17 replies to this topic

[LadyKareese]

Hi!

I'm literally at my wit's end! I've had my homepage hijacked by about:blank, and now my email is being taken over. I receive email, but when I try to reply, it's blank when someone gets it.

I let them know that I have contacted the dreaded "V" word, so hopefully they'll not open anything else 'from me', until I let 'em know it's really me.

This is the HJT log that I've compiled. I'd be grateful for any help. Thank you!

Also, any help on any of this that I truly do not need... please let me know that as well!

Thanks so much!

Kareese

Logfile of HijackThis v1.99.1
Scan saved at 12:23:39 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\apicz32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\apisy32.exe
C:\DOCUME~1\Hedy\LOCALS~1\Temp\5C.tmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLServiceHost.exe
C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Hedy\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
O2 - BHO: Class - {0FF735ED-18CB-AF19-21F7-AC40587668DD} - C:\WINDOWS\system32\addea32.dll
O2 - BHO: Class - {47DF8044-1CA2-DA8C-1BA7-43B6E86C994F} - C:\WINDOWS\apino32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg7b1c.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: (no name) - {6023B100-0AB9-5565-EE99-5F3084A188C4} - C:\WINDOWS\system32\vqpr.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6A770916-35E5-FF9E-E4EC-F0D453A172D3} - C:\WINDOWS\winyw.dll
O2 - BHO: Class - {738FA69A-9124-0593-394D-30F1BB7CC130} - C:\WINDOWS\iegs32.dll
O2 - BHO: Class - {77B56A9B-5F2E-3199-3215-D7E8E0F1C765} - C:\WINDOWS\netmv32.dll
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg7b1c.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [apisy32.exe] C:\WINDOWS\apisy32.exe
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [5B.tmp.exe] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp.exe] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg7b1c.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra 'Tools' menuitem: Popup Blocker Options - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay10...ex/HMAtchmt.ocx
O19 - User stylesheet: (file missing)
O19 - User stylesheet: (file missing) (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apicz32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

[Siggyx]

Not Nice. This will take a few steps. Please disable Spysubtract or it could block the fix.

The Fix:

Step#1:Getting Ready

(the reason Wordpad was chosen is that Notepad is sometimes deleted by this variant)


Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.


Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip

(or copy all of the instructions for the specific OS from http://www.xtra.co.n...1916458,00.html to the post)



Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet



Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwareby...AboutBuster.zip

2. Once it is downloaded extract it to c:\aboutbuster.





Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key



Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet

• Download and install Ewido security suite
• Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
• When it prompts you to update, click the OK button.
• download the updates and when they are finished installing, close the window
• Please Do Not Use It Yet

Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet

• Please download the following zip file to your desktop:
  HSfix
• Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
• Do Not Use It Yet

Please disconnect from the Internet




Step#7:Disable The Bad Service ** Very Important!!**

• Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  
• Click on start > control panel > administrative programs > services. Look for a service called Network Security Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step#8:Stop The Running Processes


Press control-alt-delete to get into the task manager and end the following processes if they exist:

apicz32.exe
apisy32.exe

Step#9:Use HijackThis to Delete About Blank Bad Files

I now need you to delete the following files:

C:\WINDOWS\system32\ytvzd.dll
C:\WINDOWS\system32\addea32.dll
C:\WINDOWS\apino32.dll
C:\WINDOWS\System32\sfg7b1c.dll
C:\WINDOWS\system32\vqpr.dll
C:\WINDOWS\winyw.dll
C:\WINDOWS\iegs32.dll
C:\WINDOWS\netmv32.dll
C:\WINDOWS\apisy32.exe
C:\WINDOWS\system32\apicz32.exe


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.



Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ytvzd.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing


O2 - BHO: Class - {0FF735ED-18CB-AF19-21F7-AC40587668DD} - C:\WINDOWS\system32\addea32.dll
O2 - BHO: Class - {47DF8044-1CA2-DA8C-1BA7-43B6E86C994F} - C:\WINDOWS\apino32.dll
O2 - BHO: (no name) - {6023B100-0AB9-5565-EE99-5F3084A188C4} - C:\WINDOWS\system32\vqpr.dll
O2 - BHO: Class - {6A770916-35E5-FF9E-E4EC-F0D453A172D3} - C:\WINDOWS\winyw.dll
O2 - BHO: Class - {738FA69A-9124-0593-394D-30F1BB7CC130} - C:\WINDOWS\iegs32.dll
O2 - BHO: Class - {77B56A9B-5F2E-3199-3215-D7E8E0F1C765} - C:\WINDOWS\netmv32.dll

O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [apisy32.exe] C:\WINDOWS\apisy32.exe
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [5B.tmp.exe] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp.exe] C:\DOCUME~1\Hedy\LOCALS~1\Temp\5C.tmp.exe
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe

O19 - User stylesheet: (file missing)
O19 - User stylesheet: (file missing) (HKLM)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll- Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apicz32.exe




click "fix checked"




Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File> Export and and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)



Step#12: Use the HSfix.reg file

• Navigate to the HSfix folder on your Desktop
• Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
• if you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it

Step#13:Fixing With CWShredder

• CLOSE ALL WINDOWS except CWShredder
  
• Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step#14:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.

• Navigate to the c:\aboutbuster directory
• double-click on aboutbuster.exe
• When the tool opens press the OK button, then Start button, then the OK button
• then finally the Yes button. It will start scanning your computer for files.
• If it asks if you would like to do a second pass, allow it to do so.
• Post the log file in your next reply

Step#15:Scan With Ewido Security Suite

• Launch Ewido again
  
• Click on Scanner>Complete System Scan.
  
• Let the program scan your PC.
  
• When the scan asks to clean files click OK.
  
• When scan is completed, click Save report. to your desktop.
  
• Post the report in your next reply.

Reboot your computer back to normal mode and

Reconnect To The Internet



Step#16:Scan and Post a New HJT log with other logs

• Scan again with HijackThis.
  
• Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
  
• There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!

[LadyKareese]

Okay, First off, thank you so much for taking the time to help me! You have no idea what that means to me.. I started off, thinking I could do it right the first time, right off the bat.. until I got to this part: Click on start > control panel > administrative programs > services. Look for a service called Network Security Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below. Well, when I go into my safe mode and go to start > control panel > I come up with administrative tools --- but nothing like administrative programs.. Needless to say I cannot find The service "network security Service' .. I did a search on it, I looked around for it.. I'm just missing it entirely.. Please help! That's really the only question I have on the whole process.. Thank you so much for any help! Kareese

[LadyKareese]

May have found it.. AT least I found something that disables the service. Going to try it! Thanks again!

[Siggyx]

Sorry administrative tools is correct.

[LadyKareese]

I've done as instructed, Hopefully to a "T"

Allow me to post my questions first and then I'll post the three logs you requested.

1.) I notice there are some registry items from past programs that I thought I deleted completely from my computer in HJT that I no longer use. Obviously, there are remnants left on my computer. Will it hurt to go ahead and delete those?

2.) There is a 'Search Assistant' in my admin. programs that when I click to remove it, it goes to a website and wants me to 'install' more files to uninstall the files that are there.. How do I get rid of it off of my computer?


*******************************************************************************************

HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:33 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Hedy\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {EA0086F9-E449-013E-3ED2-DAA0AA488484} - C:\WINDOWS\system32\appyz.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay10...ex/HMAtchmt.ocx
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

****************************************************************************


About This Report:

**** Run Keys ****

RUN: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
RUN: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
RUN: [BCMSMMSG] BCMSMMSG.exe
RUN: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
RUN: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
RUN: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
RUN: [SHPC32] shpc32.exe
RUN: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
RUN: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
RUN: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
RUN: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
RUN: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
RUN: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RUN: [HostManager] C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
RUN: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
RUN: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
RUN: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"
RUN: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
RUN: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
RUN: [Sonic RecordNow!]
RUN: [nsdriver] C:\WINDOWS\System32\nssys32.exe
RUN: []
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
RUN: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
RUN: [WebCamRT.exe]
RUN: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
RUN: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
RUN: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe


