[Please analyze!!] - Computers



Search Tech-Forums - link takes you to our Forum's search page.

Note: The following is only a text archive!

To view the actual forum discussion, please visit our website at http://www.tech-forums.net

Pages:1


Please analyze!!

(Click here to view the original thread with full colors/images)


Posted by: Christie Achor

Help please! I have ran TDS-3, Spybot search and destroy, and SPY Doctor all in Safe Mode and I am still getting pop ups!! Please take a look at my hijack this log and tell me what to do....I am at a complete loss! I get so many pop ups I cannot work!

Thanks In advance!

Logfile of HijackThis v1.99.0
Scan saved at 12:45:20 PM, on 2/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINNT\system32\MsiExec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.436\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]http://searchmiracle.com/sp.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://access01.mmlive.com/msrdp.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0[/url]
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


Posted by: rstones12

Christie,

Welcome to the Tech-Forums
I will be reviewing your HJT log.
Please follow these instructions [b]exactly[/b] step by step.

You have the latest version of VX2. Download L2mfix from one of these
two locations:

[url]http://www.atribune.org/downloads/l2mfix.exe[/url]
[url]http://www.downloads.subratam.org/l2mfix.exe[/url]

Save the file to your desktop and double click [B]l2mfix.exe[/B]. Click the [B]Install[/B] button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click [B]l2mfix.bat[/B] and select option #[B]1[/B] for [B]Run Find Log[/B] by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

[COLOR=red][b]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so![/b][/COLOR]


Posted by: Christie Achor

Thanks rstones12

Here is the result after following your instructions...

L2MFIX find log 1.02b
These are the registry keys present
**************************************************
********************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m2rm0c91ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**************************************************
********************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Internet Settings\User Agent\Post Platform]
"{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}"=""

**************************************************
********************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{0D302F2C-8EA6-11CE-B035-444553540000}"="pcANYWHERECallerShellExt"
"{92A681A0-9f0D-11CE-B035-444553540000}"="pcANYWHERECallerPage"
"{DF44ACC1-972F-11CE-B035-444553540000}"="pcANYWHERERemoteCtrlShellExt"
"{92a681a1-9f0d-11CE-B035-444553540000}"="pcANYWHERERemoteCtrlPage"
"{DF44ACC2-972F-11CE-B035-444553540000}"="pcANYWHEREBeHostExt"
"{92A681A2-9f0D-11CE-B035-444553540000}"="pcANYWHEREBeHostPage"
"{DF44ACC3-972F-11CE-B035-444553540000}"="pcANYWHEREOnlineSvcExt"
"{92A681A3-9f0D-11CE-B035-444553540000}"="pcANYWHEREOnlineSvcPage"
"{DF44ACC4-972F-11CE-B035-444553540000}"="pcANYWHEREGatewayExt"
"{92A681A4-9f0D-11CE-B035-444553540000}"="pcANYWHEREGatewayPage"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{6ec2e0e3-1116-4d47-b0c2-5bdaf4e4c308}"="eFax Messenger Plus - Shell Extension"
"{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}"=""
"{FEC2EBFF-B133-4277-AC72-630CDDED6411}"=""
"{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}"=""
"{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}"=""
"{E12C5BEF-57C9-11D3-81C5-84C708FD407A}"="DiamondCS WormGuard Hook"

**************************************************
********************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}\InprocServer32]
@="C:\\WINNT\\system32\\ansldpc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}\InprocServer32]
@="C:\\WINNT\\system32\\inircl.dll"
"ThreadingModel"="Apartment"

