Hijacked- lots of popups can't determine culpret or successfully clean

spunky1 · 03-19-2007, 01:25 PM

On March 9th this machine got hijacked. It runs etrust continuously but it is infected. I have run the 5 steps and would appreciate your help. I tried to do a system restore from March 1 st no luck. I'm unable to restore from any point prior to March 9th. I'm sorry not being more specific but evertime I reboot and execute IE I get different popups and results.

Deckard's System Scanner v20070318.32
Run by angela on 2007-03-19 at 14:52:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
58: 2007-03-19 18:52:31 UTC - RP392 - Deckard's System Scanner Restore Point
57: 2007-03-19 08:10:46 UTC - RP391 - System Checkpoint
56: 2007-03-18 07:12:05 UTC - RP390 - System Checkpoint
55: 2007-03-17 07:00:25 UTC - RP389 - Software Distribution Service 2.0
54: 2007-03-16 19:41:39 UTC - RP388 - Removed MyWay Search Assistant

-- First Restore Point --
1: 2007-01-10 14:58:50 UTC - RP335 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as angela.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:55:54 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Project Lab\DDS\DDS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Angela\My Documents\dss.exe
C:\PROGRA~1\HIJACK~1\angela.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E6F0212-A14A-4856-9AFA-089AB959F885} - \
O2 - BHO: (no name) - {3005953E-64E3-4A72-A91B-89C523A8C3CD} - \
O2 - BHO: (no name) - {34621E20-6CB6-4A54-A976-B2C1FE9D8FB5} - \
O2 - BHO: (no name) - {3DCFB2E6-7A56-50D3-7563-79B26D1984C1} - C:\WINDOWS\system32\hrvhu.dll
O2 - BHO: (no name) - {3E9CE2B2-7302-51D9-7263-79B26D19D2C0} - C:\WINDOWS\system32\wmzr.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {56AAC443-A698-435A-B7E6-415DB93C0EEA} - \
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {797519D2-C3C5-4765-8761-9B93CA315446} - \
O2 - BHO: (no name) - {9CE95277-3719-427C-8B06-06671C681309} - \
O2 - BHO: (no name) - {A65E8CF7-F8C7-47BA-864A-30DE5FC33F08} - \
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3ABD708-CBF5-4588-B241-512A51383673} - \
O2 - BHO: 0 - {BBE10FBF-9132-41F1-5F9A-B9BAA6ED3CCD} - C:\Program Files\ComPlus Applications\qufazy.dll
O2 - BHO: (no name) - {E74F733A-E986-9D03-A2DB-B2DEBBC758C3} - C:\WINDOWS\system32\nfm.dll (file missing)
O2 - BHO: (no name) - {F65616BD-404A-4F3C-B6CF-DC655D341494} - \
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE"
O4 - HKLM\..\Run: [FilmLoop] "C:\Program" -hide
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [sys101491349561] C:\WINDOWS\sys101491349561.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122
O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} (AssetAgent Class) - http://www.assetmetrix.com/epulse/assetMetrix.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marketing.alpeng.local
O17 - HKLM\Software\..\Telephony: DomainName = marketing.alpeng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4EA3E9F-2A43-4800-971C-03A77284129D}: NameServer = 172.17.242.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marketing.alpeng.local
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys
R2 Hardlock - c:\windows\system32\drivers\hardlock.sys
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys
R2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys
R3 ASMMEMORYDRIVER - c:\program files\asset services management\asmmemorydriver.sys
R3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys
R3 P17 (Sound Blaster Live! 24-bit) - c:\windows\system32\drivers\p17.sys

S3 cvspydr2 (ColorVision Spyder 2) - c:\windows\system32\drivers\cvspydr2.sys
S3 HidCom (USB-HID -> COM Driver Service) - c:\windows\system32\drivers\bdhidcom.sys
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Adobe Version Cue CS2 - "c:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service
R2 ASMAgent - c:\program files\asset services management\asmagent.exe
R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe"
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe"
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe"
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe"

