# I have no taskbar or desktop icons (moved from XP)



## beardbuster (Jul 2, 2005)

I have no clue what to do because after startup I do not have my taskbar or any desktop icons, even in safe mode...
What can I do?
THANKS in advance!!!


----------



## norton850 (Mar 9, 2004)

If you have XP you can try doing a system restore. If no change download and run Hijack This and post a log.

Hijack This


----------



## dp2003 (Jun 20, 2003)

Hi Beardbuster.............

You might give this a try for your desktop Icons.

"If all of your desktop icons are missing, right click on the Desktop, select Arrange Icons By, then select Show Desktop Icons." 
Sometimes the little checkmark in the show desktop icon gets clicked off and the result is your icons not showing.

As for your Taskbar completely gone... 
Have you tried dragging your mouse as far down as you can trying to pull it back up?
Sometimes it's so far down it's near impossible to see.

Another solution to the Taskbar involves deleting a key in your registry. And always backup your registry before doing any registry work.
"Close any open desktop and taskbar applications, then open your registry and find the key below.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects]

Delete the entire "StuckRects" key for Windows 98/XP, 
or the one called "StuckRects2" for Windows 2000, and then reboot.

When Windows restarts the taskbar should be set back to a default working state."
Hope this helps!


----------



## beardbuster (Jul 2, 2005)

THANKS...
None of the above works... I have no desktop and right clicking does nothing...
I have no start button or anything to click... Just wide open spaces...
I cannot do a system restore because I cannot get to anything...
HELP!!!


----------



## norton850 (Mar 9, 2004)

Boot up to the options screen (press F8) and try last known good configuration.


----------



## LauraMJ (Mar 18, 2004)

Try pressing the "control/alt/delete" buttons at the same time. This should bring up the task manager where you can run things from the "new task" button.


----------



## hellblazer55 (Jul 27, 2005)

Sounds like your explorer.exe is not functioning. Just use the system utilities disk to fix the problem, if your computer came with one.


----------



## beardbuster (Jul 2, 2005)

> Boot up to the options screen (press F8) and try last known good configuration


This did not work THANKS...

THANKS LauraMJ at least now I can go to work and try to fix things...

I will upload Hijack This and post a log THANKS!!


----------



## beardbuster (Jul 2, 2005)

Here is my log from HiJack
THANKS IN ADVANCE!!!!

Logfile of HijackThis v1.99.1
Scan saved at 6:15:32 PM, on 7/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\System32\sysbho.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FD7D6851-616E-48DE-AF55-EE2E34F389B0} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Search - {BA36AABE-9848-5B1C-60ED-ADB34F28ED96} - C:\WINDOWS\Wudfkmxi.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [anpqdbdkqe] C:\WINDOWS\System32\wrxafooc.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [sc5cdqou] C:\WINDOWS\System32\sc5cdqou.exe
O4 - HKLM\..\Run: [Inbhnz] C:\Program Files\Ieysrb\Cgbklc.exe
O4 - HKLM\..\Run: [Wnptcr] C:\Program Files\Prxa\Ziofnnn.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Pvhvlusj] C:\Program Files\Qntgu\Kejy.exe
O4 - HKLM\..\Run: [pulmfgr] C:\WINDOWS\pulmfgr.exe
O4 - HKLM\..\Run: [AliceSD] wormexe.exe
O4 - HKLM\..\Run: [sysmon12] init32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Jessica\Desktop\m00.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {75BA53D6-545F-4B0A-060D-645110A47776} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {7645D04A-A21E-0E90-79FD-616B26FC9F4B} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)
O21 - SSODL: Britannica Ready Reference - {C4EDCBCF-55B6-163A-EA25-C8C68C2CE661} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\winovmv32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## hellblazer55 (Jul 27, 2005)

O4 - HKLM\..\Run: [AliceSD] wormexe.exe
I'd get rid of that worm, for one.


----------



## beardbuster (Jul 2, 2005)

THANK YOU!!!

I forgot to add that before the above suggestion I now have my desktop and taskbar and can now run Internet Explorer, but I still have some IE issues, one being that a porno website takes over the browser...
To make matters worse this system belongs to my 17 and two 16 year old daughters who live with their mother... I also have other issues to fix eh?


----------



## hellblazer55 (Jul 27, 2005)

Ahh, browser hijacks. A pop-up blocker will help with most of that, and a browser hijack remover and blocker.


----------



## hellblazer55 (Jul 27, 2005)

Go here to get a free pop-up stopper. I use it and it works great: http://www.panicware.com/


----------



## hellblazer55 (Jul 27, 2005)

Here's another one to stop browser hijacks and spyware downloads: http://javacoolsoftware.com/spywareguard.html It's free too :up:


----------



## hellblazer55 (Jul 27, 2005)

Ad-Aware Personal SE should be able to get rid of most of the junk, or you can use Microsoft's AntiSpyware program.


----------



## beardbuster (Jul 2, 2005)

I have run the Microsoft spyware beta, if that is what you mean, and it did not stop the hijack of IE...
I will download the others and see what hap'ns...
I have yahoo pop up blocker installed for them that does not seem to be the problem...
THANKS!!!


----------



## hellblazer55 (Jul 27, 2005)

Some pop-ups are spyware, so they will hijack the browser again if you go on the net. That's why you need to use antispyware programs once in a while, but if you get the blockers there will be fewer problems in the future.


----------



## beardbuster (Jul 2, 2005)

SpywareGuard does not work or when I click the ICON it does not open...


----------



## hellblazer55 (Jul 27, 2005)

I'll find ya another program.


----------



## beardbuster (Jul 2, 2005)

I just re-installed and am running now... THANKS


----------



## hellblazer55 (Jul 27, 2005)

Great to hear


----------



## beardbuster (Jul 2, 2005)

That program does not work I still am getting hijacked to this URL:
http://win-eto.com/hp.htm?id=9


----------



## hellblazer55 (Jul 27, 2005)

That is a trojan dialer, do not accept.


----------



## hellblazer55 (Jul 27, 2005)

If you got Pop-Up Stopper Pro you can block that URL.


----------



## hellblazer55 (Jul 27, 2005)

Or go to Internet Options and try this: select Security, go to Restricted Sites, click on the Sites button and add that URL. That should prevent any chance of infection.


----------



## beardbuster (Jul 2, 2005)

I found this: http://forums.techguy.org/t320182&highlight=win-eto.com.html
That should help. I'll try it in the morning and post here if it helped.
THANKS MAN!!!


----------



## hellblazer55 (Jul 27, 2005)

You can use HijackThis to fix that and my way in combo to fix it, cool.
It's not a problem, I'm here to help.


----------



## beardbuster (Jul 2, 2005)

hellblazer55 said:


> Or go to Internet Options and try this: select Security, go to Restricted Sites, click on the Sites button and add that URL. That should prevent any chance of infection.


I just did the above too  :up:


----------



## Flrman1 (Jul 26, 2002)

Please post a new Hijack This log and let's see what issues still remain to be fixed.


----------



## Flrman1 (Jul 26, 2002)

Before you post the new log, you need to unzip (extract) Hijack This and move it to a permanent folder. It will not function properly when run from the zip folder or the Temp folder.

You need to create a new folder in My Documents and name it Hijack This. Right click on the HijackThis.zip file and choose "Extract all" and extract it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.


----------



## beardbuster (Jul 2, 2005)

THANKS!!
OK... I did as you stated above and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:45 AM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\System32\winldra.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\SolutionCenter\DellSC.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [anpqdbdkqe] C:\WINDOWS\System32\wrxafooc.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [sc5cdqou] C:\WINDOWS\System32\sc5cdqou.exe
O4 - HKLM\..\Run: [Inbhnz] C:\Program Files\Ieysrb\Cgbklc.exe
O4 - HKLM\..\Run: [Wnptcr] C:\Program Files\Prxa\Ziofnnn.exe
O4 - HKLM\..\Run: [Pvhvlusj] C:\Program Files\Qntgu\Kejy.exe
O4 - HKLM\..\Run: [pulmfgr] C:\WINDOWS\pulmfgr.exe
O4 - HKLM\..\Run: [sysmon12] init32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)
O21 - SSODL: Britannica Ready Reference - {C4EDCBCF-55B6-163A-EA25-C8C68C2CE661} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\winovmv32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------
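Reading the two logs above and deciding what "still remains to be fixed", as Flrman1 asks, is mostly pattern matching over a fixed line format. The script below is an added example, not code from the thread or from HijackThis: it applies those patterns to constructed log lines in the same shape as the posted logs and compares a before and an after log. The list of System32-only binaries, the user-writable folder fragments and the wording of the reasons are my assumptions about what merits a second look.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this thread, not code from HijackThis or from any poster.
It applies mechanically the checks the helpers here apply by eye; the output
is a review list for a human, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AliceSD] wormexe.exe
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Jessica\Desktop\m00.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumption: core Windows binaries that, on XP, legitimately live only under System32.
SYSTEM32_ONLY = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
# Assumption: folder fragments any user can write to; nothing should autostart from them.
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\documents and settings\\")
MISSING = re.compile(r"\s*\((?:file missing|no file)\)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str    # HJT section prefix, e.g. "O4"
    reasons: tuple  # why a person should look at this entry
    line: str       # the original log line


def _run_target(rest: str) -> str:
    """Executable named by an O4 entry: the quoted path, else the text up to '.exe'."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", rest, re.IGNORECASE)
    return m.group(1) if m else rest


def _path_reasons(path: str) -> list:
    """Checks shared by O4 autostart targets and O23 service binaries."""
    low = MISSING.sub("", path.strip()).lower()
    if "\\" not in low:
        return ["bare filename: found via the search path, so its real location is unknown"]
    reasons = []
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("autostart from a user-writable folder")
    folder, _, name = low.rpartition("\\")
    if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        reasons.append(f"{name} outside System32: likely a lookalike")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per log entry that deserves a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        low = body.lower()
        reasons = []
        if section in ("R0", "R1") and "start page" in low:
            reasons.append("start page set in the registry: confirm it is one you chose")
        elif section == "O4":  # Run key "[Name] target", or Startup folder "Name.lnk = target" / bare file
            target = re.match(r"[^:]*:\s*(?:\[[^\]]*\]\s*|.*?\.lnk = )?(.*)", body).group(1)
            reasons += _path_reasons(_run_target(target))
        elif section == "O15":
            reasons.append("site added to the IE Trusted Zone: security prompts are relaxed for it")
        elif section == "O17" and (ns := re.search(r"NameServer = ([\d.,]+)", body)):
            reasons.append(f"static DNS servers {ns.group(1)}: verify with the ISP or return to DHCP")
        elif section == "O23":
            if "unknown owner" in low:
                reasons.append("service with no identifiable publisher")
            reasons += _path_reasons(body.rsplit(" - ", 1)[1])
        if MISSING.search(body):
            reasons.append("references a file that no longer exists (orphaned, or removed by AV)")
        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


def still_present(before: str, after: str) -> list:
    """Flagged entries of an earlier log that survive in a later one: what still remains to be fixed."""
    later = {f.line for f in triage(after)}
    return [f for f in triage(before) if f.line in later]
```

The sample deliberately includes one entry, winspooler.exe, that none of these heuristics catch: a made-up name sitting in a legitimate folder still needs a human, a publisher check or a hash lookup.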



## beardbuster (Jul 2, 2005)

I'd like to add that my IE is fried for some reason, because any program that uses it does not work, along with IE itself... errors, errors, errors that keep closing it or sending reports... I downloaded updates and even tried to re-install, but everything closes after I try it.
THANKS!!! You guys rock :up:


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.


Open MS Anti-Spyware and click on Options > Settings. 
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup (recommended)
Enable real-time spyware threat protection (recommended)

Click "Save"
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
You should re-enable these when we are finished here.

* *Click here* to download remv3.zip. 
Save the zip file then unzip the files to their own permanent folder.

* Go *here* to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button. 
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours". 
Click OK
Do not run CCleaner yet. You will run it later in safe mode.

* *Click Here* and download Killbox and save it to your desktop.

* Download DelDomains.inf from *here*.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

* Go to Add/Remove programs and uninstall Viewpoint Manager.

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *svchost.exe*.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [anpqdbdkqe] C:\WINDOWS\System32\wrxafooc.exe

O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe

O4 - HKLM\..\Run: [sc5cdqou] C:\WINDOWS\System32\sc5cdqou.exe

O4 - HKLM\..\Run: [Inbhnz] C:\Program Files\Ieysrb\Cgbklc.exe

O4 - HKLM\..\Run: [Wnptcr] C:\Program Files\Prxa\Ziofnnn.exe

O4 - HKLM\..\Run: [Pvhvlusj] C:\Program Files\Qntgu\Kejy.exe

O4 - HKLM\..\Run: [pulmfgr] C:\WINDOWS\pulmfgr.exe

O4 - HKLM\..\Run: [sysmon12] init32.exe

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe

O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O4 - Global Startup: winlogin.exe

O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)

O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c420.cab

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yah.../ymmapi_416.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)

O21 - SSODL: Britannica Ready Reference - {C4EDCBCF-55B6-163A-EA25-C8C68C2CE661} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\winovmv32.dll (file missing)*

* Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

*moto*

Click OK.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\System32\wrxafooc.exe

C:\WINDOWS\sixtypopsix.exe

C:\WINDOWS\System32\nsvsvc\nsvsvc.exe

C:\WINDOWS\System32\sc5cdqou.exe

C:\Program Files\Ieysrb\Cgbklc.exe

C:\Program Files\Prxa\Ziofnnn.exe

C:\Program Files\Qntgu\Kejy.exe

C:\WINDOWS\pulmfgr.exe

C:\WINDOWS\System32\init32.exe

C:\WINDOWS\System32\winldra.exe

C:\WINDOWS\System32\winspooler.exe

C:\WINDOWS\System32\sysbho.exe

C:\Program Files\PrecisionTime\PrecisionTime.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

C:\WINDOWS\q74421_disk.dll

C:\WINDOWS\svchost.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Delete these folders:

C:\Program Files\*Ieysrb*
C:\Program Files\*Prxa*
C:\Program Files\*Qntgu*
C:\Program Files\*PrecisionTime*
C:\WINDOWS\System32\*nsvsvc*
C:\WINDOWS\System32\*windialup*

* Double click on remv3.bat to run it. Wait till the dos window closes. *!!Don't forget this step!!*

* Start Ccleaner and click *Run Cleaner*

* Right-click DelDomains.inf and choose Install.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

- Double-click the Network Connections icon.

- Right-click the Local Area Connection icon and select Properties.

- Highlight Internet Protocol (TCP/IP) and click the Properties button.

- Be sure "Obtain DNS server address automatically" is selected. OK your way out.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Look on your C:\ and you will find a .txt file with the name: log.txt. 
Post the contents from that log, a new HiJackThis log along with the results from ActiveScan*
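The instructions above target a few entry types that recur in this thread: O4 autostarts for the files on the Killbox list, an O17 static NameServer override (the reason for the "Obtain DNS server address automatically" step), orphaned "(file missing)" references, and O20/O21 load points. As an added example, not code from HijackThis or from anyone in this thread, the Python script below walks log lines in the HijackThis format and flags those entry types, cross-checking O4 autostarts against a removal list. The heuristics, the `Finding` type and the `triage` function are my own; the sample lines are a constructed subset copied from the logs posted here, and the removal list is the Killbox list from this post.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example (not HijackThis code): applies defender-side heuristics to the
O4/O16/O17/O20 lines and cross-checks autostarts against a removal list.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a subset of lines in the format of the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anpqdbdkqe] C:\WINDOWS\System32\wrxafooc.exe
O4 - HKLM\..\Run: [sysmon12] init32.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Files already identified for removal (a subset of the Killbox list above).
CLEANUP_LIST = [
    r"C:\WINDOWS\System32\wrxafooc.exe",
    r"C:\WINDOWS\System32\init32.exe",
    r"C:\WINDOWS\System32\winspooler.exe",
    r"C:\WINDOWS\q74421_disk.dll",
]


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O17"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# O4 autostart lines: "O4 - HKLM\..\Run: [Name] command"
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First executable-looking token of a command, quoted or not, arguments dropped
PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s.*)?$', re.I)
# O17 DNS override: "...: NameServer = a.b.c.d,e.f.g.h"
DNS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)')


def executable_path(cmd: str) -> str:
    """Return the executable part of an autostart command (quotes/args removed)."""
    m = PATH_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def triage(log_text: str, cleanup_paths: Iterable[str] = (),
           expected_dns: Iterable[str] = ()) -> List[Finding]:
    """Walk the O-lines of a HijackThis log and return the suspicious ones."""
    cleanup = {p.lower() for p in cleanup_paths}
    cleanup_names = {p.rsplit('\\', 1)[-1].lower() for p in cleanup_paths}
    expected = set(expected_dns)      # resolvers the machine is supposed to use
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line[0] != 'O':  # header, process list, R0/R1 lines
            continue
        section = line.split(' ', 1)[0]
        if '(file missing)' in line:
            findings.append(Finding(section, 'references a file that no longer exists (orphaned entry)', line))
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m.group('cmd'))
            if '\\' not in path:   # bare name: resolved through the search path at logon
                findings.append(Finding(section, f'bare filename "{path}" resolved through the search path', line))
            if path.lower() in cleanup or path.rsplit('\\', 1)[-1].lower() in cleanup_names:
                findings.append(Finding(section, f'autostart for a file on the removal list: {path}', line))
            continue
        if section == 'O16' and 'file://' in line.lower():
            findings.append(Finding(section, 'ActiveX entry sourced from a local file:// path', line))
        elif section == 'O17':
            m = DNS_RE.match(line)
            if m:
                servers = [s for s in m.group('servers').split(',') if s]
                unexpected = [s for s in servers if s not in expected]
                if unexpected:
                    findings.append(Finding(section, 'static NameServer override to ' + ', '.join(unexpected), line))
        elif section == 'O20' and line.startswith('O20 - AppInit_DLLs:'):
            dlls = line.split(':', 1)[1].strip()
            if dlls:   # any DLL here is loaded into every process that uses user32
                findings.append(Finding(section, f'AppInit_DLLs loads {dlls} into every GUI process', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, CLEANUP_LIST):
        print(f'{f.section}: {f.reason}\n    {f.line}')
```

Pass the resolvers handed out by the router as `expected_dns` to keep a legitimate static DNS configuration out of the report; with the thread's O17 line and no expected resolvers, both addresses are reported as an override.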


----------



## beardbuster (Jul 2, 2005)

I could not do the following step:
Go to Add/Remove programs and uninstall Viewpoint Manager
I even tried to use killbox 

I have stopped and will wait for instructions THANKS


----------



## hellblazer55 (Jul 27, 2005)

Try a third-party uninstaller like Easy Uninstaller; you can get it here: http://www.freeware-guide.com/dir/util/uninst.html


----------



## Flrman1 (Jul 26, 2002)

beardbuster said:


> I could not do the following step:
> Go to Add/Remove programs and uninstall Viewpoint Manager
> I even tried to use killbox
> 
> I have stopped and will wait for instructions THANKS


Do the rest. We'll deal with Viewpoint later.


----------



## beardbuster (Jul 2, 2005)

I was able to delete Viewpoint Manager in safe mode...
I am now stuck because I am at the following:
Now I want you to know I have this system hooked up via a router at my house to be able to use my online services... I cannot do the following step:
* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

- Double-click the Network Connections icon.

- Right-click the Local Area Connection icon and select Properties.

- Highlight Internet Protocol (TCP/IP) and click the Properties button.

- Be sure "Obtain DNS server address automatically" is selected. OK your way out.

I will wait for instructions... THANKS!!


----------



## beardbuster (Jul 2, 2005)

I had to reboot after an electric BURP here at home and then was able to do the above W/O a problem...
I now am going to complete your instructions THANKS!!


----------



## beardbuster (Jul 2, 2005)

*Here is the log.txt*

The batch is run from -- C:\Documents and Settings\Dad

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
----------------------------------------------------------------- 
The Registry Entries Found... 
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
----------------------------------------------------------------- 
Volume in drive C has no label.
Volume Serial Number is 78A0-A808

Directory of C:\WINDOWS\SYSTEM32

msi.dll
Finished


----------



## beardbuster (Jul 2, 2005)

*Here is the new HiJackThis log*

Logfile of HijackThis v1.99.1
Scan saved at 3:18:39 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [anpqdbdkqe] C:\WINDOWS\System32\wrxafooc.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [sc5cdqou] C:\WINDOWS\System32\sc5cdqou.exe
O4 - HKLM\..\Run: [Inbhnz] C:\Program Files\Ieysrb\Cgbklc.exe
O4 - HKLM\..\Run: [Wnptcr] C:\Program Files\Prxa\Ziofnnn.exe
O4 - HKLM\..\Run: [Pvhvlusj] C:\Program Files\Qntgu\Kejy.exe
O4 - HKLM\..\Run: [pulmfgr] C:\WINDOWS\pulmfgr.exe
O4 - HKLM\..\Run: [sysmon12] init32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\System32\winspooler.exe
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\2490\dial.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E75823FD-F319-4A61-8E58-A99987302895}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q74421_disk.dll (file missing)
O21 - SSODL: Britannica Ready Reference - {C4EDCBCF-55B6-163A-EA25-C8C68C2CE661} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\winovmv32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## beardbuster (Jul 2, 2005)

*Here is the ActiveScan and PLEASE note the ones I could not delete with any program or manually*

Incident Status Location

Adware:adware/superspider No disinfected C:\PROGRAM FILES\q330994.exe 
Adware:adware/sbsoft No disinfected C:\WINDOWS\SYSTEM32\dumpsprep.exe 
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1 
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM32\intell32.exe 
Spyware:spyware/istbar No disinfected C:\WINDOWS\SYSTEM32\istinstall_154074.exe 
Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM32\thn.dll 
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll 
Adware:adware/azesearch No disinfected C:\WINDOWS\SYSTEM32\zolk.dll 
Adware:adware/gator No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\PrecisionTime.lnk 
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF 
Spyware:spyware/localnrd No disinfected C:\WINDOWS\INF\addremln.inf 
Adware:adware/startpage.id No disinfected C:\msdos.exe 
Adware:adware/cws.searchmeup No disinfected C:\new.exe 
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini 
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhkw1.bin 
Adware:adware/ncase No disinfected C:\WINDOWS\msbbau.dat 
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\msxct1.ini 
Adware:adware/msxmidi No disinfected C:\WINDOWS\msxmidi.exe 
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini 
Adware:adware/weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe 
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay  
Spyware:spyware/new.net No disinfected C:\PROGRAM FILES\NewDotNet 
Spyware:spyware/wareout No disinfected C:\PROGRAM FILES\WareOut 
Adware:adware/keenvalue No disinfected C:\PROGRAM FILES\COMMON FILES\updater 
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\adcache 
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc 
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages 
Spyware:spyware/altnet No disinfected C:\WINDOWS\TEMP\adware 
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32 
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv 
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAACCX.DLL 
Adware:adware/downloadware No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RECOMMENDED HOTFIX - 421701D 
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ROTUE 
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINTOOLS  
Adware:adware/cws No disinfected HKEY_CURRENT_USER\SOFTWARE\SARS

*************************************** *********************************************
*************************************** I COULD NOT DELETE BELOW HERE *********************************************
*************************************** *********************************************

Adware:adware/ezula No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ATLBRCON.ATLBRCON 
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BROWSERHELPEROBJECT.BAHELPER 
Spyware:spyware/betterinet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DLMAXDLL.DLMAXDLLOBJ 
Adware:adware/ieplugin No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IMITOOLBAR.BOTTOMFRAME 
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\NLS.URLCATCHER.1 
Adware:adware/fastlook No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOOLBAND.TOOLBANDOBJ.1 
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN 
Adware:adware/beginto No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WINB2S.AMO 
Adware:adware/whenusearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WUSE.1 
Adware:adware/exact.cashback No disinfected HKEY_CLASSES_ROOT\ADP.URLCATCHER 
Spyware:spyware/bridge No disinfected HKEY_CLASSES_ROOT\JAO.JAO  
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\WEBCOM.WEBBAR

*************************************** *********************************************
*************************************** I COULD NOT DELETE ABOVE HERE *********************************************
*************************************** *********************************************

Adware:adware/p2pnetworking No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\P2P NETWORKING 
Spyware:spyware/surfsidekick No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3 
Adware:adware/looksmart No disinfected HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971} 
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\215984.tmp 
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\224593.tmp 
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\~635479.tmp 
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Guest\Local Settings\Temp\~728551.tmp 
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL 
Spyware:Spyware/WareOut No disinfected C:\Program Files\WareOut\WareOut.exe 
Spyware:Spyware/WareOut No disinfected C:\Program Files\WareOut\WareOutUpdate.exe 
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf  
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF 
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF 
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf 
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\biH.inf 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\1wud2vco2c4m3x.tlb 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\5opoz6e6stn3n38.bak 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\5r3r9oytckx3y.bak 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\backup.old 
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS 
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\explorer.exe 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\mpk.dll 
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe  
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\w4u17kradpcucd.tlb 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\y7ucldwu8725.tlb 
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\SYSTEM32\zolk.dll 
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\SYSTEM32\zolker005.dll 
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\SYSTEM32\ztoolb005.dll 
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe

I'll wait for your reply then I'll make a new system restore point...

THANKS !!!


----------



## Flrman1 (Jul 26, 2002)

You need to repeat the last set of instructions that I posted because the log is exactly the same. Nothing has changed.


----------



## beardbuster (Jul 2, 2005)

Ok ...
I am on it...
THANKS!!


----------



## beardbuster (Jul 2, 2005)

> Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
> 
> - Double-click the Network Connections icon.
> 
> ...


I cannot do the above in safe mode... I rebooted, then completed the task... I am now running ActiveScan online virus scan

When I re-started the computer after the 1st time through the steps you provided I turned on Norton and a pop-up came up that stated I had a virus infection: Bloodhound.W32.EP Wininet.dll infected

Is there something else I may need to do?
THANKS...


----------



## beardbuster (Jul 2, 2005)

Incident Status Location 

Adware:adware/superspider No disinfected C:\WINDOWS\SYSTEM32\d2kpax.dll 
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat 
Spyware:spyware/istbar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ISTactivex.inf 
Adware:adware/cws.searchmeup No disinfected C:\new.exe 
Adware:adware/ncase No disinfected C:\WINDOWS\msbb_gdf.dat 
Adware:adware/startpage.id No disinfected C:\WINDOWS\nem216.dll 
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini 
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\picsvr 
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages 
Spyware:spyware/altnet No disinfected C:\WINDOWS\TEMP\adware 
Adware:adware/gator No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\gain publishing 
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32 
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv 
Adware:adware/mediatickets No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIATICKETSINSTALLER.OCX 
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PSGUARD SPYWARE REMOVER 
Adware:adware/weirdontheweb No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEIRDONTHEWEB 
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINTOOLS 
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WSEM UPDATE 
Spyware:spyware/bargainbuddy No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ADP.URLCATCHER.1 
Adware:adware/ezula No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ATLBRCON.ATLBRCON 
Adware:adware/keenvalue No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BHO.INCREDIFINDBHO.1  
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BROWSERHELPEROBJECT.BAHELPER 
Adware:adware/dealhelper No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEALHLPR.BAND 
Spyware:spyware/betterinet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DLMAXDLL.DLMAXDLLOBJ 
Adware:adware/downloadware No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HP.HOPPER.1 
Adware:adware/ieplugin No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IMITOOLBAR.BOTTOMFRAME 
Spyware:spyware/adclicker No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IOBJSAFETY.DEMOCTL 
Spyware:spyware/localnrd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LOCALNRDDLL.LOCALNRDDLLOBJ.1 
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MEDIAACCESS.INSTALLER 
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\NLS.URLCATCHER.1 
Adware:adware/fastlook No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOOLBAND.TOOLBANDOBJ.1 
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN 
Adware:adware/beginto No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WINB2S.AMO 
Adware:adware/whenusearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WUSE.1  
Adware:adware/exact.cashback No disinfected HKEY_CLASSES_ROOT\ADP.URLCATCHER 
Spyware:spyware/bridge No disinfected HKEY_CLASSES_ROOT\JAO.JAO 
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\WEBCOM.WEBBAR 
Adware:adware/azesearch No disinfected HKEY_CLASSES_ROOT\ZTOOLBAR.ACTIVATOR 
Adware:adware/myway No disinfected HKEY_CLASSES_ROOT\TYPELIB\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC} 
Adware:adware/p2pnetworking No disinfected HKEY_CLASSES_ROOT\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405} 
Adware:Adware/SuperSpider No disinfected C:\!Submit\1wud2vco2c4m3x.tlb 
Adware:Adware/SuperSpider No disinfected C:\!Submit\215984.tmp 
Adware:Adware/SuperSpider No disinfected C:\!Submit\224593.tmp 
Adware:Adware/SuperSpider No disinfected C:\!Submit\5opoz6e6stn3n38.bak 
Adware:Adware/SuperSpider No disinfected C:\!Submit\5r3r9oytckx3y.bak 
Spyware:Spyware/LocalNRD No disinfected C:\!Submit\addremln.inf 
Adware:Adware/SuperSpider No disinfected C:\!Submit\backup.old 
Adware:Adware/Apropos No disinfected C:\!Submit\explorer.exe 
Spyware:Spyware/Media-motor No disinfected C:\!Submit\m67m.inf 
Adware:Adware/MediaTickets No disinfected C:\!Submit\MediaTicketsInstaller.INF 
Adware:Adware/PurityScan No disinfected C:\!Submit\mpk.dll 
Adware:Adware/MyWay No disinfected C:\!Submit\myBar\1.bin\MYBAR.DLL 
Adware:Adware/P2PNetworking No disinfected C:\!Submit\P2P Networking v124.cpl 
Adware:Adware/PurityScan No disinfected C:\!Submit\Shex.exe 
Adware:Adware/SuperSpider No disinfected C:\!Submit\w4u17kradpcucd.tlb 
Adware:Adware/Weirdontheweb No disinfected C:\!Submit\weirdontheweb_topc.exe 
Adware:Adware/SuperSpider No disinfected C:\!Submit\y7ucldwu8725.tlb 
Adware:Adware/AzeSearch No disinfected C:\!Submit\zolk.dll 
Adware:Adware/AzeSearch No disinfected C:\!Submit\zolker005.dll  
Adware:Adware/AzeSearch No disinfected C:\!Submit\ztoolb005.dll 
Adware:Adware/WinTools No disinfected C:\!Submit\~635479.tmp 
Adware:Adware/WinTools No disinfected C:\!Submit\~728551.tmp 
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF 
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\biH.inf 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\itshta.exe 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\35vdbm4bodux.dll 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\backup.old 
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM32\sysbho.exe


----------



## beardbuster (Jul 2, 2005)

Notice where I typed comments

On the registry keys I could not open them to delete them even after I highlighted them...

Spyware:spyware/altnet No disinfected C:\WINDOWS\TEMP\adware
right click above folder choose properties then click sharing tab then viewed the following:
all the options on this tab are disabled because this folder is used by the operating system

Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINTOOLS
Spyware:spyware/bargainbuddy No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ADP.URLCATCHER.1
Adware:adware/ezula No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ATLBRCON.ATLBRCON
Adware:adware/keenvalue No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BHO.INCREDIFINDBHO.1
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\BROWSERHELPEROBJECT.BAHELPER
Adware:adware/dealhelper No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEALHLPR.BAND
Spyware:spyware/betterinet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DLMAXDLL.DLMAXDLLOBJ
Adware:adware/downloadware No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\HP.HOPPER.1
Adware:adware/ieplugin No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IMITOOLBAR.BOTTOMFRAME
Spyware:spyware/adclicker No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IOBJSAFETY.DEMOCTL
Spyware:spyware/localnrd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LOCALNRDDLL.LOCALNRDDLLOBJ.1
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MEDIAACCESS.INSTALLER
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\NLS.URLCATCHER.1
Adware:adware/fastlook No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOOLBAND.TOOLBANDOBJ.1
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN
Adware:adware/beginto No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WINB2S.AMO
Adware:adware/whenusearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WUSE.1
Adware:adware/exact.cashback No disinfected HKEY_CLASSES_ROOT\ADP.URLCATCHER
Spyware:spyware/bridge No disinfected HKEY_CLASSES_ROOT\JAO.JAO
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\WEBCOM.WEBBAR
Adware:adware/azesearch No disinfected HKEY_CLASSES_ROOT\ZTOOLBAR.ACTIVATOR


----------



## beardbuster (Jul 2, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 7:41:39 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------
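As an added example (not from this thread, and not part of HijackThis itself), the Python script below parses lines in the HijackThis log format shown above and flags the kinds of entries a helper reads first: R0/R1 start or search pages pointing at a host that is not a known default, O4 autoruns launched straight out of the Windows directory or System32 rather than a vendor folder, a populated O20 AppInit_DLLs value, and anything marked "(file missing)". The sample lines are constructed from entries in this thread; the allow-list of "known" start-page hosts is an assumption and deliberately tiny, and a flag means "verify", not "malicious" (tppaldr.exe, for instance, is flagged purely because of where it lives).

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format, modelled on entries posted
# in this thread (a handful of lines, not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Assumption: a tiny allow-list of hosts that ship as factory-default IE start or
# search pages. A real triage would compare against a much larger reference set.
KNOWN_PAGE_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com", "www.dell4me.com"}

WINDOWS_ROOTS = ("c:\\windows\\", "c:\\winnt\\")
PATH_RE = re.compile(r"(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)


def extract_path(value):
    """Return the executable path from an O4 value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = PATH_RE.match(value)
    return m.group(1) if m else value


def in_windows_dir(path):
    """True when the file sits directly in the Windows directory or in System32."""
    p = path.lower()
    if not p.startswith(WINDOWS_ROOTS):
        return False
    rest = p.split("\\", 2)[2]          # everything after 'c:\windows\'
    direct = "\\" not in rest
    system32 = rest.startswith("system32\\") and rest.count("\\") == 1
    return direct or system32


def triage(log_text):
    """Return (section, reason, line) for each entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, _, body = line.partition(" - ")
        if "(file missing)" in body:
            findings.append((section, "entry points at a file that no longer exists", line))
        if section in ("R0", "R1"):
            url = body.rsplit(" = ", 1)[-1]
            host = urlparse(url).hostname or ""
            if host and host not in KNOWN_PAGE_HOSTS:
                findings.append((section, f"start/search page set to unrecognised host {host}", line))
        elif section == "O4":
            m = re.search(r"\[.+?\]\s*(.+)$", body)
            if m and in_windows_dir(extract_path(m.group(1))):
                findings.append((section, "autorun launches a file from the Windows directory; verify its publisher", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append((section, f"AppInit_DLLs injects {dlls} into every process that loads user32.dll", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample this reports six entries: the two win-eto.com pages, the two Windows-directory autoruns, the orphaned O9 button and the AppInit_DLLs value. The point of the AppInit check is that anything listed there is mapped into every GUI process on the box, which is why a single DLL name in that value deserves more attention than a dozen vendor autoruns.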



## beardbuster (Jul 2, 2005)

THANKS !!
I know this takes much of your time...


----------



## Flrman1 (Jul 26, 2002)

* *Click here* to download smitRem.zip. 
Save the file to your desktop. 
Unzip smitRem.zip to extract the files it contains. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## beardbuster (Jul 2, 2005)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:04 PM, 7/30/2005
+ Report-Checksum: C8B42A0D

+ Scan result:

HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Error during cleaning
HKLM\SOFTWARE\Classes\AtlBrCon.AtlBrCon -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\BHO.IncrediFindBHO -> Spyware.KeenValue : Error during cleaning
HKLM\SOFTWARE\Classes\bho.perfectnavbho -> Spyware.KeenValue : Error during cleaning
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Error during cleaning
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\CB.UrlCatcher -> Spyware.NaviSearch : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Dealhlpr.Band -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\DealPop.CDealHelperPopup -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\DealPop.DealPopEvents -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\Dhbrwsr.BrowserWindows -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\DHP.DHEvents -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\Dhsvr.CFileDatabase -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\Dhsvr.DBHelper -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\Dhsvr.Even -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\Dhsvr.WebDealEvents -> Spyware.DealHelper : Error during cleaning
HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj -> Spyware.BetterInternet : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Spyware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\eZulaAgent.IEObject -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaMain.eZulaPopSearchPipe -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM -> Spyware.eZula : Error during cleaning
HKLM\SOFTWARE\Classes\HP.Hopper -> Spyware.NetworkEssentials : Error during cleaning
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\istactivex.installer -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\ISTactivex.Installer.2 -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\Classes\Jao.jao -> Spyware.BlazeFind : Error during cleaning
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Spyware.NaviSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Plugin6.DNSErrObj -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Plugin6.DNSErrObj\CLSID -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Plugin6.DNSErrObj\CurVer -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Error during cleaning
HKLM\SOFTWARE\Classes\SP.SmartPops -> Spyware.NetworkEssentials : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Spyware.CoolWebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\toolbar.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Classes\WebCom.WebBar -> Spyware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\WhenU.EmbedSE -> Spyware.SaveNow : Error during cleaning
HKLM\SOFTWARE\Classes\winb2s.amo -> Spyware.Begin2Search : Error during cleaning
HKLM\SOFTWARE\Classes\winb2s.dbi -> Spyware.Begin2Search : Error during cleaning
HKLM\SOFTWARE\Classes\winb2s.iiittt -> Spyware.Begin2Search : Error during cleaning
HKLM\SOFTWARE\Classes\winb2s.momo -> Spyware.Begin2Search : Error during cleaning
HKLM\SOFTWARE\Classes\winb2s.ohb -> Spyware.Begin2Search : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools -> Spyware.WebSearch : Error during cleaning
:mozilla.16:C:\Documents and Settings\Dad\Application Data\Netscape\NSB\Profiles\lh9idlp4.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Dad\Application Data\Netscape\NSB\Profiles\lh9idlp4.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Dad\Application Data\Netscape\NSB\Profiles\lh9idlp4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Dad\Cookies\[email protected][2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Media Gateway\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0000903.exe -> Trojan.Small.cr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0000904.dll -> TrojanDownloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0002014.exe -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0002358.exe -> TrojanDownloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0002475.dll -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0002476.ocx -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0003556.exe -> Trojan.Small.cr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0003557.dll -> TrojanDownloader.Small.rr : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\SYSTEM\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup

::Report End


----------
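As an added example, not part of the report above or of ewido's own tooling, this Python snippet parses lines in the "target -> family : action" layout the report uses and sorts them the way a helper reads them: registry keys the scanner reported "Error during cleaning" on (grouped by family, since those are what still need hand removal), copies sitting under System Volume Information (System Restore snapshots, inert unless that restore point is reverted to), browser cookies, and files on the live system. The sample lines are constructed from the posted report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ewido report lines, copied in shape from the report
# posted above (a handful of entries, not the whole report).
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Error during cleaning
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Error during cleaning
:mozilla.16:C:\Documents and Settings\Dad\Application Data\Netscape\NSB\Profiles\lh9idlp4.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0000903.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\SYSTEM\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup
"""

LINE_RE = re.compile(r"^(?P<target>.+?) -> (?P<family>\S+) : (?P<action>.+)$")


def classify_target(target):
    """Bucket a detection by where it lives, since that decides what to do next."""
    if target.startswith(("HKLM\\", "HKCU\\")):
        return "registry"
    if target.startswith(":mozilla."):
        return "browser-cookie"
    if "\\System Volume Information\\_restore" in target:
        return "restore-point"
    return "file"


def parse_report(text):
    """Parse 'target -> family : action' lines into dicts; skip anything else."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = classify_target(rec["target"])
            records.append(rec)
    return records


def summarize(records):
    """Split the report into what was handled and what still needs a human."""
    by_action = Counter(r["action"] for r in records)
    manual = defaultdict(list)      # family -> targets the scanner failed to clean
    for r in records:
        if r["action"].startswith("Error"):
            manual[r["family"]].append(r["target"])
    return {
        "by_action": dict(by_action),
        "manual": dict(manual),
        "live_files": [r["target"] for r in records if r["kind"] == "file"],
        "restore_point_copies": [r["target"] for r in records if r["kind"] == "restore-point"],
        "families": sorted({r["family"] for r in records}),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for action, n in summary["by_action"].items():
        print(f"{n:3d}  {action}")
    for family, targets in summary["manual"].items():
        print(f"needs manual removal ({family}):")
        for t in targets:
            print(f"    {t}")
```

The "live_files" bucket is the one to act on first: those are binaries that were present on the running system, whereas the restore-point copies only come back if someone restores to that point (on XP the usual way to purge them is to turn System Restore off and back on after the machine is clean).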



## beardbuster (Jul 2, 2005)

http://housecall60.trendmicro.com - Trend Micro Housecall

Virus Scan: 0 virus cleaned, 25 viruses deleted

Results:
We have detected 25 infected file(s) with 25 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 25 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

| Detected File | Associated Virus Name | Action Taken |
|---|---|---|
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000011.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000025.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0000893.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0001863.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0001874.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0001881.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0001892.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP14\A0001951.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0002000.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0003564.exe | TROJ_SMALL.DD | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0003565.dll | TROJ_DLOADER.OH | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000290.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000442.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000465.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000471.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000479.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000514.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000527.dll | TSPY_ALEMOD.A | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000536.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000629.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000749.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000762.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000768.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0000782.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\WINDOWS\dvpd.dll | BKDR_DUMADOR.AX | Deletion successful |

Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name / Trojan/Worm Type / Action Taken: (no entries)

Spyware Check: 11 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 14 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 2 spyware(s) passed, 0 spyware(s) no action available
- 11 spyware(s) removed, 1 spyware(s) unremovable

| Spyware Name | Spyware Type | Action Taken |
|---|---|---|
| ADW_MIWAY.A | Adware | Removal successful |
| COOKIE_1020 | Cookie | Pass |
| COOKIE_1802 | Cookie | Pass |
| SPYW_PPNETWORK.A | Spyware | Removal successful |
| SPYW_PPNETWORK.B | Spyware | Removal successful |
| SPYW_FPTLBAR.100 | Spyware | Removal successful |
| ADW_BONJING.A | Adware | Removal successful |
| ADW_DEALHELP.A | Adware | Removal successful |
| SPYW_MORWILBAR.A | Spyware | Unremovable |
| ADW_TOPSEARCH.C | Adware | Removal successful |
| SPYW_DYFUCA.L | Spyware | Removal successful |
| SPYW_MEDACCESS.A | Spyware | Removal successful |
| ADW_BLAZE.B | Adware | Removal successful |
| ADW_WINAD.L | Adware | Removal successful |


----------



## beardbuster (Jul 2, 2005)

Microsoft Vulnerability Check: 27 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 27 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

Risk Level / Issue / How to Fix:

Critical (MS03-023): This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation.

Critical (MS03-030): This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL).

Critical (MS03-041): This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the Authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when the system is low on memory.

Critical (MS03-043): This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003.

Highly Critical (MS04-011):
- The LSASS vulnerability is a buffer overrun vulnerability that allows remote code execution.
- The LDAP vulnerability is a denial of service (DoS) vulnerability that causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.
- The PCT vulnerability is a buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, that allows remote code execution.
- The Winlogon vulnerability is a buffer overrun vulnerability in the Windows logon process (winlogon) that allows remote code execution.
- The Metafile vulnerability is a buffer overrun vulnerability that exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
- The Help and Support Center vulnerability allows remote code execution and is due to the way Help and Support Center handles HCP URL validation.
- The Utility Manager vulnerability is a privilege elevation vulnerability that exists due to the way that Utility Manager launches applications.
- The Windows Management vulnerability is a privilege elevation vulnerability that, when successfully exploited, allows a local attacker to take complete control of a system by executing commands at the system privilege level.
- The Local Descriptor Table vulnerability is a privilege elevation vulnerability that, when successfully exploited, allows a local attacker to take complete control of a system by executing commands with system privileges.
- The H.323 vulnerability is a buffer overrun vulnerability that, when successfully exploited, can allow attackers to gain full control of a system by arbitrarily executing commands with system privileges.
- The Virtual DOS Machine vulnerability is a privilege elevation vulnerability that, when successfully exploited, allows a local attacker to gain full control of a system by executing commands with system privileges.
- The Negotiate SSP vulnerability is a buffer overrun vulnerability that exists in Microsoft's Negotiate Security Service Provider (SSP) interface and allows remote code execution.
- The SSL vulnerability exists due to the way SSL packets are handled and can cause the affected systems to stop responding to SSL connection requests.
- The ASN.1 'Double-Free' vulnerability exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library and allows remote code execution at the system privilege level.

Critical (MS04-012):
- The RPC Runtime Library vulnerability is a remote code execution vulnerability that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
- The RPCSS Service denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding.
- The RPC Over HTTP vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled.
- When successfully exploited, the Object Identity vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks.

Critical (MS04-013): The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system.

Critical (MS04-015): This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges.

Moderate (MS04-016): This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games. An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application.

Moderate (MS04-018): A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation.

Critical (MS04-022): This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user.

Critical (MS04-028): This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability. This remote code execution vulnerability could allow a malicious user or malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.

Important (MS04-031): An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDE services are not automatically executed, and so would have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack.

Critical (MS04-032): This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability.

Critical (MS04-034): This is another privately reported vulnerability about Windows Compressed Folders. There is a vulnerability in the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows cannot properly handle the extraction of a ZIP folder with a very long file name. When a specially crafted compressed file is opened, a stack-based overflow occurs, enabling the remote user to execute arbitrary code.

Critical (MS04-037): This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). The Shell vulnerability exists in the way the Windows Shell launches applications and could enable a remote malicious user or malware to execute arbitrary code. The Windows Shell function does not properly check the length of the message before copying it to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility.

Important (MS04-041): This security advisory explains the two discovered vulnerabilities in the Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges.

Critical (MS04-043): A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. If a user is logged on with administrator privileges, an attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution and then persuade a user to open this file. This malicious file may enable the attacker to gain complete control of the affected system. This vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal had been set as the default Telnet client.

Important (MS04-044): This security update addresses and resolves two Windows vulnerabilities, both of which may enable the current user to take control of the affected system. Both of these vulnerabilities require that the current user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system.

Important (MS05-003): This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition.

Important (MS05-004): A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected.

Critical (MS05-011): This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system.

Critical (MS05-014): This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Critical (MS05-020): This security bulletin resolves three newly-discovered, privately-reported vulnerabilities affecting Internet Explorer. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Critical (MS05-025): This security bulletin resolves the following vulnerabilities affecting Internet Explorer:
- The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.
- The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content.

Critical (MS05-027): A remote code execution vulnerability exists in Microsoft's implementation of the Server Message Block (SMB) protocol, which could allow an attacker to execute arbitrary code to take complete control over a target system. This vulnerability could be exploited over the Internet. An attacker would have to transmit a specially crafted SMB packet to a target system to exploit it. However, failure to successfully exploit the vulnerability could only lead to a denial of service.

Critical (MS05-037): A COM object, the JView Profiler (Javaprxy.dll), contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system by hosting a malicious Web site.


----------



## beardbuster (Jul 2, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 8:52:34 AM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\sysbho.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## beardbuster (Jul 2, 2005)

I notice that no matter what deletes them, the following, along with others, keep coming back:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


----------



## Flrman1 (Jul 26, 2002)

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

See if you can find the *sysmain.dll* file. It is probably in the C:\Windows\System32 folder.

Go to the forum *here* and upload the *sysmain.dll* file.

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## beardbuster (Jul 2, 2005)

THANKS...
I followed your instructions and will wait for an answer from that forum...


----------



## Flrman1 (Jul 26, 2002)

You didn't upload the file I asked for. You uploaded a system32.dll file, not *sysmain.dll*, which I asked you to upload. Please find the sysmain.dll file and upload it to the same topic here:

http://www.thespykiller.co.uk/forum/index.php?topic=545.new#new

*Post a link to this thread so everyone will know where it came from.*


----------



## beardbuster (Jul 2, 2005)

It was not there. I am doing a search for it now...
SORRY


----------



## beardbuster (Jul 2, 2005)

My search was completed with the file not found...
I searched the entire hard drive ...
I'll wait for instructions...


----------



## Flrman1 (Jul 26, 2002)

Rescan with Hijack This and post a new log please.


----------



## beardbuster (Jul 2, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 3:22:21 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\sysbho.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Flrman1 (Jul 26, 2002)

* I have attached a batch file inside hiving_154.zip. Download the file and unzip the hiving_154.zip file to extract the hiving.bat file and have it ready to run later in safe mode.

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=0

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c7.cab*

* Doubleclick on the *hiving.bat* file to run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\System32\sysbho.exe

C:\Program Files\Media Gateway\MediaGateway.exe

C:\WINDOWS\System32\sysmain.dll

C:\WINDOWS\System32\system32.dll*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Delete this folder:

C:\Program Files\*Media Gateway*

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu, choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*
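A way to do the triage and "rescan and compare" steps above in code, as an added example (not code from this thread or from the HijackThis project). The sample lines are constructed from entries in the logs posted here; the EXPECTED_IE_HOSTS allowlist and the three flagging rules are assumptions made for illustration, not HijackThis's own logic.

```python
"""Triage and diff HijackThis v1.99.1 logs (added example; assumptions noted)."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis format, modelled on the
# second log posted in this thread (it is not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - AppInit_DLLs: sysmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed "after the fix" sample: the hijack items are gone and one O16 is
# new (that line is taken from the third log in this thread).
SAMPLE_LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Hosts an IE start/search page is expected to point at (assumption for this
# example; a real helper compares against what the user actually set).
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com")

# Every HJT entry line starts with a section tag such as R0, R1, O4, O16, O20.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return (section, body) pairs for the HJT entry lines; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def _host_expected(url, allowed):
    host = (urlparse(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(text):
    """Map each entry line worth reviewing to a one-line reason, in log order."""
    findings = {}
    for section, body in parse_log(text):
        line = f"{section} - {body}"
        if section in ("R0", "R1") and "=" in body:
            # R0/R1 hold IE start page and search URL values; an empty value is normal.
            value = body.split("=", 1)[1].strip()
            if value.startswith("http") and not _host_expected(value, EXPECTED_IE_HOSTS):
                findings[line] = f"IE start/search page points at {urlparse(value).hostname}"
        elif section == "O16" and body.startswith("DPF: {") and "(" not in body:
            # Downloaded ActiveX control listed by GUID only, with no friendly name.
            findings[line] = "unnamed ActiveX download (O16 DPF)"
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                # AppInit_DLLs are loaded into every process that loads user32.dll,
                # so a DLL listed here runs in every logon session; a helper checks
                # it first when removed entries keep coming back.
                findings[line] = f"AppInit_DLLs loads {dlls} into every GUI process"
    return findings


def diff_logs(old_text, new_text):
    """Entry lines removed, added and persisting between two scans of one machine."""
    old = {f"{s} - {b}" for s, b in parse_log(old_text)}
    new = {f"{s} - {b}" for s, b in parse_log(new_text)}
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "persisted": sorted(old & new),
    }


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(f"REVIEW: {why}\n    {line}")
    for kind, lines in diff_logs(SAMPLE_LOG, SAMPLE_LOG_AFTER).items():
        print(f"{kind}: {len(lines)} entries")
```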


----------



## beardbuster (Jul 2, 2005)

Trend Micro Housecall Virus Scan: 0 virus cleaned, 1 virus deleted

Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 1 virus(es) not found, 0 virus(es) unaccessible

| Detected File | Associated Virus Name | Action Taken |
|---|---|---|
| C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0003591.dll | BKDR_DUMADOR.AX | Deletion successful |
| C:\WINDOWS\SYSTEM\Loader.dll | TROJ_DLOADER.OH | File not found before action taken. Threat removed. |




Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

| Trojan/Worm Name | Trojan/Worm Type | Action Taken |
|---|---|---|




Spyware Check: 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 1 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 1 spyware(s) removed, 0 spyware(s) unremovable

| Spyware Name | Spyware Type | Action Taken |
|---|---|---|
| ADW_OBLOADER.A | Adware | Removal successful |




Microsoft Vulnerability Check: 17 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 17 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

| Risk Level | Issue | How to Fix |
|---|---|---|
| Critical | This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. | MS03-023 |
| Critical | This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL). | MS03-030 |
| Critical | This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. | MS03-041 |
| Critical | This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003. | MS03-043 |
| Critical | The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. | MS04-013 |
| Critical | This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. | MS04-015 |
| Moderate | This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games. An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. | MS04-016 |
| Moderate | A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. | MS04-018 |
| Critical | This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. | MS04-022 |
| Critical | This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability. This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. | MS04-028 |
| Important | An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDE services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. | MS04-031 |
| Critical | This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. | MS04-032 |
| Critical | This is another privately reported vulnerability about Windows Compressed Folders. There is a vulnerability in the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows can not properly handle the extraction of the ZIP folder with a very long file name. Opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. | MS04-034 |
| Critical | This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. | MS04-037 |
| Important | This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. | MS05-003 |
| Important | A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. | MS05-004 |
| Critical | This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. | MS05-011 |


----------



## beardbuster (Jul 2, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:08:30 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dad\My Documents\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.6.20/peaks/peaks-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122641802203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122641784265
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## beardbuster (Jul 2, 2005)

Just a little heads up...
I quit using IE and now use Firefox or Netscape...

If you want I can try IE again to see if the virus shows back up, as I am leaning towards it will, because it has every time to date.


----------



## beardbuster (Jul 2, 2005)

hmnmnmn or maybe not  

The above Hijack Log looks pretty good to me  

No matter I just wanted to state how awesome your help has been and the time involved to work with me is far and above very much appreciated...
I'll be going on vacation in 24hrs and wanted to make sure I show my gratitude...

THANKS!!


----------



## Flrman1 (Jul 26, 2002)

Go to Add/Remove programs and uninstall Viewpoint Manager. If it will not uninstall, fix this with Hijack This:

*O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe*

Boot to safe mode and delete the C:\Program Files\*Viewpoint* folder.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
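
A small parser for the HijackThis log format this thread revolves around, as an added example (not code from the thread, from HijackThis or from the helpers): it splits the O4/O9/O16/O23 lines into records, locates the entry a helper quotes (here the Viewpoint Manager Run key singled out above) and flags lines worth a second look, such as targets marked "(file missing)" or shortcuts HijackThis could not resolve. The sample lines are copied from the log posted earlier in the thread; the function names, the `Entry` record and the removal-list mechanism are my own assumptions, and the flags are review hints, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Shdocvw.dll (file missing)
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
"""


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O4", "O23"
    kind: str             # where the entry lives, e.g. "HKLM Run", "Service"
    name: Optional[str]   # value name, .lnk name, service short name or button label
    path: Optional[str]   # executable / DLL / URL the entry points at, when parseable
    raw: str              # the original line, kept for reporting


# Hypothetical patterns for the line shapes seen in the posted log (one per section type).
_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
_BUTTON = re.compile(r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.*?) - \{[^}]*\} - (?P<cmd>.*)$")
_DPF = re.compile(r'^O16 - DPF: (?P<name>.*?) - (?P<url>\S+)$')
_SERVICE = re.compile(r'^O23 - Service: (?P<desc>.*?) \((?P<name>[^)]*)\) - (?P<vendor>.*?) - (?P<cmd>.*)$')
_SECTION = re.compile(r'^(?P<section>[A-Z]\d+) - ')


def _extract_path(cmd: str) -> str:
    """Pull the target file out of a command line: a quoted path, or the text up to
    the first executable-looking extension; anything else (e.g. "?") is returned as-is."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    m = re.match(r'(.*?\.(?:exe|dll|ocx|cpl|scr|lnk))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records; lines outside the handled
    sections are kept with their section code and raw text only."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := _RUN.match(line):
            entries.append(Entry("O4", f"{m['hive']} Run", m['name'], _extract_path(m['cmd']), line))
        elif m := _STARTUP.match(line):
            entries.append(Entry("O4", "Global Startup", m['name'], _extract_path(m['cmd']), line))
        elif m := _BUTTON.match(line):
            entries.append(Entry("O9", m['kind'], m['name'], _extract_path(m['cmd']), line))
        elif m := _DPF.match(line):
            entries.append(Entry("O16", "DPF ActiveX download", m['name'], m['url'], line))
        elif m := _SERVICE.match(line):
            entries.append(Entry("O23", "Service", m['name'], _extract_path(m['cmd']), line))
        else:
            sec = _SECTION.match(line)
            entries.append(Entry(sec['section'] if sec else "?", "unparsed", None, None, line))
    return entries


def find_entries(entries: Sequence[Entry], needle: str) -> List[Entry]:
    """Locate the log line(s) a helper quotes, e.g. find_entries(entries, "ViewMgr")."""
    needle = needle.lower()
    return [e for e in entries if needle in e.raw.lower()]


def flag_entries(entries: Sequence[Entry], unwanted_names: Sequence[str] = ()) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs that deserve a second look: targets that no longer
    exist, shortcuts HijackThis could not resolve, and names on a caller-supplied
    removal list (here the Viewpoint Manager entry the helper singled out)."""
    unwanted = {n.lower() for n in unwanted_names}
    flagged: List[Tuple[Entry, str]] = []
    for e in entries:
        if "(file missing)" in e.raw:
            flagged.append((e, "target file missing"))
        elif e.path == "?":
            flagged.append((e, "unresolved shortcut target"))
        elif e.name and e.name.lower() in unwanted:
            flagged.append((e, "on removal list"))
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for entry in parsed:
        print(f"{entry.section:4} {entry.kind:22} {entry.name!s:30} {entry.path}")
    for entry, reason in flag_entries(parsed, unwanted_names=["ViewMgr"]):
        print(f"FLAG [{reason}]: {entry.raw}")
```

Running it over a full log gives an inventory of autostart locations, browser add-ons and services by type, which is the same view a helper builds by eye before deciding which lines to fix; the removal list stays under the reader's control rather than being guessed from the log.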


----------



## beardbuster (Jul 2, 2005)

When I open IE it has my home page loaded except the page is blank... When I hit reload then it loads correctly...
I also show as not having admin functions when I try to upload upgrades for IE or any program that must use IE like Windows Media & Real Player.
I looked in control panel under users and have only one user (kids) and no guest allowed...


----------



## Flrman1 (Jul 26, 2002)

When does this happen? What do you mean by "when I try to upload upgrades"?


----------



## beardbuster (Jul 2, 2005)

When I am in IE I go to Tools, then Windows Update... When I try to update Windows Media Player and Real Player... When I try any of these uploads/upgrades it tells me I am not set up as admin on this machine, please log in as admin and try again...


----------



## Flrman1 (Jul 26, 2002)

Are you sure the "Kids" account is an admin account? Is this XP Home or Pro?


----------



## Flrman1 (Jul 26, 2002)

Any progress here?


----------



## beardbuster (Jul 2, 2005)

Hi...
Been on vacation...

This is the Home edition and the only account is the kids'; there is no other account, and I have set it up as admin via the Control Panel... There were other accounts when we started but I deleted them all but the one, which I did set up as the only account and admin...
THANKS


----------



## Flrman1 (Jul 26, 2002)

Try creating a new Admin account and see if it will update from that one.


----------



## beardbuster (Jul 2, 2005)

OK THANKS...
I returned the system to my kids thus I'll need a day or two before I can go there...


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## beardbuster (Jul 2, 2005)

I have their system again...

I have created another admin account and the updating was not completed due to a registry key that could not be backed up...

I took the computer back and will try again... THANKS!!


----------