**************************************************
********************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
2ndsrch.dll Thu Dec 23 2004 2:31:04p A.... 69,632 68.00 K
aza007~1.dll Mon Feb 7 2005 8:11:54p ..S.R 223,027 217.80 K
aza603~1.dll Wed Feb 9 2005 11:26:26a ..S.R 223,986 218.73 K
danet.dll Tue Jan 18 2005 5:16:34p ..S.R 223,169 217.94 K
dbdref.dll Sun Jan 30 2005 5:57:54p ..S.R 222,974 217.75 K
docore.dll Mon Jan 24 2005 9:11:40p A.... 151,552 148.00 K
dolsp.dll Sat Jan 15 2005 5:26:28p A.... 139,264 136.00 K
dosync.dll Fri Feb 4 2005 3:38:00a A.... 114,688 112.00 K
flxdrv.dll Tue Jan 18 2005 5:10:42p A.... 224,678 219.41 K
fp4603~1.dll Tue Feb 8 2005 2:18:30p ..S.R 223,670 218.43 K
fp4o03~1.dll Tue Jan 18 2005 9:50:00p ..S.R 224,678 219.41 K
fp6803~1.dll Thu Jan 20 2005 8:31:18p ..S.R 225,991 220.69 K
fp6s03~1.dll Wed Feb 2 2005 5:47:42p ..S.R 223,790 218.54 K
fp8o03~1.dll Fri Jan 21 2005 12:23:36a ..S.R 225,511 220.22 K
g440le~1.dll Mon Feb 7 2005 3:52:46p ..S.R 223,027 217.80 K
g840li~1.dll Mon Jan 24 2005 7:53:14p ..S.R 224,022 218.77 K
h2n00c~1.dll Tue Jan 25 2005 10:00:10a ..S.R 223,026 217.80 K
i8420i~1.dll Wed Feb 16 2005 12:12:00a ..S.R 224,981 219.71 K
inircl.dll Wed Feb 16 2005 12:24:46p ..... 223,027 217.80 K
ir4sl5~1.dll Wed Feb 2 2005 11:59:16a ..S.R 224,772 219.50 K
irrul5~1.dll Thu Jan 27 2005 5:18:22p ..S.R 224,969 219.70 K
jt4o07~1.dll Sun Jan 30 2005 6:03:56p ..S.R 222,974 217.75 K
jt6007~1.dll Tue Jan 25 2005 11:13:50p ..S.R 223,041 217.81 K
jtj007~1.dll Fri Feb 4 2005 4:41:44p ..S.R 223,044 217.82 K
kt20l7~1.dll Thu Feb 3 2005 1:13:52p ..S.R 224,054 218.80 K
l02sla~1.dll Thu Feb 3 2005 10:49:08a ..S.R 224,747 219.48 K
lkrt.dll Tue Feb 15 2005 11:25:00p ..S.R 224,981 219.71 K
lscalui.dll Tue Jan 18 2005 4:11:32p ..S.R 225,819 220.52 K
m2rm0c~1.dll Tue Feb 15 2005 9:38:52p ..S.R 223,027 217.80 K
mvr4l9~1.dll Fri Jan 21 2005 2:11:10a ..S.R 222,957 217.73 K
n4r2le~1.dll Wed Feb 2 2005 2:51:36p ..S.R 224,321 219.06 K
njdskcc.dll Tue Jan 18 2005 5:35:58p ..S.R 223,169 217.94 K
opboio.dll Wed Dec 29 2004 2:13:52p A.... 24,576 24.00 K
pqm.dll Tue Jan 18 2005 9:24:00p A.... 224,678 219.41 K
rdnh.dll Fri Jan 28 2005 12:21:44p ..S.R 223,027 217.80 K
rxsctrs.dll Mon Jan 17 2005 9:18:58p ..S.R 224,678 219.41 K
smprfdll.dll Fri Jan 28 2005 12:03:48p ..S.R 222,974 217.75 K
sp3res.dll Thu Dec 2 2004 6:27:18a ..... 6,272,512 5.98 M
sporder.dll Sun Dec 12 2004 4:33:26p A.... 8,464 8.27 K
stbcsp.dll Tue Jan 18 2005 5:25:08p A.... 224,678 219.41 K
t4r80e~1.dll Wed Feb 9 2005 2:23:02p ..S.R 223,921 218.67 K
t8r80i~1.dll Mon Feb 14 2005 1:02:24a ..S.R 223,925 218.68 K
user32.dll Wed Dec 29 2004 1:14:10a A.... 380,688 371.77 K
wtspdmoe.dll Mon Jan 17 2005 3:33:50p ..S.R 224,678 219.41 K
wyver.dll Thu Dec 23 2004 2:31:56p A.... 99,328 97.00 K
yuoyly.dll Sun Jan 16 2005 1:05:34p A.... 5,632 5.50 K

46 items found: 46 files (32 H/S), 0 directories.
Total of file sizes: 15,330,327 bytes 14.62 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Wed Feb 16 2005 12:25:46p A.... 223,027 217.80 K

1 item found: 1 file, 0 directories.
Total of file sizes: 223,027 bytes 217.80 K
**************************************************
********************************
Directory Listing of system files:
Volume in drive C is Local Disk
Volume Serial Number is 2419-48F5