-- Files created between 2007-02-19 and 2007-03-19 -----------------------------

2007-03-19 14:46:51 21312 --a------ C:\WINDOWS\choice.exe
2007-03-19 14:46:03 0 d-------- C:\ie-spyad
2007-03-19 14:43:37 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-03-19 14:40:34 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-19 12:21:23 0 d-------- C:\Documents and Settings\Angela\.housecall6.6<HOUSEC~1.6>
2007-03-19 09:41:23 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-19 09:41:21 0 d-------- C:\WINDOWS\LastGood
2007-03-19 09:36:53 0 d-------- C:\Program Files\?icrosoft
2007-03-19 09:36:52 60416 --a------ C:\WINDOWS\system32\wmzr.dll
2007-03-19 08:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-03-16 10:14:37 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-03-16 09:29:05 0 d-------- C:\Program Files\RogueRemover<ROGUER~1>
2007-03-15 16:49:40 0 d-------- C:\Documents and Settings\Angela\Application Data\Lavasoft
2007-03-15 16:49:24 0 d-------- C:\Program Files\Lavasoft
2007-03-15 16:48:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-15 15:14:26 0 d-------- C:\Documents and Settings\sarmeli\Application Data\HotSync
2007-03-15 15:14:12 60416 --a------ C:\WINDOWS\system32\hrvhu.dll
2007-03-15 15:13:58 0 d-------- C:\WINDOWS\system32\??sks
2007-03-15 15:13:46 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Adobe
2007-03-15 15:13:04 1048576 --ah----- C:\Documents and Settings\sarmeli\NTUSER.DAT
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Sun
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Gtek
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Creative
2007-03-15 15:11:26 0 d-------- C:\Documents and Settings\Angela\Application Data\?ymantec
2007-03-15 15:11:24 0 d-------- C:\WINDOWS\system32\W?nSxS
2007-03-15 14:54:42 183808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe<NDNUNI~2.EXE>
2007-03-15 14:47:53 40183 ---hs---- C:\Program Files\Common Files\Yazzle1670OinUninstaller.exe<YA8150~1.EXE>
2007-03-15 14:47:50 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-15 14:47:50 0 d-a-s---- C:\Program Files\NewDotNet<NEWDOT~1>
2007-03-15 14:47:38 0 d-------- C:\WINDOWS\system32\bund1
2007-03-14 09:27:36 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe
2007-03-02 15:59:56 53248 --a------ C:\WINDOWS\uni_eh10.exe
2007-03-01 17:08:39 77 --a------ C:\Documents and Settings\Angela\n.bat
2007-03-01 17:08:24 274 --a------ C:\Documents and Settings\Angela\x.dat
2007-02-28 10:53:08 0 d-------- C:\Program Files\s?stem32
2007-02-28 10:53:08 0 d-------- C:\Program Files\??stem32
2007-02-27 10:00:09 0 d-------- C:\Program Files\OIN Search<OINSEA~1>
2007-02-27 09:59:58 0 d-------- C:\WINDOWS\system32\?ymbols
2007-02-26 10:21:19 0 d-------- C:\WINDOWS\system32\S?mantec
2007-02-23 13:11:25 0 d-------- C:\WINDOWS\system32\s?stem32
2007-02-19 12:43:36 63 --a------ C:\Documents and Settings\Angela\yyd.bat

-- Find3M Report ---------------------------------------------------------------

2007-03-19 14:23:41 0 d-------- C:\Program Files\Outerinfo<OUTERI~1>
2007-03-19 11:41:22 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-19 11:40:39 0 d-------- C:\Program Files\palmOne
2007-03-19 11:38:31 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MI558C~1>
2007-03-19 11:38:29 0 d-------- C:\Program Files\Microsoft IntelliPoint<MIFB84~1>
2007-03-19 11:38:27 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-19 11:35:43 0 d-------- C:\Program Files\Dell Support<DELLSU~1>
2007-03-19 11:34:34 0 d-------- C:\Program Files\Common Files\stardock
2007-03-19 11:32:56 22 --a------ C:\Program Files\c.zip
2007-03-19 11:32:56 22 --a------ C:\Program Files\b.zip
2007-03-19 11:32:56 0 d-------- C:\Program Files\Asset Services Management<ASSETS~1>
2007-03-19 11:28:14 22 --a------ C:\Program Files\a.zip
2007-03-19 09:36:16 25214 --a------ C:\Program Files\A.ico
2007-03-19 09:36:15 25214 --a------ C:\Program Files\B.ico
2007-03-19 09:35:37 8405015 --a------ C:\WINDOWS\TempFile
2007-03-15 17

35 0 d-------- C:\Program Files\Common Files\ikuw
2007-03-15 15:47:48 0 d-------- C:\Program Files\Common Files\{58E43039-0BB0-1033-0525-050112050001}<{58E43~1>
2007-03-15 15:13:58 32178 ---hs---- C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe<YAZZLE~4.EXE>
2007-03-14 06:26:21 0 d-------- C:\Program Files\Common Files\{38E43039-0BB0-1033-0525-050112050001}<{38E43~1>
2007-03-13 08:53:54 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-13 08:51:52 0 d-------- C:\Program Files\Incomplete<INCOMP~1>
2007-03-13 08:50:21 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-02-26 14:52:51 0 d-------- C:\Program Files\Java
2007-02-23 12:39:55 0 d-------- C:\Program Files\??sembly
2007-02-14 17:22:59 184320 --a------ C:\WINDOWS\sys101491349561.exe<SYS101~1.EXE>
2007-02-13 16:07:54 0 d-------- C:\Program Files\InetGet2
2007-02-13 15:43:45 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe<YAZZLE~2.EXE>
2007-02-13 14:07:46 203144 --a------ C:\WINDOWS\system32\drp.exe
2007-02-13 14:07:43 20480 --a------ C:\WINDOWS\system32\stup9x.exe
2007-02-13 10:20:08 0 d--h----- C:\Documents and Settings\Angela\Application Data\Gtek
2007-02-12 17:23:44 153088 ---hs---- C:\Program Files\Common Files\Yazzle1670OinAdmin.exe<YAF97C~1.EXE>
2007-02-12 10:04:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-02-08 16:38:01 0 d---s---- C:\Documents and Settings\Angela\Application Data\Microsoft<MICROS~1>
2007-02-07 11:36:11 0 d-------- C:\Program Files\Trillian
2007-01-10 11:57:34 171520 ---hs---- C:\Program Files\Common Files\Yazzle1396OinAdmin.exe<YAZZLE~3.EXE>
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-03 17:19:56 171008 ---hs---- C:\Program Files\Common Files\Yazzle1122OinAdmin.exe<YAZZLE~1.EXE>