**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
BHO: [SpywareBlock Class] C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
BHO: [UberButton Class] C:\Program Files\Yahoo!\Common\yiesrvc.dll
BHO: [DriveLetterAccess] C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
BHO: [YahooTaggedBM Class] C:\Program Files\Yahoo!\Common\YIeTagBm.dll
BHO: [Class] C:\WINDOWS\system32\appyz.dll


**** IE Toolbars ****

TOOLBAR: [MSN Toolbar] C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll
TOOLBAR: [Yahoo! Toolbar] C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll


**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINDOWS\system32\msjava.dll
IEExt: [Yahoo! Services] C:\WINDOWS\system32\msjava.dll
IEExt: [AIM] C:\Program Files\AIM\aim.exe
IEExt: [Real.com] C:\Program Files\AIM\aim.exe
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe


**** Hosts File Entries ****

HOSTS: òP“5DµÄ



**** IE Settings ****

IEProxy: <local>
IEBypass: <local>
Default Search:
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar:
Search Page:


**** IE Context Menu (Right click) ****

IEContext: [&AIM Search] res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IEContext: [&Yahoo! Search] file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
IEContext: [Yahoo! &Dictionary] file:///C:\Program Files\Yahoo!\Common/ycdict.htm
IEContext: [Yahoo! &Maps] file:///C:\Program Files\Yahoo!\Common/ycmap.htm
IEContext: [Yahoo! &SMS] file:///C:\Program Files\Yahoo!\Common/ycsms.htm


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6B4F03C-FD9D-411B-BD9B-7B76D9D23722}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6B4F03C-FD9D-411B-BD9B-7B76D9D23722}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E9D4FF50-89C7-478D-8CA4-43CDC3BF0FC0}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E9D4FF50-89C7-478D-8CA4-43CDC3BF0FC0}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1269FF9C-715E-4561-A9C5-329D8835E0C3}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1269FF9C-715E-4561-A9C5-329D8835E0C3}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{248F43A7-64D3-4DB5-9275-BDF271486FF1}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{248F43A7-64D3-4DB5-9275-BDF271486FF1}] DATAGRAM 4