Directory of C:\WINNT\System32

02/16/2005 12:11a 224,981 i8420ihoe84c0.dll
02/15/2005 11:24p 224,981 lkrt.dll
02/15/2005 09:38p 223,027 m2rm0c91ef.dll
02/14/2005 01:02a 223,925 t8r80i9ue8.dll
02/09/2005 02:23p 223,921 t4r80e9ueh.dll
02/09/2005 11:26a 223,986 aza603hse.dll
02/08/2005 02:18p 223,670 fp4603hse.dll
02/07/2005 08:11p 223,027 aza007jme.dll
02/07/2005 03:52p 223,027 g440lehm1h4a.dll
02/04/2005 04:41p 223,044 jtj0071me.dll
02/03/2005 01:13p 224,054 kt20l7fm1.dll
02/03/2005 10:49a 224,747 l02slaf71d2.dll
02/02/2005 05:47p 223,790 fp6s03j7e.dll
02/02/2005 02:51p 224,321 n4r2le9o1h.dll
02/02/2005 11:59a 224,772 ir4sl5h71.dll
01/30/2005 06:03p 222,974 jt4o07h3e.dll
01/30/2005 05:57p 222,974 dBdref.dll
01/28/2005 12:21p 223,027 rdnh.dll
01/28/2005 12:03p 222,974 smprfdll.dll
01/27/2005 05:18p 224,969 irrul5991.dll
01/25/2005 11:13p 223,041 jt6007jme.dll
01/25/2005 10:00a 223,026 h2n00c5mef.dll
01/24/2005 07:53p 224,022 g840lihm184a.dll
01/21/2005 02:11a 222,957 mvr4l99q1.dll
01/21/2005 12:23a 225,511 fp8o03l3e.dll
01/20/2005 08:31p 225,991 fp6803jue.dll
01/18/2005 09:49p 224,678 fp4o03h3e.dll
01/18/2005 05:35p 223,169 njdskcc.dll
01/18/2005 05:17p 554 TBPS.ini
01/18/2005 05:16p 223,169 danet.dll
01/18/2005 04:11p 225,819 lscalui.dll
01/18/2005 12:13a <DIR> dllcache
01/17/2005 09:18p 224,678 rXsctrs.dll
01/17/2005 03:33p 224,678 wtspdmoe.dll
33 File(s) 7,167,484 bytes
1 Dir(s) 1,992,863,744 bytes free


Posted by: rstones12

Christie Achor,

Thanks, OK lets move on to step 2, like the last post, do [b]exactly[/b] as the direction show.

Close any programs you have open since this step requires a reboot.

From the [B]l2mfix folder[/B] on your desktop, double click [B]l2mfix.bat[/B] and select option #[B]2[/B] for [B]Run Fix[/B] by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

[COLOR=red]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so![/COLOR]

Thanks,
rstones12


Posted by: Christie Achor

HI rstones12,

OK I followed the instructions EXACTLY and here is the log file...

