exe -> Trojan.Stervis.k : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP74\A0006991.dll -> Spyware.CASClient : Cleaned with backup C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP74\A0007009.DLL -> Spyware.SafeSurfing : Cleaned with backup C:\WINNT\bdmkl1001.exe -> Adware.Saha : Cleaned with backup C:\WINNT\icont.exe -> Spyware.AdURL : Cleaned with backup C:\WINNT\remtm3.exe -> Adware.BetterInternet : Cleaned with backup C:\WINNT\rlvknlg.exe -> Spyware.RK : Cleaned with backup C:\WINNT\system32\dνdplay.exe -> Adware.PurityScan : Cleaned with backup C:\WINNT\system32\jfwwu.dll -> Spyware.Adstart : Cleaned with backup C:\WINNT\system32\jfwwud.exe -> Spyware.Adstart : Cleaned with backup C:\WINNT\system32\jfwwuf.exe -> Spyware.Adstart : Cleaned with backup C:\WINNT\system32\nsz8.dll -> Spyware.HotSearchBar : Cleaned with backup C:\WINNT\system32\oins.exe -> Spyware.MediaTickets : Cleaned with backup C:\WINNT\system32\rk.bin -> Spyware.RK : Cleaned with backup C:\WINNT\system32\trafficsector_b2search.exe -> Dropper.Agent.abb : Cleaned with backup C:\WINNT\Temp\cmdinst.exe -> Adware.MDH : Cleaned with backup C:\WINNT\zyssmdut.exe -> Spyware.BookedSpace : Cleaned with backup ::Report End

[Piatan]

Hi stickystick:

Looks like Ewido cleaned up some real nasty pieces of Malware.

Please run Hijack This again. Scan and copy the logfile and post it here.

Please use the Post Reply feature to post, so I will be notified.

[stickystick]

Here's the HijackTHis log (thanks for the quick reply!):

Logfile of HijackThis v1.99.1
Scan saved at 3:53:20 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {B0412715-3101-90A8-79AB-F422D7275F81} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC3C1416-8BAB-A80A-DAAB-D228E55463B2} - C:\WINNT\system32\yjbwexg.dll
O2 - BHO: (no name) - {DD3C141E-8BDA-AE7D-DAA5-A428E05163C0} - C:\WINNT\system32\yjbwexg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [gchpdll] C:\WINNT\gchpdll.EXE
O4 - HKLM\..\Run: [gchpenc] C:\WINNT\gchpenc.EXE
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [yfasbcq] C:\WINNT\yfasbcq.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [ioki] C:\PROGRA~1\COMMON~1\ioki\iokim.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094093051312
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINNT\system32\iLshlpr.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\danksvc.exe (file missing)

[Piatan]

Looks like I omitted a step. Lets see if I can get it right this time.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

[stickystick]

OK- Here's that log file: L2mfix Beta 121605 Creating Account. The command completed successfully. Adding Administrative privleges. The command completed successfully. Checking for L2MFix account(0=no 1=yes): 1 Granting SeDebugPrivilege to L2MFIX ... successful Running From: C:\WINNT\system32 Killing Processes! Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 752 'smss.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 824 'winlogon.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1484 'explorer.exe' Killing PID 1484 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Error, Cannot find a process with an image name of rundll32.exe Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332 Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332 Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332 Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332 Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332 Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Restoring Windows Update Certificates.: The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxsrvc.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls] "Asynchronous"=dword:00000000 "DllName"="C:\\WINNT\\system32\\iLshlpr.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}\InprocServer32] @="C:\\WINNT\\system32\\iLshlpr.dll" "ThreadingModel"="Apartment" REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}"=- [-HKEY_CLASSES_ROOT\CLSID\{B6EACDBF-C710-475E-80D4-0BAFE77AE7EA}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Checking for L2MFix account(0=no 1=yes): 0 zip warning: name not matched: dlls\*.* zip error: Nothing to do! (backup.zip) adding: backregs/B6EACDBF-C710-475E-80D4-0BAFE77AE7EA.reg (188 bytes security) (deflated 70%) adding: backregs/notibac.reg (140 bytes security) (deflated 87%)

[Piatan]

Sorry, I need to see a fresh Hijack This log, after L2M fix Option #2 was ran.

[stickystick]

Sorry - I pasted the wrong one...

Logfile of HijackThis v1.99.1
Scan saved at 3:53:20 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {B0412715-3101-90A8-79AB-F422D7275F81} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC3C1416-8BAB-A80A-DAAB-D228E55463B2} - C:\WINNT\system32\yjbwexg.dll
O2 - BHO: (no name) - {DD3C141E-8BDA-AE7D-DAA5-A428E05163C0} - C:\WINNT\system32\yjbwexg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [gchpdll] C:\WINNT\gchpdll.EXE
O4 - HKLM\..\Run: [gchpenc] C:\WINNT\gchpenc.EXE
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [yfasbcq] C:\WINNT\yfasbcq.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [ioki] C:\PROGRA~1\COMMON~1\ioki\iokim.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094093051312
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Nls - C:\WINNT\system32\iLshlpr.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\danksvc.exe (file missing)

[Piatan]

Hi stickystick:

That's okay, I made a mistake once.

Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html

First, be sure to update CWShredder.
Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.
Then, please reboot.

Next:
Microsoft Anti-Spyware (Beta)

Please go here to download and follow all instructions.
http://www.microsoft...&displaylang=en

Next:
Please download, install, update and scan your system with the free version of Ewido trojan scanner:[list=1]
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates


Access Task Manager, using ctl/alt/delete. Look for the following and END PROCESS on them.
Clickspring, or Click Spring, or any variant.
sder\dees
ioki\iokim.exe

Next:
Go to control panel-->Add/Remove Programs and look for the following.
Clickspring, or Click Spring, or any variant.
sder\dees
ioki\iokim.exe

And Uninstall/Remove them.

Please set your system to show
all files; please see here if you're unsure how to do this.

Close all Windows leaving only HijackThis running.
Place a check against each of the following.:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {B0412715-3101-90A8-79AB-F422D7275F81} - (no file)
O2 - BHO: (no name) - {DC3C1416-8BAB-A80A-DAAB-D228E55463B2} - C:\WINNT\system32\yjbwexg.dll
O2 - BHO: (no name) - {DD3C141E-8BDA-AE7D-DAA5-A428E05163C0} - C:\WINNT\system32\yjbwexg.dll
O4 - HKLM\..\Run: [gchpdll] C:\WINNT\gchpdll.EXE
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [yfasbcq] C:\WINNT\yfasbcq.EXE
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [ioki] C:\PROGRA~1\COMMON~1\ioki\iokim.exe
O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt ndrv
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: Nls - C:\WINNT\system32\iLshlpr.dll (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\danksvc.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders shown DARK and delete them:

C:\WINNT\system32\yjbwexg.dll
C:\WINNT\gchpdll.EXE
C:\WINNT\dinst.exe
C:\WINNT\yfasbcq.EXE
C:\WINNT\system32\irasyncd.exe
C:\PROGRA~1\COMMON~1\ioki\iokim.exe
C:\Program Files\sder\dees.exe

Exit Explorer, and then, please reboot.
If you were unable to find, or delete any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Reboot , enable hidden files and post a fresh Hijack This log in this topic, along with the Ewido report.

Please use the Post Reply feature to reply, so I will be notified.

Note: Please do not change anything in the new log, as we need to see the entire log, without revisions.