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [http://www.apple.com...x/qtplugin.cab]
{11A02365-2859-4598-A9D5-4FDE99D67723} [http://www.pqprintce...tquick1611.cab] C:\WINDOWS\Downloaded Program Files\printquickaxver6.dll
{17492023-C23A-453E-A040-C7C580BBF700} [http://go.microsoft....04&clcid=0x409] C:\WINDOWS\system32\LegitCheckControl.DLL
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.syma...in/AvSniff.cab] C:\WINDOWS\Downloaded Program Files\avsniff.dll C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll C:\WINDOWS\Downloaded Program Files\ecmldr32.dll
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [C:\Program Files\Yahoo!\Common\yinsthelper.dll]
{33564D57-0000-0010-8000-00AA00389B71} [http://download.micr...22/wmv9VCM.CAB]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [http://download.mcaf...3/mcinsctl.cab]
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} [http://by14fd.bay14....s/MsnPUpld.cab]
{5721FA68-5ABD-40A8-81F1-4136691194BF} [https://www.play.net...ivex/AXSAL.ocx]
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.syma.../bin/cabsa.cab]
{64D01C7F-810D-446E-A07E-16C764235644} [http://zone.msn.com/.../atomaders.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/...ndows-i586.cab]
{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} [http://static.zangoc...bridge-c18.cab]
{90C9629E-CD32-11D3-BBFB-00105A1F0D68} [http://www.installen...ine/isetup.cab]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupd...977.4749189815]
{AE1C01E3-0283-11D3-9B3F-00C04F8EF466} [http://fdl.msn.com/z.../heartbeat.cab]
{B8BE5E93-A60C-4D26-A2DC-220313175592} [http://zone.msn.com/...o.cab34246.cab]
{B9191F79-5613-4C76-AA2A-398534BB8999} [http://us.dl1.yimg.c...tocomplete.cab]
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} [http://java.sun.com/...ndows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.ma...sh/swflash.cab]
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} [http://zone.msn.com/...utLauncher.cab]
{D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} [http://zone.msn.com/...ault/shapo.cab]
{DAF5D9A2-D982-4671-83E4-0398706A5F6A} [http://zone.msn.com/...ebLauncher.cab]
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [http://zone.msn.com/...ploader_v6.cab]
{F04A8AE2-A59D-11D2-8792-00C04F8EF29D} [http://by106fd.bay10...x/HMAtchmt.ocx]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AOL ACS] C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dlbu_device] C:\WINDOWS\system32\dlbucoms.exe -service
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[IDriverT] "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPodService] C:\Program Files\iPod\bin\iPodService.exe
[KodakCCS] %SystemRoot%\system32\drivers\KodakCCS.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LexBceS] C:\WINDOWS\system32\LEXBCES.EXE
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSCSPTISRV] "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe"
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\system32\nvsvc32.exe
[PACSPTISVR] "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe"
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[SPTISRV] "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe"
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[SSScsiSV] C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[w32time] %SystemRoot%\system32\svchost.exe -k netsvcs
[WANMiniportService] "C:\WINDOWS\wanmpsvc.exe"
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[winvnc] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant]
SEARCH: [CustomizeSearch]
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomSearch] http://us.rd.yahoo.c...rch/search.html


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Save Directory] C:\Documents and Settings\Hedy\Desktop\
IEOPT: [Use FormSuggest] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [FormSuggest PW Ask] no
IEOPT: [FormSuggest Passwords] yes
IEOPT: [Enable Browser Extensions] yes
IEOPT: [Check_Associations] yes
IEOPT: [Use Custom Search URL]
IEOPT: [Use Search Asst] no
IEOPT: [Search Bar]
IEOPT: [Start Page] about:blank
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [HistoryViewType]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] no
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Check_Associations] yes
IEOPT: [Use Search Asst] no
IEOPT: [Start Page] about:blank
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [CustomizeSearch] yes
IEOPT: [IEWatsonEnabled]
IEOPT: [Search Bar]
IEOPT: [Default_Search_Url]
IEOPT: [Search Page]
IEOPT: [Display Inline Images] yes

********************************************************************************

Ewido Report:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:46:40 PM, 1/11/2006
+ Report-Checksum: 112E6458