L2Mfix 1.02b

Running From:
C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\christie.BADMIMI\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1184 'explorer.exe'
Killing PID 1184 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1700 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\aza007jme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aza603hse.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\danet.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dBdref.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fLxdrv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp4603hse.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp4o03h3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp6803jue.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp6s03j7e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp8o03l3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\g440lehm1h4a.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\g840lihm184a.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h2n00c5mef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i8420ihoe84c0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ir4sl5h71.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\irrul5991.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jt4o07h3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jt6007jme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jtj0071me.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kt20l7fm1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l02slaf71d2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lkrt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lscalui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lzdis11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvr4l99q1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\n4r2le9o1h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\njdskcc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\PQM.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\rdnh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rXsctrs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\smprfdll.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\stbcsp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\t4r80e9ueh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\t8r80i9ue8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wtspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\aza007jme.dll
Successfully Deleted: C:\WINNT\system32\aza007jme.dll
deleting: C:\WINNT\system32\aza603hse.dll
Successfully Deleted: C:\WINNT\system32\aza603hse.dll
deleting: C:\WINNT\system32\danet.dll
Successfully Deleted: C:\WINNT\system32\danet.dll
deleting: C:\WINNT\system32\dBdref.dll
Successfully Deleted: C:\WINNT\system32\dBdref.dll
deleting: C:\WINNT\system32\fLxdrv.dll
Successfully Deleted: C:\WINNT\system32\fLxdrv.dll
deleting: C:\WINNT\system32\fp4603hse.dll
Successfully Deleted: C:\WINNT\system32\fp4603hse.dll
deleting: C:\WINNT\system32\fp4o03h3e.dll
Successfully Deleted: C:\WINNT\system32\fp4o03h3e.dll
deleting: C:\WINNT\system32\fp6803jue.dll
Successfully Deleted: C:\WINNT\system32\fp6803jue.dll
deleting: C:\WINNT\system32\fp6s03j7e.dll
Successfully Deleted: C:\WINNT\system32\fp6s03j7e.dll
deleting: C:\WINNT\system32\fp8o03l3e.dll
Successfully Deleted: C:\WINNT\system32\fp8o03l3e.dll
deleting: C:\WINNT\system32\g440lehm1h4a.dll
Successfully Deleted: C:\WINNT\system32\g440lehm1h4a.dll
deleting: C:\WINNT\system32\g840lihm184a.dll
Successfully Deleted: C:\WINNT\system32\g840lihm184a.dll
deleting: C:\WINNT\system32\h2n00c5mef.dll
Successfully Deleted: C:\WINNT\system32\h2n00c5mef.dll
deleting: C:\WINNT\system32\i8420ihoe84c0.dll
Successfully Deleted: C:\WINNT\system32\i8420ihoe84c0.dll
deleting: C:\WINNT\system32\ir4sl5h71.dll
Successfully Deleted: C:\WINNT\system32\ir4sl5h71.dll
deleting: C:\WINNT\system32\irrul5991.dll
Successfully Deleted: C:\WINNT\system32\irrul5991.dll
deleting: C:\WINNT\system32\jt4o07h3e.dll
Successfully Deleted: C:\WINNT\system32\jt4o07h3e.dll
deleting: C:\WINNT\system32\jt6007jme.dll
Successfully Deleted: C:\WINNT\system32\jt6007jme.dll
deleting: C:\WINNT\system32\jtj0071me.dll
Successfully Deleted: C:\WINNT\system32\jtj0071me.dll
deleting: C:\WINNT\system32\kt20l7fm1.dll
Successfully Deleted: C:\WINNT\system32\kt20l7fm1.dll
deleting: C:\WINNT\system32\l02slaf71d2.dll
Successfully Deleted: C:\WINNT\system32\l02slaf71d2.dll
deleting: C:\WINNT\system32\lkrt.dll
Successfully Deleted: C:\WINNT\system32\lkrt.dll
deleting: C:\WINNT\system32\lscalui.dll
Successfully Deleted: C:\WINNT\system32\lscalui.dll
deleting: C:\WINNT\system32\lzdis11n.dll
Successfully Deleted: C:\WINNT\system32\lzdis11n.dll
deleting: C:\WINNT\system32\mvr4l99q1.dll
Successfully Deleted: C:\WINNT\system32\mvr4l99q1.dll
deleting: C:\WINNT\system32\n4r2le9o1h.dll
Successfully Deleted: C:\WINNT\system32\n4r2le9o1h.dll
deleting: C:\WINNT\system32\njdskcc.dll
Successfully Deleted: C:\WINNT\system32\njdskcc.dll
deleting: C:\WINNT\system32\PQM.DLL
Successfully Deleted: C:\WINNT\system32\PQM.DLL
deleting: C:\WINNT\system32\rdnh.dll
Successfully Deleted: C:\WINNT\system32\rdnh.dll
deleting: C:\WINNT\system32\rXsctrs.dll
Successfully Deleted: C:\WINNT\system32\rXsctrs.dll
deleting: C:\WINNT\system32\smprfdll.dll
Successfully Deleted: C:\WINNT\system32\smprfdll.dll
deleting: C:\WINNT\system32\stbcsp.dll
Successfully Deleted: C:\WINNT\system32\stbcsp.dll
deleting: C:\WINNT\system32\t4r80e9ueh.dll
Successfully Deleted: C:\WINNT\system32\t4r80e9ueh.dll
deleting: C:\WINNT\system32\t8r80i9ue8.dll
Successfully Deleted: C:\WINNT\system32\t8r80i9ue8.dll
deleting: C:\WINNT\system32\wtspdmoe.dll
Successfully Deleted: C:\WINNT\system32\wtspdmoe.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aza007jme.dll (152 bytes security) (deflated 3%)
adding: aza603hse.dll (152 bytes security) (deflated 4%)
adding: danet.dll (152 bytes security) (deflated 3%)
adding: dBdref.dll (152 bytes security) (deflated 3%)
adding: fLxdrv.dll (152 bytes security) (deflated 4%)
adding: fp4603hse.dll (152 bytes security) (deflated 4%)