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\javaw.exe\" -vt yazb"
"Lsv"="\"C:\\Program Files\\??sembly\\??ool32.exe\" 99001122"
"ikuw"="C:\\Program Files\\Common Files\\ikuw\\ikuwm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CCD Manager"="\"C:\\Program Files\\Project Lab\\DDS\\DDS.EXE\""
"FilmLoop"="\"C:\\Program\" -hide"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"sys101491349561"="C:\\WINDOWS\\sys101491349561.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\ComPlus Applications\rtenenu.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-03-19 at 14:56:20 ---------

tetonbob · 03-26-2007, 01:11 PM

Hello and Welcome. Apologies for the delay in reply, but the forum is very busy of late.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download combofix from one of these locations:
- http://www.techsupportforum.com/sect...s/ComboFix.exe
- http://download.bleepingcomputer.com/sUBs/ComboFix.exe
* IMPORTANT !!! Place it on your Desktop.
Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v hrvhu wmzr
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Once ComboFix has finsihed it's routine:

Please download Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save Link As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NewDotNet or New.Net Domains
OIN Search
OIN

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {2E6F0212-A14A-4856-9AFA-089AB959F885} - \
O2 - BHO: (no name) - {3005953E-64E3-4A72-A91B-89C523A8C3CD} - \
O2 - BHO: (no name) - {34621E20-6CB6-4A54-A976-B2C1FE9D8FB5} - \
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {56AAC443-A698-435A-B7E6-415DB93C0EEA} - \
O2 - BHO: (no name) - {797519D2-C3C5-4765-8761-9B93CA315446} - \
O2 - BHO: (no name) - {9CE95277-3719-427C-8B06-06671C681309} - \
O2 - BHO: (no name) - {A65E8CF7-F8C7-47BA-864A-30DE5FC33F08} - \
O2 - BHO: (no name) - {B3ABD708-CBF5-4588-B241-512A51383673} - \
O2 - BHO: 0 - {BBE10FBF-9132-41F1-5F9A-B9BAA6ED3CCD} - C:\Program Files\ComPlus Applications\qufazy.dll
O2 - BHO: (no name) - {E74F733A-E986-9D03-A2DB-B2DEBBC758C3} - C:\WINDOWS\system32\nfm.dll (file missing)
O2 - BHO: (no name) - {F65616BD-404A-4F3C-B6CF-DC655D341494} - \
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [sys101491349561] C:\WINDOWS\sys101491349561.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122
O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\Program Files\NewDotNet
C:\WINDOWS\sys101491349561.exe
C:\Program Files\Common Files\ikuw

---------------------------------------------------------------------------------------------

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows.

---------------------------------------------------------------------------------------------

Run DSS once again, and post it's log, main.txt, along with the log from ComboFix - C:\ComboFix.txt

spunky1 · 03-26-2007, 02:35 PM

Thank you so much for the help!!!

When I ran combofix it rebooted in the middle when my system came up it continued to run so I believe it did what it was suppose to do. 3 lines in hijack this were no longer there
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122
O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe

I truly appreciate the help!!!

Deckard's System Scanner v20070318.32
Run by angela on 2007-03-26 at 16:30:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as angela.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:30:44 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Project Lab\DDS\DDS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Angela\My Documents\dss.exe
C:\PROGRA~1\HIJACK~1\angela.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE"
O4 - HKLM\..\Run: [FilmLoop] "C:\Program" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122
O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} (AssetAgent Class) - http://www.assetmetrix.com/epulse/assetMetrix.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marketing.alpeng.local
O17 - HKLM\Software\..\Telephony: DomainName = marketing.alpeng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4EA3E9F-2A43-4800-971C-03A77284129D}: NameServer = 172.17.242.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marketing.alpeng.local
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- Files created between 2007-02-26 and 2007-03-26 -----------------------------

2007-03-26 16:27:12 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-03-26 16

10 0 d-------- C:\bfu
2007-03-20 13:33:47 60928 --a------ C:\WINDOWS\system32\blcfibt.dll
2007-03-19 14:46:51 21312 --a------ C:\WINDOWS\choice.exe
2007-03-19 14:46:03 0 d-------- C:\ie-spyad
2007-03-19 14:43:37 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-03-19 14:40:34 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-19 12:21:23 0 d-------- C:\Documents and Settings\Angela\.housecall6.6<HOUSEC~1.6>
2007-03-19 09:41:23 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-19 08:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-03-16 10:14:37 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-03-15 16:49:40 0 d-------- C:\Documents and Settings\Angela\Application Data\Lavasoft
2007-03-15 16:49:24 0 d-------- C:\Program Files\Lavasoft
2007-03-15 16:48:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-15 15:14:26 0 d-------- C:\Documents and Settings\sarmeli\Application Data\HotSync
2007-03-15 15:13:46 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Adobe
2007-03-15 15:13:04 1048576 --ah----- C:\Documents and Settings\sarmeli\NTUSER.DAT
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Sun
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Gtek
2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Creative
2007-03-15 14:47:50 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-14 09:27:36 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe
2007-03-02 15:59:56 53248 --a------ C:\WINDOWS\uni_eh10.exe
2007-03-01 17:08:39 77 --a------ C:\Documents and Settings\Angela\n.bat
2007-03-01 17:08:24 274 --a------ C:\Documents and Settings\Angela\x.dat

