#1 - Newb Techie (Join Date: May 2005, Posts: 6)
I followed the initial instructions (adaware, spybot, bitdefender and trendmicro scans, etc), and it helped a LOT...but I've still got some stragglers. Was wondering if anyone could help me take this baby out for good! Thanks in advance...you guys are warriors in the fight against what I consider true EVIL!!!

-----------
Adaware scan results (could not be removed):
C:\WINNT\Ceres.dll
C:\WINNT\System32\msxml3.dll
C:\WINNT\System32\msxml3r.dll

---------------
Spybot scan results: 2 unidentified files were unfixable

::::::::SAFE MODE SCANS::::::::
Norton AntiVirus Corporate Edition results: No viruses found
Adaware scan: No files found (30) were unfixable
Spybot scan: Nothing found!

:::::REBOOT::::::::
After restart, still getting two popups...one from searchmiracle.com and another from ads.(something)click.com.

----------
Bitdefender scan results: 19 infected, 16 unfixable
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\cln2F.tmp: infected with Trojan.Downloader.Dyfuca.DX
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\cln2F.tmp: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\installer_MARKETING18.exe: infected with Trojan.Downloader.Adload.A
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\installer_MARKETING18.exe: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\9OFZV54C\protector[1].exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\9OFZV54C\protector[1].exe: disinfection failed
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLYV8XMR\protector_update[1].exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Documents and Settings\chris.GRAPHICS\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLYV8XMR\protector_update[1].exe: disinfection failed
C:\Program Files\FwBarTemp\searchbar.exe: infected with Trojan.Downloader.VB.EU
C:\Program Files\FwBarTemp\searchbar.exe: disinfection failed
C:\Program Files\sdf.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\sdf.exe: disinfection failed
C:\Program Files\Windows Media Player\wmplayer.exe: suspect BehavesLike:Trojan.Downloader
C:\Program Files\Windows Media Player\wmplayer.exe: disinfection failed
C:\WINNT\farmmext.exe: infected with Trojan.Downloader.Stubby.A
C:\WINNT\farmmext.exe: disinfection failed
C:\WINNT\protector.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\WINNT\protector.exe: disinfection failed
C:\WINNT\system32\dist001.exe: infected with Dropped:Trojan.Downloader.VB.EU
C:\WINNT\system32\dist001.exe: disinfection failed
C:\WINNT\system32\exp.exe: infected with Trojan.Downloader.Small.ABD
C:\WINNT\system32\exp.exe: disinfection failed
C:\WINNT\system32\installer_MARKETING18.exe: infected with Dropped:Trojan.Downloader.Small.ABD
C:\WINNT\system32\installer_MARKETING18.exe: disinfection failed
C:\WINNT\system32\TFTP256: infected with Trojan.Pakes.C
C:\WINNT\system32\TFTP256: disinfection failed
C:\WINNT\system32\wintask.exe: infected with Trojan.Downloader.Small.ABD
C:\WINNT\system32\wintask.exe: disinfection failed
C:\WINNT\system32\wrapperouter.exe: infected with Trojan.Dropper.Agent.HL
C:\WINNT\system32\wrapperouter.exe: disinfection failed

--------------
Trend Micro Scan - 3 files found, unfixable...though they deleted just fine:
C:\Program Files\SDF.exe
C:\WINNT\System32\Main.exe
C:\WINNT\Farmmext.exe

---------------
HIJACK THIS LOG!!!!!!!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 9:36:31 AM, on 5/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zzzHPSETUP] G:\Setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitebdw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/020...verContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinst...RadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0...p/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

Thanks again, you guys are the best!
#2 - Ultra Techie (Join Date: Apr 2004, Posts: 617)
If you still need help please post another log.
__________________
AdAware | Spybot S&D 1.4 | spyware guard & spyware blaster | How did I get infected in the first place By Tony Klein
If you use IE I suggest using these two programs: IE Hosts & IE-SPYAD
#3 - Newb Techie (Join Date: May 2005, Posts: 6)
Thanks for the reply! Here is a current log:

Logfile of HijackThis v1.99.1
Scan saved at 8:51:22 AM, on 5/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/020...verContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinst...RadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0...p/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
#4 - I spend to much time here (Join Date: Jan 2005, Location: USA, Posts: 26,883)
Remove these entries at your own risk

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about :blank
This page could possibly be nasty.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
This entry should be fixed by HijackThis!

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
Entries found in this registry zone are potentially nasty. This application ([4E7BD74F-2B8D-469E-C0FF-FD60B590A87D] - Result: 4E7BD74F-2B8D-469E-C0FF-FD60B590A87D) has been checked

O4 - HKLM\..\Run: [lxcqqz] c:\winnt\system32\lxcqqz.exe
Unknown application.

O4 - HKCU\..\Run: [ZovsRTJ6Q] fon40.exe
Unknown application.

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
WORM_SDBOT.FO Must be fixed!
#5 - Newb Techie (Join Date: May 2005, Posts: 6)
Thanks for the help! I deleted what I was able to find, but there were a few that were no longer there. I also deleted a few things I knew I didn't need anymore, like the highstream stuff. I use Norton Antivirus Corporate Edition, and it's been telling me for a few days that I've got a virus called "trojan.dropper" on my computer. It tells the location, but I can't find the file when looking to find it. The quarantine failed, and I can't seem to nab it with any of the scans (I scanned and deleted all day yesterday). Can you point me in the right direction? I did all of the scans and such yesterday, and just now redid a hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:51 AM, on 5/19/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.my.newhorizons.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/020...verContent.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) - http://radioshow.rcsworks.com/rsinst...RadioTuner.Cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10be703329eebb0...p/RdxIE601.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...setup140f1.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
#6 - Newb Techie (Join Date: May 2005, Posts: 6)
Actually, I just found the offending file (at least it's the one my antivirus told me) using powerdesk and deleted it. It seems to be different than previous file names though...like the exe files change periodically.

Edit: Never mind...it's back again. "thin poker installer.exe" seems to be the filename of choice lately...
#9 - I spend to much time here (Join Date: Jan 2005, Location: USA, Posts: 26,883)
Remove entries at your own risk

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Should be fixed if you do not know the application or if no application is mentioned. Should be fixed if you do not know this application.

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll
Entries found in this registry zone are potentially nasty. This application ([9ADE0443-2AB2-4B23-A3F8-AC520773DE12] - Result: ) has been checked.

O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
Unknown application.

O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02...everContent.cab
Check if you know this site and fix it if you do not.

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
Check if you know this site and fix it if you do not.

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...asetup140f1.cab
Check if you know this site and fix it if you do not.
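The two helper replies above (#4 and #9) apply the same handful of review heuristics to a HijackThis log by hand: search settings pointed at about:blank, hooks whose DLL is "(no file)", BHOs with an unfamiliar name loaded from the system directory, Run entries that start a bare filename with no path, and ActiveX (DPF) downloads from sites the user does not recognise. As an added example, not code from this thread or from the HijackThis tool, the Python script below parses lines in the log format posted above and flags the same kinds of entries so a reviewer can start from a short list instead of reading the whole log. The sample lines are a constructed subset modelled on the logs in this thread; the triage rules and the trusted-host list are assumptions of this example, not rules shipped with HijackThis, and a flagged entry still needs the same "identify it before you fix it" judgement the helpers applied.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed sample: a subset of HijackThis 1.99.1 lines modelled on the logs
# posted in this thread (the full logs are far longer).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsj1B.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [oF4i33l] idqagset.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
"""

# Line grammar, derived from the entries visible in the thread's logs.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
REG_RE = re.compile(r"^(?P<key>HK(?:LM|CU)\\[^,]*),(?P<value>[^=]+?) = ?(?P<data>.*)$")
HOOK_RE = re.compile(r"^URLSearchHook: (?P<name>.*?) - [{~]?(?P<clsid>[0-9A-Fa-f-]{36})\}? - (?P<path>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
SYSTEM_DIR_RE = re.compile(r"\\(winnt|windows)\\system32\\", re.IGNORECASE)
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Assumption of this example: hosts the reviewer has already identified as
# legitimate sources of ActiveX controls. Anything else gets listed for review.
TRUSTED_DPF_HOSTS: Set[str] = {"www.bitdefender.com"}


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


def executable_of(cmd: str) -> str:
    """Return the program a Run value starts, handling quoted and unquoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]


def triage(log_text: str, trusted_dpf_hosts: Optional[Set[str]] = None) -> List[Finding]:
    """Flag entries that match the review heuristics used in this thread."""
    trusted = TRUSTED_DPF_HOSTS if trusted_dpf_hosts is None else trusted_dpf_hosts
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            r = REG_RE.match(body)
            if r and r.group("value") in ("Search Bar", "SearchAssistant") \
                    and r.group("data").replace(" ", "") == "about:blank":
                findings.append(Finding(code, "search setting points at about:blank; commonly set by hijackers, fix it if you did not choose it", line))
        elif code == "R3":
            h = HOOK_RE.match(body)
            if h and h.group("path") == "(no file)":
                findings.append(Finding(code, "URLSearchHook whose DLL is missing; orphaned entry, safe to fix", line))
        elif code == "O2":
            b = BHO_RE.match(body)
            if b and SYSTEM_DIR_RE.search(b.group("path")):
                findings.append(Finding(code, "BHO loaded from the system directory instead of a vendor folder; identify it by CLSID before keeping it", line))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = executable_of(r.group("cmd"))
                if "\\" not in exe and "/" not in exe:
                    findings.append(Finding(code, f"Run value [{r.group('name')}] starts the bare filename {exe}, resolved via PATH at logon; locate the file and identify it", line))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlparse(d.group("url")).hostname or ""
                if host not in trusted:
                    findings.append(Finding(code, f"ActiveX control downloaded from {host}; fix it unless you know the site", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run as a script it prints six findings for the sample: the about:blank Search Bar, the hook with no file, the BHO in system32, the two bare-filename Run values and the SurferNETWORK download; the Acrobat BHO, the full-path Run values and the bitdefender.com control pass. The Run rule deliberately flags legitimate bare names too (the thread's mobsync.exe and NWTRAY.EXE would be listed), because a reviewer cannot tell a system binary from a dropped file by name alone; the point of the list is to say where to look on disk, not to decide for you.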