adding: fp4o03h3e.dll (152 bytes security) (deflated 4%)
adding: fp6803jue.dll (152 bytes security) (deflated 5%)
adding: fp6s03j7e.dll (152 bytes security) (deflated 4%)
adding: fp8o03l3e.dll (152 bytes security) (deflated 4%)
adding: g440lehm1h4a.dll (152 bytes security) (deflated 3%)
adding: g840lihm184a.dll (152 bytes security) (deflated 4%)
adding: h2n00c5mef.dll (152 bytes security) (deflated 3%)
adding: i8420ihoe84c0.dll (152 bytes security) (deflated 4%)
adding: ir4sl5h71.dll (152 bytes security) (deflated 4%)
adding: irrul5991.dll (152 bytes security) (deflated 4%)
adding: jt4o07h3e.dll (152 bytes security) (deflated 3%)
adding: jt6007jme.dll (152 bytes security) (deflated 3%)
adding: jtj0071me.dll (152 bytes security) (deflated 3%)
adding: kt20l7fm1.dll (152 bytes security) (deflated 4%)
adding: l02slaf71d2.dll (152 bytes security) (deflated 4%)
adding: lkrt.dll (152 bytes security) (deflated 4%)
adding: lscalui.dll (152 bytes security) (deflated 5%)
adding: lzdis11n.dll (152 bytes security) (deflated 3%)
adding: mvr4l99q1.dll (152 bytes security) (deflated 3%)
adding: n4r2le9o1h.dll (152 bytes security) (deflated 4%)
adding: njdskcc.dll (152 bytes security) (deflated 3%)
adding: PQM.DLL (152 bytes security) (deflated 4%)
adding: rdnh.dll (152 bytes security) (deflated 3%)
adding: rXsctrs.dll (152 bytes security) (deflated 4%)
adding: smprfdll.dll (152 bytes security) (deflated 3%)
adding: stbcsp.dll (152 bytes security) (deflated 4%)
adding: t4r80e9ueh.dll (152 bytes security) (deflated 4%)
adding: t8r80i9ue8.dll (152 bytes security) (deflated 4%)
adding: wtspdmoe.dll (152 bytes security) (deflated 4%)
adding: guard.tmp (152 bytes security) (deflated 3%)
adding: clear.reg (152 bytes security) (deflated 52%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: desktop.ini (152 bytes security) (deflated 15%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 85%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 65%)
adding: test.txt (152 bytes security) (deflated 81%)
adding: test2.txt (152 bytes security) (deflated 34%)
adding: test3.txt (152 bytes security) (deflated 34%)
adding: test5.txt (152 bytes security) (deflated 34%)
adding: xfind.txt (152 bytes security) (deflated 75%)
adding: backregs/84ACAEB7-37BB-428D-8382-BF6C455CFBCB.reg (152 bytes security) (deflated 70%)
adding: backregs/B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza007jme.dll
deleting local copy: aza603hse.dll
deleting local copy: danet.dll
deleting local copy: dBdref.dll
deleting local copy: fLxdrv.dll
deleting local copy: fp4603hse.dll
deleting local copy: fp4o03h3e.dll
deleting local copy: fp6803jue.dll
deleting local copy: fp6s03j7e.dll
deleting local copy: fp8o03l3e.dll
deleting local copy: g440lehm1h4a.dll
deleting local copy: g840lihm184a.dll
deleting local copy: h2n00c5mef.dll
deleting local copy: i8420ihoe84c0.dll
deleting local copy: ir4sl5h71.dll
deleting local copy: irrul5991.dll
deleting local copy: jt4o07h3e.dll
deleting local copy: jt6007jme.dll
deleting local copy: jtj0071me.dll
deleting local copy: kt20l7fm1.dll
deleting local copy: l02slaf71d2.dll
deleting local copy: lkrt.dll
deleting local copy: lscalui.dll
deleting local copy: lzdis11n.dll
deleting local copy: mvr4l99q1.dll
deleting local copy: n4r2le9o1h.dll
deleting local copy: njdskcc.dll
deleting local copy: PQM.DLL
deleting local copy: rdnh.dll
deleting local copy: rXsctrs.dll
deleting local copy: smprfdll.dll
deleting local copy: stbcsp.dll
deleting local copy: t4r80e9ueh.dll
deleting local copy: t8r80i9ue8.dll
deleting local copy: wtspdmoe.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
**************************************************
**************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
**************************************************
**************************
C:\WINNT\system32\aza007jme.dll
C:\WINNT\system32\aza603hse.dll
C:\WINNT\system32\danet.dll
C:\WINNT\system32\dBdref.dll
C:\WINNT\system32\fLxdrv.dll
C:\WINNT\system32\fp4603hse.dll
C:\WINNT\system32\fp4o03h3e.dll
C:\WINNT\system32\fp6803jue.dll
C:\WINNT\system32\fp6s03j7e.dll
C:\WINNT\system32\fp8o03l3e.dll
C:\WINNT\system32\g440lehm1h4a.dll
C:\WINNT\system32\g840lihm184a.dll
C:\WINNT\system32\h2n00c5mef.dll
C:\WINNT\system32\i8420ihoe84c0.dll
C:\WINNT\system32\ir4sl5h71.dll
C:\WINNT\system32\irrul5991.dll
C:\WINNT\system32\jt4o07h3e.dll
C:\WINNT\system32\jt6007jme.dll
C:\WINNT\system32\jtj0071me.dll
C:\WINNT\system32\kt20l7fm1.dll
C:\WINNT\system32\l02slaf71d2.dll
C:\WINNT\system32\lkrt.dll
C:\WINNT\system32\lscalui.dll
C:\WINNT\system32\lzdis11n.dll
C:\WINNT\system32\mvr4l99q1.dll
C:\WINNT\system32\n4r2le9o1h.dll
C:\WINNT\system32\njdskcc.dll
C:\WINNT\system32\PQM.DLL
C:\WINNT\system32\rdnh.dll
C:\WINNT\system32\rXsctrs.dll
C:\WINNT\system32\smprfdll.dll
C:\WINNT\system32\stbcsp.dll
C:\WINNT\system32\t4r80e9ueh.dll
C:\WINNT\system32\t8r80i9ue8.dll
C:\WINNT\system32\wtspdmoe.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
**************************************************
**************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Shell Extensions\Approved]
"{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}"=-
"{FEC2EBFF-B133-4277-AC72-630CDDED6411}"=-
"{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}"=-
"{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B434EF22-7E5E-46F9-AD4F-CCC3E7BBBB6E}]
[-HKEY_CLASSES_ROOT\CLSID\{FEC2EBFF-B133-4277-AC72-630CDDED6411}]
[-HKEY_CLASSES_ROOT\CLSID\{9B65C3AB-E41B-41DD-86A5-3B58AB858E8B}]
[-HKEY_CLASSES_ROOT\CLSID\{84ACAEB7-37BB-428D-8382-BF6C455CFBCB}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Internet Settings\User Agent\Post Platform]
"{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}"=-
**************************************************
**************************
Desktop.ini Contents:
**************************************************
**************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{5D7031FC-B9CE-4480-AB2E-8ED18DBD736F}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
**************************************************
**************************