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0B538AE6-8676-E13B-4CEC-E6A75F19F1EF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76A-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{22E7067A-283F-CF1C-4373-210A97C38BDB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4FCD2C21-6232-FD0F-36AA-4EFFC9284B2A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{795714A8-C9C0-E8BD-30DB-A0DA3B603993} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{B1169ABC-E367-2937-9F96-3B9CB54E0F31} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D775F18B-70E6-FBB1-C13D-52CE71E899B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E004800A-73C6-4587-B855-98D0CE0C16B1} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FBD21FB3-D80F-1A9B-2038-2D60684CDEE0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{12EE7A5E-0674-42F9-A76C-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer\CLSID -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindowsUpdate -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindowsUpdate\Active -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PGate -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-386913322-3401771753-4279854651-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12EE7A5E-0674-42F9-A76A-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKU\S-1-5-21-386913322-3401771753-4279854651-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12EE7A5E-0674-42F9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKU\S-1-5-21-386913322-3401771753-4279854651-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-386913322-3401771753-4279854651-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-386913322-3401771753-4279854651-1007\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\Data\Data\incredifind.exe -> Downloader.Keenval.e : Cleaned with backup
C:\Documents and Settings\Administrator\My Documents\Data\incredifind.exe -> Downloader.Keenval.e : Cleaned with backup
C:\Documents and Settings\Boys\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-226a33f5.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@data3.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@e-2dj6wjk4wmdjgkq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@e-2dj6wjkoglczmcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@e-2dj6wjmiwmajofp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Boys\Cookies\boys@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@-1shz2prbmdj6wvny-1sez2pra2dj6wjliqncjalqa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@gator[2].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@hg1.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@phg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4cicpskogqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoeiczckqa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkogld5igqqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyagazsdoqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkygpczsdpaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliggazilqawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyagdzekqqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnywkcpwgpqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Cookies\boys@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\Instant-Access.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\toolbar.cab/IExploreSkins.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\toolbar.cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~427936.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~517069.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~578951.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~665655.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~670657.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~681112.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~681361.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~682694.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~682732.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~685602.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~689226.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~689397.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~709362.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~720080.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~722142.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~763371.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~812988.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~841674.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temp\~920096.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temporary Internet Files\Content.IE5\8IJTCDEO\pic[1].wmf -> Not-A-Virus.Exploit.Win32.IMG-WMF : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temporary Internet Files\Content.IE5\F78RJKUV\pic[1].wmf -> Not-A-Virus.Exploit.Win32.IMG-WMF : Cleaned with backup
C:\Documents and Settings\Boys\Local Settings\Temporary Internet Files\Content.IE5\IA2LDEXG\start[1].exe -> Downloader.Small.cdd : Cleaned with backup
C:\Documents and Settings\Boys\My Documents\Data\Data\incredifind.exe -> Downloader.Keenval.e : Cleaned with backup
C:\Documents and Settings\Default User\My Documents\Data\Data\incredifind.exe -> Downloader.Keenval.e : Cleaned with backup
C:\Documents and Settings\Default User\My Documents\Data\incredifind.exe -> Downloader.Keenval.e : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Hedy\Application Data\Mozilla\Firefox\Profiles\50kohokk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Hedy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-462d0f57.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\Hedy\Local Settings\Temp\B.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Hedy\Local Settings\Temp\C.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Hedy\Local Settings\Temp\D.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Hedy\Local Settings\Temp\E.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Hedy\Local Settings\Temp\F.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Jon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-2aecba02.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\apcopkhd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\bddbhnnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\ebhmeehd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\ejifolmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\ennbhehd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\ffbiolmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\gefgaomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\geieppmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\iapljjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\kjggjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\nmlkdggc.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\obgpejnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\odkbpkhd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temp\ombfjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\29ON212L\pic[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\87MD0XS3\start[1].exe -> Downloader.Small.cdd : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\WJK1AEEG\WinFixerScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.f : Cleaned with backup
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\WTG5QZOH\pic[1].wmf -> Not-A-Virus.Exploit.Win32.IMG-WMF : Cleaned with backup
C:\Documents and Settings\Jon\Start Menu\Programs\Power Scan -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\Jon\Start Menu\Programs\Power Scan\Power Scan.lnk -> Spyware.PowerScan : Cleaned with backup
C:\fdj.exe -> Trojan.LowZones.df : Cleaned with backup
C:\Program Files\Internet Explorer\lkkdsxxt.exe -> Downloader.WinShow.z : Cleaned with backup
C:\Program Files\Internet Explorer\vcwvyche.exe -> Downloader.WinShow.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP384\A0140232.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP384\A0140235.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP384\A0140245.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP384\A0140282.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP385\A0141330.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP385\A0141337.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP385\A0141375.exe -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP386\A0141378.exe -> S

[Siggyx]

WE can deal with your other items once we get the worst infection off.

You are doing a great job so far

Please post the about:buster log.

Then

Step#1:Restore Deleted System Files

Now we need to see if we need to restore some deleted files:Please check for the following files using the Windows Search Engine:

• control.exe
• rundll32.exe
• wmplayer.exe
• msconfig.exe
• notepad.exe
• shell.dll
• SDHelper.dll

If any are missing or not working properly then you can download new copies from
Merijn's Files and following the instructions at that site to have them where they belong for your OS.