-- Find3M Report ---------------------------------------------------------------

2007-03-26 16:28:10 0 --a------ C:\WINDOWS\TempFile
2007-03-20 13:31:17 0 d-------- C:\Program Files\Java
2007-03-19 11:41:22 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-19 11:40:39 0 d-------- C:\Program Files\palmOne
2007-03-19 11:38:31 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MI558C~1>
2007-03-19 11:38:29 0 d-------- C:\Program Files\Microsoft IntelliPoint<MIFB84~1>
2007-03-19 11:38:27 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-19 11:35:43 0 d-------- C:\Program Files\Dell Support<DELLSU~1>
2007-03-19 11:34:34 0 d-------- C:\Program Files\Common Files\stardock
2007-03-19 11:32:56 22 --a------ C:\Program Files\c.zip
2007-03-19 11:32:56 22 --a------ C:\Program Files\b.zip
2007-03-19 11:32:56 0 d-------- C:\Program Files\Asset Services Management<ASSETS~1>
2007-03-19 11:28:14 22 --a------ C:\Program Files\a.zip
2007-03-19 09:36:16 25214 --a------ C:\Program Files\A.ico
2007-03-19 09:36:15 25214 --a------ C:\Program Files\B.ico
2007-03-13 08:53:54 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-13 08:51:52 0 d-------- C:\Program Files\Incomplete<INCOMP~1>
2007-03-13 08:50:21 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-02-13 14:07:46 203144 --a------ C:\WINDOWS\system32\drp.exe
2007-02-13 14:07:43 20480 --a------ C:\WINDOWS\system32\stup9x.exe
2007-02-13 10:20:08 0 d--h----- C:\Documents and Settings\Angela\Application Data\Gtek
2007-02-12 10:04:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-02-08 16:38:01 0 d---s---- C:\Documents and Settings\Angela\Application Data\Microsoft<MICROS~1>
2007-02-07 11:36:11 0 d-------- C:\Program Files\Trillian
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\javaw.exe\" -vt yazb"
"Lsv"="\"C:\\Program Files\\??sembly\\??ool32.exe\" 99001122"
"ikuw"="C:\\Program Files\\Common Files\\ikuw\\ikuwm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CCD Manager"="\"C:\\Program Files\\Project Lab\\DDS\\DDS.EXE\""
"FilmLoop"="\"C:\\Program\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\ComPlus Applications\rtenenu.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-03-26 at 16:30:58 ---------

"angela" - 07-03-26 15:55:58 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Angela\desktop"
Command switches used :: /v hrvhu wmzr

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hrvhu.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1396OinAdmin.exe
C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1670OinAdmin.exe
C:\Program Files\Common Files\Yazzle1670OinUninstaller.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\mac.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\bund1\Yzz.exe
C:\WINDOWS\system32\bund1\zq.exe
C:\Program Files\Common Files\{38E43~1
C:\Program Files\Common Files\{58E43~1
C:\Program Files\inetget2
C:\Program Files\oin search
C:\Program Files\outerinfo
C:\WINDOWS\system32\bund1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Angela
C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1
C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1
C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\PPATCH~1
C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\YMANTE~1
C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\ICROSO~1.NET
C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\PPPATC~1
C:\qoobox\purity\Program Files\ICROSO~1
C:\qoobox\purity\Program Files\SEMBLY~1
C:\qoobox\purity\Program Files\SSTEM3~1
C:\qoobox\purity\Program Files\STEM32~1
C:\qoobox\purity\Program Files\STEM~1
C:\qoobox\purity\Program Files\Common Files\SSTEM~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\Program Files\Common Files\SSTEM~1\?serinit.exe
C:\qoobox\purity\Program Files\Common Files\STEM~1\javaw.exe
C:\qoobox\purity\Program Files\Common Files\STEM~1\??stem
C:\qoobox\purity\Program Files\SEMBLY~1\??ool32.exe
C:\qoobox\purity\WINDOWS\PPATCH~1
C:\qoobox\purity\WINDOWS\system32\SKS~1
C:\qoobox\purity\WINDOWS\system32\SMANTE~1
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\YMBOLS~1
C:\qoobox\purity\WINDOWS\system32\SKS~1\cmd.exe
C:\qoobox\purity\WINDOWS\system32\SKS~1\??sks

((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 ))))))))))))))))))))))))))))))))))