Posted by: rstones12

Christie Achor,

Thanks for the log, I will review the log and then we can move on the next part.

Can you post a new HJT log, I need to use it as a reference.

Thanks,
rstones12


Posted by: Christie Achor

Logfile of HijackThis v1.98.2
Scan saved at 4:21:38 PM, on 2/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\exxynj.exe
C:\WINNT\system32\Beaoyu.exe
C:\WINNT\yzabyagh.exe
C:\winnt\system32\msnavc32.exe
C:\winnt\system32\calc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.565\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]http://searchmiracle.com/sp.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://access01.mmlive.com/msrdp.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0[/url]
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - [url]http://www.alwaysupdatednews.com/install/aun_0010.exe[/url]
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


Posted by: rstones12

Christie,
Thanks but you posted the HJT log with an older version of HijackThis.
The newest version is 1.99.1.

Here are some instructions.
Create a directory on your [b]C:\[/b] drive and rename it [b]C:\HJT[/b].
Then download the newest version of HJT [url=http://www.majorgeeks.com/download3155.html][b][color=blue]HERE[/color][/b][/url]

Unzip the file and extract it into that directory. From now on use that file and directory for running HJT logs. HijackThis creates backups that are needed for recovery reasons.

I will use this log for the meantime and post back the next part of the fix shortly.
Thanks,
rstones12

If you have any questions, please don't hesitate to ask.


Posted by: rstones12

Christie,
Once you have create the permanent directory for HJT please post a new HJT log.
We need to make sure that you have HJT in the right place this is [b]"very important"[/b]. We cant use your current temporary location for where it is now located.

Once you post the new HJT log, I can give you the next part of the fix.
Thanks,
rstones12


Posted by: Christie Achor

HI there!

Sorry I was getting errors and redownloaded HJT. I followed your instructions and redownloaded into new directory on C drive. let me know if I need to do anything else...

Thanks for your help!
Christie


Logfile of HijackThis v1.99.1
Scan saved at 12:06:36 AM, on 2/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\exxynj.exe
C:\WINNT\system32\Beaoyu.exe
C:\WINNT\yzabyagh.exe
C:\winnt\system32\msnavc32.exe
C:\winnt\system32\calc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.233\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]http://searchmiracle.com/sp.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://access01.mmlive.com/msrdp.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0[/url]
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - [url]http://www.alwaysupdatednews.com/install/aun_0010.exe[/url]
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


Posted by: rstones12

Christie,
You are still running HJT from a temporary directory.

Open to your C:\HJT folder and run HJT this from this location.
It is very important that you do this. We will be removing entries within HJT and we need to make sure that there is a backup.

The reason we cant run it from a temp directory is that we will be removing temp files and we dont want to delete the backup.
Thanks.

Here is where you are currently running HJT from.