• If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32
  
• Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  
• This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .
  
• The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not Please check for the existence of this file by going to to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
  
• If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

Step#2:Download CCleaner

• Download Ccleaner to clean temp files from your computer.
• Double click on Ccleaner to install the program, with its default settings, selecting language and agreeing to the license agreement.
• Double click the CCleaner shortcut on the desktop to start the program.
• Click Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".
  
  
  
  Step#3:Complete An Online AntiVirus Scan
  
  Run an online antivirus scan at:
  
  Trend Micro-Housecall Online AV
  
  Reboot
  
  
  
  Step#4:Find the Infected Files On Your Hard Drive
  [list]
• Navigate to C:\Windows
• look for files that were created at the approximate time and date as the infection occurred.
• look for those that end in exe, DAT and DLL and if found, right click on the file and check properties. Legitimate files should be copyrighted by Microsoft
• if you determine they are bad files, right click on them and choose delete
  
• Navigate to C:\Windows\System or C:\Windows\System32 (depending on the OS) and repeat each of the above steps to check for those ending in exe, DAT and/or DLL
  
• if the above files will not delete, then make a new folder on your desktop by right clicking on the desktop and choosing New > Folder. Name the folder CWS Files.
• Move the files from C:\Windows or C:\Windows\System or C:\Windows\system32
  to the new folder CWS Files.

Step#5:Using your Windows CD to replace System Files

** In cases where many system files are missing you have no alternative but to have them insert their Windows OS disk and run sfc /scannow from the Run box if able or from Recovery Console if not able to get into windows[/b]



Step#6:Scan And Post a New HijackThis Log

1. Scan again with HijackThis

2. POST your log file using Add Reply to see what is left to fix.

Edited by Siggyx, 11 January 2006 - 09:33 PM.

[LadyKareese]

Hello! I am stuck at Running Trend Micro antivirus program. When I go to the site, it acts as though it's going to start scanning, but either just goes idle or it stops responding all together. Any suggestions, or another program perhaps? Thank you! Kareese

[Siggyx]

Skip it then and move on with the steps and then post a new Hijakcthis log please.

[LadyKareese]

About This Log:


AboutBuster 6.0
Scan started on [1/12/2006] at [4:31:24 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:33:43 PM


AboutBuster 6.0
Scan started on [1/12/2006] at [4:34:15 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:36:56 PM


New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:45 AM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Hedy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {EA0086F9-E449-013E-3ED2-DAA0AA488484} - C:\WINDOWS\system32\appyz.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay10...ex/HMAtchmt.ocx
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

**
As for the files that I redownloaded. I've found all of them on my computer, yet IE is not working. Is this correlated somehow?

Kareese

[Siggyx]

To repair Internet Explorer in Windows XP, complete the following procedure while you are logged on as an administrator: Use the System File Checker tool to scan all of the protected files on your computer: Click Start, and then click Run. In the Open box, type sfc /scannow, and then click OK. Then post a new hijackthis log please.

[LadyKareese]

I'm getting the response that windows cannot find the sfc/scannow file.

[LadyKareese]

after typing it in, a little black box (Dos) came up really quick.

I still get the Error page in IE.



This is the new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\shpc32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124741395\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hedy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {EA0086F9-E449-013E-3ED2-DAA0AA488484} - C:\WINDOWS\system32\appyz.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124741395\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\Hedy\Local Settings\Temporary Internet Files\Content.IE5\OBQ9YJQV\FreePeopleSearchAgent_v1[1].exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay10...ex/HMAtchmt.ocx
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

[Siggyx]

Please do a scan at Panda, it will not remove anything but please post the log it produces.

Panda >>> http://www.pandasoft.../activescan.htm

[LadyKareese]

I cannot do the scan at Panda at this time, because it does not support Firefox. and my IE is still not working. It IS working on my son's and husband's settings, but not mine. I checked their's and put the same thing (checked the same boxes, etc.) and it's still not working. Help!?!