2007-03-20 13:33 60,928 --a------ C:\WINDOWS\system32\blcfibt.dll
2007-03-19 14:52 <DIR> d-------- C:\Deckard
2007-03-19 14:46 21,312 --a------ C:\WINDOWS\choice.exe
2007-03-19 14:46 <DIR> d-------- C:\ie-spyad
2007-03-19 14:43 <DIR> d-------- C:\Program Files\SpywareGuard
2007-03-19 14:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-03-19 12:21 <DIR> d-------- C:\DOCUME~1\Angela\.housecall6.6
2007-03-19 09:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-19 08:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-16 10:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-03-15 16:49 <DIR> d-------- C:\Program Files\àdobe
2007-03-15 16:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-15 16:49 <DIR> d-------- C:\DOCUME~1\Angela\APPLIC~1\Lavasoft
2007-03-15 16:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-15 15:14 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\HotSync
2007-03-15 15:13 1,048,576 --ah----- C:\DOCUME~1\sarmeli\NTUSER.DAT
2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Sun
2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Gtek
2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Creative
2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Adobe
2007-03-15 14:47 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-15 14:47 <DIR> d-a-s---- C:\Program Files\NewDotNet
2007-03-14 09:27 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe
2007-03-02 15:59 53,248 --a------ C:\WINDOWS\uni_eh10.exe
2007-03-01 17:08 77 --a------ C:\DOCUME~1\Angela\n.bat
2007-03-01 17:08 274 --a------ C:\DOCUME~1\Angela\x.dat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-20 13:31 -------- d-------- C:\Program Files\java
2007-03-19 11:41 -------- d-------- C:\Program Files\quicktime
2007-03-19 11:40 -------- d-------- C:\Program Files\palmone
2007-03-19 11:38 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-03-19 11:38 -------- d-------- C:\Program Files\microsoft intellipoint
2007-03-19 11:38 -------- d-------- C:\Program Files\messenger
2007-03-19 11:35 -------- d-------- C:\Program Files\dell support
2007-03-19 11:34 -------- d-------- C:\Program Files\Common Files\stardock
2007-03-19 11:32 22 --a------ C:\Program Files\c.zip
2007-03-19 11:32 22 --a------ C:\Program Files\b.zip
2007-03-19 11:28 22 --a------ C:\Program Files\a.zip
2007-03-19 09:36 25214 --a------ C:\Program Files\b.ico
2007-03-19 09:36 25214 --a------ C:\Program Files\a.ico
2007-03-13 08:53 -------- d--h----- C:\Program Files\installshield installation information
2007-03-13 08:51 -------- d-------- C:\Program Files\incomplete
2007-03-13 08:50 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-02-14 17:22 184320 --a------ C:\WINDOWS\sys101491349561.exe
2007-02-13 14:07 20480 --a------ C:\WINDOWS\system32\stup9x.exe
2007-02-13 14:07 203144 --a------ C:\WINDOWS\system32\drp.exe
2007-02-12 10:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-02-07 11:36 -------- d-------- C:\Program Files\trillian
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\javaw.exe\" -vt yazb"
"Lsv"="\"C:\\Program Files\\??sembly\\??ool32.exe\" 99001122"
"ikuw"="C:\\Program Files\\Common Files\\ikuw\\ikuwm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CCD Manager"="\"C:\\Program Files\\Project Lab\\DDS\\DDS.EXE\""
"FilmLoop"="\"C:\\Program\" -hide"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"sys101491349561"="C:\\WINDOWS\\sys101491349561.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\ComPlus Applications\rtenenu.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-26 16:03:11

tetonbob · 03-26-2007, 05:28 PM

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Spywareguard

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click the running icon of Spywareguard located in the system tray
Go to Menu > File > Exit and confirm the programs close.

---------------------------------------------------------------------------------------------

It's possible these were not visible in safe mode. Do this scan and fix in normal mode, as they are still showing in the logs.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122
O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------

Please go to: VirusTotal

At the top of the page you'll find a "Browse" button. On the left of the Browse button is an empty box. Copy and paste the following into that box.

C:\WINDOWS\system32\blcfibt.dll
Then click the "Send" button at the top of the VirusTotal page.
This will scan the file. Please be patient.
Then repeat as above for the following files in BOLD:

C:\WINDOWS\uni_eh10.exe
Once scanned, copy and paste the results in your next reply.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

VirusTotal scans
New HijackThis log

spunky1 · 03-27-2007, 06:40 AM

I am learning a great deal!! Sorry not to respond sooner...

Results from Virus Total
blcfibt.dll

AntiVir 7.3.1.44 03.27.2007 ADSPY/PurityScan.FR
Avast 4.7.936.0 03.25.2007 Win32:Agent-RY
eSafe 7.0.14.0 03.26.2007 Spyware.Purityscan
NOD32v2 2146 03.27.2007 probably a variant of Win32/Adware.PurityScan
Panda 9.0.0.4 03.27.2007 Adware/PurityScan
Prevx1 V2 03.27.2007 Malicious
Sophos 4.15.0 03.27.2007 ClickSpring
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.27.2007 Adware.Purityscan
Webwasher-Gateway 6.0.1 03.27.2007 Ad-Spyware.PurityScan.FR

uni_eh10.exe

ClamAV devel-20070312 03.27.2007 Trojan.VB-470
eSafe 7.0.14.0 03.26.2007 Win32.Trojan
Ikarus T3.1.1.3 03.27.2007 Trojan.Win32.VB.tg
Sunbelt 2.2.907.0 03.24.2007 Trojan.Unclassified.gen
Symantec 10 03.27.2007 Trojan Horse

Logfile of HijackThis v1.99.1
Scan saved at 8:32:59 AM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Project Lab\DDS\DDS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Progra