C:\DOCUME~1\CHRIST~1.BAD\LOCALS~1\Temp\Rar$EX00.233\HijackThis.exe


Posted by: Christie Achor

Geeezzzzz

I feel SO STUPID... Heres new log....
Thanks for having the patience of a saint....

Logfile of HijackThis v1.99.1
Scan saved at 9:03:07 PM, on 2/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\iurivi.exe
C:\WINNT\system32\vmss\vmss.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\mydgr32.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\exxynj.exe
C:\WINNT\system32\Beaoyu.exe
C:\WINNT\yzabyagh.exe
C:\winnt\system32\msnavc32.exe
C:\winnt\system32\calc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msssq400.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]http://searchmiracle.com/sp.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://access01.mmlive.com/msrdp.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0[/url]
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - [url]http://www.alwaysupdatednews.com/install/aun_0010.exe[/url]
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


Posted by: rstones12

Christie,
When you are ready to do this part of the fix, you must do it in sequence. After the LSPFix boot directly into safe mode (instructions below). This is important, [b]please print out these instructions or copy and place them in the notepad and save to the desktop[/b]. You will not be able to view this once in Safe Mode.

I normally suggest after you print this out, check off each task after it is performed. This way you can follow along.

Lets get started.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

[b]Web Rebates
WinTools
Web Offer
SurfSideKick
VBouncer[/b]

Next click here>>> [url=http://cexx.org/lspfix.htm]http://cexx.org/lspfix.htm[/url] to download LSPFix. Extract the program from the zip file and run it, make sure you click the "I know what I'm doing" button. Select [b] dolsp.dll[/b]
using the right-pointing 'arrows' and move all instances of [b] dolsp.dll[/b] it mentions to the Remove (RHS) side but leave everything else (it might already be over there when you open LSPFix). Click the 'Finished' button (if you exit with the X at top right nothing happens).

Reboot to safe mode (tap f8 while bios loads)

Then scan with HJT and put a check beside all of these entries.
Remember to use the [b]C:\HJT[/b] folder when you scan, version 1.99.1, I cant stress this enough.

[b]
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]http://searchmiracle.com/sp.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://search.search-exe.com/nph-se...k=sbar1_srchbtn[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://www.websearch.com/ie.aspx?tb_id=50220[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://search.search-exe.com/nph-se...look=stmpl1&fw=[/url]

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 ieautosearch [b][color=red](All of these listed)[/color][/b]
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r37O33O] mydgr32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteehh32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [exxynj] c:\winnt\system32\exxynj.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Beaoyu.exe
O4 - HKLM\..\Run: [C:\WINNT\yzabyagh.exe] C:\WINNT\yzabyagh.exe
O4 - HKLM\..\Run: [ot8dnz8x] C:\Program Files\ot8dnz8x\ot8dnz8x.exe
O4 - HKLM\..\Run: [bvdpdc] C:\WINNT\system32\bvdpdc.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [a0oERTipT] msssq400.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://access01.mmlive.com/msrdp.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/con....cab?5,0,1730,0[/url]
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - [url]http://www.alwaysupdatednews.com/install/aun_0010.exe[/url]

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
[/b]

Make sure that you have no open windows and with HJT click [b]"Fixed Checked"[/b]

Then while still in safe mode look for and delete these files and folders if present. This is going to be tedious, but we have to remove these.

C:\WINNT\system32\[b]wyverc.exe[/b]
C:\PROGRA~1\[b]VBouncer\VirtualBouncer.exe[/b]
C:\Program Files\[b]se\v11\se.EXE[/b]
C:\WINNT\system32\[b]wsxsvc\wsxsvc.exe[/b]
C:\WINNT\system32\[b]vmss\vmss.exe[/b]
C:\Program Files\[b]AutoUpdate\AutoUpdate.exe[/b]
[b]mydgr32.exe[/b]
C:\winnt\system32\[b]eliteehh32.exe[/b]
C:\WINNT\system32\[b]winupdt.exe[/b]
C:\Program Files\[b]SurfSideKick 2\Ssk.exe[/b]

C:\winnt\system32\[b]exxynj.exe[/b]
C:\WINNT\[b]farmmext.exe[/b]
C:\WINNT\system32\[b]Beaoyu.exe[/b]
C:\WINNT\[b]yzabyagh.exe[/b]
C:\Program Files\[b]ot8dnz8x\ot8dnz8x.exe[/b]
C:\WINNT\system32\[b]bvdpdc.exe[/b]
C:\Program Files\[b]Web_Rebates\WebRebates0.exe"[/b]
C:\PROGRA~1\COMMON~1\[b]WinTools\WToolsA.exe[/b]
C:\PROGRA~1\Toolbar\[b]TBPS.exe[/b]
[b]msssq400.exe[/b]
C:\PROGRA~1\[b]ezula\mmod.exe[/b]
C:\PROGRA~1\[b]Web Offer\wo.exe[/b]
C:\Program Files\[b]SurfSideKick 2\Ssk.exe[/b]
C:\WINNT\system32\[b]prutqct.exe[/b]

After this Scan your Drive(s) with your Anti-Virus Program
Also scan with Ad-Aware SE and Spybot S&D.

Remove any files they find.

Lastly, lets remove your temp files.

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty your recycle bin.

And finally reboot normally and post a new HJT log by using [b]Post a Reply[/b]

Remember to use the [b]C:\HJT[/b] folder. :D

Good Luck


Posted by: Christie Achor

OK here ya go... I followed your instruction to a T. I was NOT able to remove a few files even if I ran in safe mode..??? Also in Temp folder there were a few...

Take a look at the Hijack log file and let me know any additonal steps.

Logfile of HijackThis v1.99.1
Scan saved at 6:25:45 PM, on 2/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\winnt\system32\msnavc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\wincbbk32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Hejgad.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

THANKS!!


Posted by: rstones12

No problem, you log is looking much better.

I will send you a few more fixes we need to clean up in a short while.
Nothing as involved as before.

You are doing a great job so far. :D

rstones12


Posted by: rstones12

Christie,
This is my initial response that I normally give, but since you had a bad infection or a couple of them we are on the way.

Please do the following:
This should clean up some of the remnants left over, we are almost done.

I have outlined some preliminary steps that we need to address. [b]You may want to print out these intructions for reference.[/b] This process will take a few steps so please be patient and follow the provided directions.

[b]1.[/b] First Download [URL=http://cwshredder.net/bin/CWShredder.exe][color=blue]CWShredder[/color][/URL]
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWS and click [b]Check for Updates[/b]
Then click [b]"FIX"[/b]

I suggest doing an online scan just as a secondary check.

[b]2.[/b] Please run this online scan, allow it to delete anything it finds:
You may have to select auto-fix prior to scanning, it should be a selection on the screen.[LIST][URL=http://www.pandasoftware.com/activescan/com/activescan_principal.htm][color=blue]Panda ActiveScan[/color][/URL]
[/LIST]Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

[b]3.[/b] You may have run these programs already, make sure they are up to date and run per provided instructions.
Current Versions are:
[b]Spybot S&D Ver: 1.3[/b] [URL=http://www.safer-networking.org/en/download/index.html][color=blue]Download Here[/color][/URL]
[b]Ad-Aware SE Build 1.05[/b] [URL=http://www.majorgeeks.com/download506.html][color=blue]Download Here[/color][/URL]

Download and install both Spybot S&D and Ad-Aware SE.

Instructions:

[b]Spybot S&D:[/b]
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.

[b]*[/b]Close [b]ALL [/b]windows except Spybot S&D
[b]*[/b]Click the button to [b]"Search for Updates"[/b] and download and install the Updates.
[b]*[/b]Close Spybot then launch it again
[b]*[/b]Click the button [b]"Check for Problems" [/b]
[b]*[/b]When Spybot is done scanning, it will be showing "RED" (RED) entries, "BLACK" entries and "GREEN" (GREEN) entries in the window
[b]*[/b]Put a check mark beside the RED [color=red](RED) entries ONLY.[/color]
[b]*[/b]Choose "Fix Selected Problems" and allow Spybot to fix the RED [color=red](RED)[/color] entries.


[b]Ad-Aware SE FULL SCAN:[/b]
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.

When the main window opens look in the bottom right corner and click on [b]Check For Updates Now[/b] then click Connect and download the latest reference files.

From main window:
[b]*[/b]Click Start then under Select a scan Mode check [b]Perform Full System Scan.[/b]
[b]*[/b]Next [color=red]deselect [/color]Search for negligible risk entries.
[b]*[/b]To scan just click the [b]Next[/b] button.

When the scan has finished [b]mark everything for removal [/b]and get rid of it.
[i](Right-click the window and choose [b]select all[/b] from the drop down menu and click Next)[/i]
The program will ask if you want to fix/delete selected items, choose yes/fix.

Empty Your Recycle Bin.

Reboot your machine and post a new HJT log, by clicking [b]"Post a Reply"[/b]

Thanks,
rstones12


Posted by: southernlady

Closed due to lack of activity. Liz




vBulletin Copyright ©2000 - 2003, Jelsoft Enterprises Limited.


PPC Management
vB Easy Archive Final - Created by Xenon