03-26-2007, 01:11 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,432 OS: 2000 Pro; XP Pro; XP Home	Re: Hijacked- lots of popups can't determine culpret or successfully clean Hello and Welcome. Apologies for the delay in reply, but the forum is very busy of late. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download combofix from one of these locations: http://www.techsupportforum.com/sect...s/ComboFix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe * IMPORTANT !!! Place it on your Desktop. Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK "%userprofile%\desktop\combofix.exe" /v hrvhu wmzr When finished, it shall produce a log for you. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Once ComboFix has finsihed it's routine: Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". RIGHT-CLICK HERE and choose "Save Link As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: NewDotNet or New.Net Domains OIN Search OIN --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O2 - BHO: (no name) - {2E6F0212-A14A-4856-9AFA-089AB959F885} - \ O2 - BHO: (no name) - {3005953E-64E3-4A72-A91B-89C523A8C3CD} - \ O2 - BHO: (no name) - {34621E20-6CB6-4A54-A976-B2C1FE9D8FB5} - \ O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll O2 - BHO: (no name) - {56AAC443-A698-435A-B7E6-415DB93C0EEA} - \ O2 - BHO: (no name) - {797519D2-C3C5-4765-8761-9B93CA315446} - \ O2 - BHO: (no name) - {9CE95277-3719-427C-8B06-06671C681309} - \ O2 - BHO: (no name) - {A65E8CF7-F8C7-47BA-864A-30DE5FC33F08} - \ O2 - BHO: (no name) - {B3ABD708-CBF5-4588-B241-512A51383673} - \ O2 - BHO: 0 - {BBE10FBF-9132-41F1-5F9A-B9BAA6ED3CCD} - C:\Program Files\ComPlus Applications\qufazy.dll O2 - BHO: (no name) - {E74F733A-E986-9D03-A2DB-B2DEBBC758C3} - C:\WINDOWS\system32\nfm.dll (file missing) O2 - BHO: (no name) - {F65616BD-404A-4F3C-B6CF-DC655D341494} - \ O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s O4 - HKLM\..\Run: [sys101491349561] C:\WINDOWS\sys101491349561.exe O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122 O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe Close HijackThis now. --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following if they exist: C:\Program Files\NewDotNet C:\WINDOWS\sys101491349561.exe C:\Program Files\Common Files\ikuw --------------------------------------------------------------------------------------------- Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it. Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows. --------------------------------------------------------------------------------------------- Run DSS once again, and post it's log, main.txt, along with the log from ComboFix - C:\ComboFix.txt __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

03-26-2007, 02:35 PM	#3 (permalink)
spunky1 Registered User Join Date: Mar 2007 Posts: 8 OS: xp	Re: Hijacked- lots of popups can't determine culpret or successfully clean Thank you so much for the help!!! When I ran combofix it rebooted in the middle when my system came up it continued to run so I believe it did what it was suppose to do. 3 lines in hijack this were no longer there O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122 O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe I truly appreciate the help!!! Deckard's System Scanner v20070318.32 Run by angela on 2007-03-26 at 16:30:21 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as angela.exe) ---------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 4:30:44 PM, on 3/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Asset Services Management\ASMAgent.exe C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Project Lab\DDS\DDS.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe C:\Program Files\palmOne\Hotsync.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Documents and Settings\Angela\My Documents\dss.exe C:\PROGRA~1\HIJACK~1\angela.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE" O4 - HKLM\..\Run: [FilmLoop] "C:\Program" -hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122 O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} (AssetAgent Class) - http://www.assetmetrix.com/epulse/assetMetrix.CAB O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marketing.alpeng.local O17 - HKLM\Software\..\Telephony: DomainName = marketing.alpeng.local O17 - HKLM\System\CCS\Services\Tcpip\..\{D4EA3E9F-2A43-4800-971C-03A77284129D}: NameServer = 172.17.242.78 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marketing.alpeng.local O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing) O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- Files created between 2007-02-26 and 2007-03-26 ----------------------------- 2007-03-26 16:27:12 0 d-------- C:\bintheredunthat<BINTHE~1> 2007-03-26 1610 0 d-------- C:\bfu 2007-03-20 13:33:47 60928 --a------ C:\WINDOWS\system32\blcfibt.dll 2007-03-19 14:46:51 21312 --a------ C:\WINDOWS\choice.exe 2007-03-19 14:46:03 0 d-------- C:\ie-spyad 2007-03-19 14:43:37 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2> 2007-03-19 14:40:34 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1> 2007-03-19 12:21:23 0 d-------- C:\Documents and Settings\Angela\.housecall6.6<HOUSEC~1.6> 2007-03-19 09:41:23 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-03-19 08:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2007-03-16 10:14:37 0 d-------- C:\Program Files\Trend Micro<TRENDM~1> 2007-03-15 16:49:40 0 d-------- C:\Documents and Settings\Angela\Application Data\Lavasoft 2007-03-15 16:49:24 0 d-------- C:\Program Files\Lavasoft 2007-03-15 16:48:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-03-15 15:14:26 0 d-------- C:\Documents and Settings\sarmeli\Application Data\HotSync 2007-03-15 15:13:46 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Adobe 2007-03-15 15:13:04 1048576 --ah----- C:\Documents and Settings\sarmeli\NTUSER.DAT 2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Sun 2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Gtek 2007-03-15 15:13:04 0 d-------- C:\Documents and Settings\sarmeli\Application Data\Creative 2007-03-15 14:47:50 8464 --a------ C:\WINDOWS\system32\sporder.dll 2007-03-14 09:27:36 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe 2007-03-02 15:59:56 53248 --a------ C:\WINDOWS\uni_eh10.exe 2007-03-01 17:08:39 77 --a------ C:\Documents and Settings\Angela\n.bat 2007-03-01 17:08:24 274 --a------ C:\Documents and Settings\Angela\x.dat -- Find3M Report --------------------------------------------------------------- 2007-03-26 16:28:10 0 --a------ C:\WINDOWS\TempFile 2007-03-20 13:31:17 0 d-------- C:\Program Files\Java 2007-03-19 11:41:22 0 d-------- C:\Program Files\QuickTime<QUICKT~1> 2007-03-19 11:40:39 0 d-------- C:\Program Files\palmOne 2007-03-19 11:38:31 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MI558C~1> 2007-03-19 11:38:29 0 d-------- C:\Program Files\Microsoft IntelliPoint<MIFB84~1> 2007-03-19 11:38:27 0 d-------- C:\Program Files\Messenger<MESSEN~1> 2007-03-19 11:35:43 0 d-------- C:\Program Files\Dell Support<DELLSU~1> 2007-03-19 11:34:34 0 d-------- C:\Program Files\Common Files\stardock 2007-03-19 11:32:56 22 --a------ C:\Program Files\c.zip 2007-03-19 11:32:56 22 --a------ C:\Program Files\b.zip 2007-03-19 11:32:56 0 d-------- C:\Program Files\Asset Services Management<ASSETS~1> 2007-03-19 11:28:14 22 --a------ C:\Program Files\a.zip 2007-03-19 09:36:16 25214 --a------ C:\Program Files\A.ico 2007-03-19 09:36:15 25214 --a------ C:\Program Files\B.ico 2007-03-13 08:53:54 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1> 2007-03-13 08:51:52 0 d-------- C:\Program Files\Incomplete<INCOMP~1> 2007-03-13 08:50:21 2 --a------ C:\WINDOWS\system32\wcptr.exe 2007-02-13 14:07:46 203144 --a------ C:\WINDOWS\system32\drp.exe 2007-02-13 14:07:43 20480 --a------ C:\WINDOWS\system32\stup9x.exe 2007-02-13 10:20:08 0 d--h----- C:\Documents and Settings\Angela\Application Data\Gtek 2007-02-12 10:04:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-02-08 16:38:01 0 d---s---- C:\Documents and Settings\Angela\Application Data\Microsoft<MICROS~1> 2007-02-07 11:36:11 0 d-------- C:\Program Files\Trillian 2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup" "Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\javaw.exe\" -vt yazb" "Lsv"="\"C:\\Program Files\\??sembly\\??ool32.exe\" 99001122" "ikuw"="C:\\Program Files\\Common Files\\ikuw\\ikuwm.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe" "CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r" "P17Helper"="Rundll32 P17.dll,P17Helper" "UpdReg"="C:\\WINDOWS\\UpdReg.EXE" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s" "Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\"" "Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\"" "HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe" "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\"" "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "CCD Manager"="\"C:\\Program Files\\Project Lab\\DDS\\DDS.EXE\"" "FilmLoop"="\"C:\\Program\" -hide" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ C:\Program Files\ComPlus Applications\rtenenu.html HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-03-26 at 16:30:58 --------- "angela" - 07-03-26 15:55:58 Service Pack 2 ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Angela\desktop" Command switches used :: /v hrvhu wmzr (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\hrvhu.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\Yazzle1122OinAdmin.exe C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe C:\Program Files\Common Files\Yazzle1396OinAdmin.exe C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe C:\Program Files\Common Files\Yazzle1670OinAdmin.exe C:\Program Files\Common Files\Yazzle1670OinUninstaller.exe C:\WINDOWS\NDNuninstall7_48.exe C:\Program Files\oin search\OINSearch.dll C:\Program Files\oin search\Uninstall.exe C:\Program Files\outerinfo\outerinfo.ico C:\Program Files\outerinfo\Terms.rtf C:\WINDOWS\system32\bund1\ClientBundle1.exe C:\WINDOWS\system32\bund1\mac.exe C:\WINDOWS\system32\bund1\temp.txt C:\WINDOWS\system32\bund1\Yzz.exe C:\WINDOWS\system32\bund1\zq.exe C:\Program Files\Common Files\{38E43~1 C:\Program Files\Common Files\{58E43~1 C:\Program Files\inetget2 C:\Program Files\oin search C:\Program Files\outerinfo C:\WINDOWS\system32\bund1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\DOCUME~1 C:\qoobox\purity\DOCUME~1\Angela C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1 C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1 C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\from.txt C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\PPATCH~1 C:\qoobox\purity\DOCUME~1\Angela\APPLIC~1\YMANTE~1 C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\from.txt C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\ICROSO~1.NET C:\qoobox\purity\DOCUME~1\Angela\MYDOCU~1\PPPATC~1 C:\qoobox\purity\Program Files\ICROSO~1 C:\qoobox\purity\Program Files\SEMBLY~1 C:\qoobox\purity\Program Files\SSTEM3~1 C:\qoobox\purity\Program Files\STEM32~1 C:\qoobox\purity\Program Files\STEM~1 C:\qoobox\purity\Program Files\Common Files\SSTEM~1 C:\qoobox\purity\Program Files\Common Files\STEM~1 C:\qoobox\purity\Program Files\Common Files\SSTEM~1\?serinit.exe C:\qoobox\purity\Program Files\Common Files\STEM~1\javaw.exe C:\qoobox\purity\Program Files\Common Files\STEM~1\??stem C:\qoobox\purity\Program Files\SEMBLY~1\??ool32.exe C:\qoobox\purity\WINDOWS\PPATCH~1 C:\qoobox\purity\WINDOWS\system32\SKS~1 C:\qoobox\purity\WINDOWS\system32\SMANTE~1 C:\qoobox\purity\WINDOWS\system32\SSTEM3~1 C:\qoobox\purity\WINDOWS\system32\WNSXS~1 C:\qoobox\purity\WINDOWS\system32\YMBOLS~1 C:\qoobox\purity\WINDOWS\system32\SKS~1\cmd.exe C:\qoobox\purity\WINDOWS\system32\SKS~1\??sks ((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 )))))))))))))))))))))))))))))))))) 2007-03-20 13:33 60,928 --a------ C:\WINDOWS\system32\blcfibt.dll 2007-03-19 14:52 <DIR> d-------- C:\Deckard 2007-03-19 14:46 21,312 --a------ C:\WINDOWS\choice.exe 2007-03-19 14:46 <DIR> d-------- C:\ie-spyad 2007-03-19 14:43 <DIR> d-------- C:\Program Files\SpywareGuard 2007-03-19 14:40 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-03-19 12:21 <DIR> d-------- C:\DOCUME~1\Angela\.housecall6.6 2007-03-19 09:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-03-19 08:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft 2007-03-16 10:14 <DIR> d-------- C:\Program Files\Trend Micro 2007-03-15 16:49 <DIR> d-------- C:\Program Files\àdobe 2007-03-15 16:49 <DIR> d-------- C:\Program Files\Lavasoft 2007-03-15 16:49 <DIR> d-------- C:\DOCUME~1\Angela\APPLIC~1\Lavasoft 2007-03-15 16:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-03-15 15:14 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\HotSync 2007-03-15 15:13 1,048,576 --ah----- C:\DOCUME~1\sarmeli\NTUSER.DAT 2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Sun 2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Gtek 2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Creative 2007-03-15 15:13 <DIR> d-------- C:\DOCUME~1\sarmeli\APPLIC~1\Adobe 2007-03-15 14:47 8,464 --a------ C:\WINDOWS\system32\sporder.dll 2007-03-15 14:47 <DIR> d-a-s---- C:\Program Files\NewDotNet 2007-03-14 09:27 2 --a------ C:\WINDOWS\system32\wcpsvtr.exe 2007-03-02 15:59 53,248 --a------ C:\WINDOWS\uni_eh10.exe 2007-03-01 17:08 77 --a------ C:\DOCUME~1\Angela\n.bat 2007-03-01 17:08 274 --a------ C:\DOCUME~1\Angela\x.dat (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-20 13:31 -------- d-------- C:\Program Files\java 2007-03-19 11:41 -------- d-------- C:\Program Files\quicktime 2007-03-19 11:40 -------- d-------- C:\Program Files\palmone 2007-03-19 11:38 -------- d-------- C:\Program Files\microsoft intellitype pro 2007-03-19 11:38 -------- d-------- C:\Program Files\microsoft intellipoint 2007-03-19 11:38 -------- d-------- C:\Program Files\messenger 2007-03-19 11:35 -------- d-------- C:\Program Files\dell support 2007-03-19 11:34 -------- d-------- C:\Program Files\Common Files\stardock 2007-03-19 11:32 22 --a------ C:\Program Files\c.zip 2007-03-19 11:32 22 --a------ C:\Program Files\b.zip 2007-03-19 11:28 22 --a------ C:\Program Files\a.zip 2007-03-19 09:36 25214 --a------ C:\Program Files\b.ico 2007-03-19 09:36 25214 --a------ C:\Program Files\a.ico 2007-03-13 08:53 -------- d--h----- C:\Program Files\installshield installation information 2007-03-13 08:51 -------- d-------- C:\Program Files\incomplete 2007-03-13 08:50 2 --a------ C:\WINDOWS\system32\wcptr.exe 2007-02-14 17:22 184320 --a------ C:\WINDOWS\sys101491349561.exe 2007-02-13 14:07 20480 --a------ C:\WINDOWS\system32\stup9x.exe 2007-02-13 14:07 203144 --a------ C:\WINDOWS\system32\drp.exe 2007-02-12 10:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-02-07 11:36 -------- d-------- C:\Program Files\trillian 2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup" "Tair"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\javaw.exe\" -vt yazb" "Lsv"="\"C:\\Program Files\\??sembly\\??ool32.exe\" 99001122" "ikuw"="C:\\Program Files\\Common Files\\ikuw\\ikuwm.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe" "CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r" "P17Helper"="Rundll32 P17.dll,P17Helper" "UpdReg"="C:\\WINDOWS\\UpdReg.EXE" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s" "Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\"" "Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\"" "HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe" "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\"" "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "CCD Manager"="\"C:\\Program Files\\Project Lab\\DDS\\DDS.EXE\"" "FilmLoop"="\"C:\\Program\" -hide" "New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s" "sys101491349561"="C:\\WINDOWS\\sys101491349561.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ C:\Program Files\ComPlus Applications\rtenenu.html HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 ****************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 07-03-26 16:03:11

03-26-2007, 05:28 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,432 OS: 2000 Pro; XP Pro; XP Home	Re: Hijacked- lots of popups can't determine culpret or successfully clean Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Spywareguard Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean. Right click the running icon of Spywareguard located in the system tray Go to Menu > File > Exit and confirm the programs close. --------------------------------------------------------------------------------------------- It's possible these were not visible in safe mode. Do this scan and fix in normal mode, as they are still showing in the logs. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Lsv] "C:\Program Files\??sembly\??ool32.exe" 99001122 O4 - HKCU\..\Run: [ikuw] C:\Program Files\Common Files\ikuw\ikuwm.exe Close HijackThis now. --------------------------------------------------------------------------------------------- Please go to: VirusTotal At the top of the page you'll find a "Browse" button. On the left of the Browse button is an empty box. Copy and paste the following into that box. C:\WINDOWS\system32\blcfibt.dll Then click the "Send" button at the top of the VirusTotal page. This will scan the file. Please be patient. Then repeat as above for the following files in BOLD: C:\WINDOWS\uni_eh10.exe Once scanned, copy and paste the results in your next reply. --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with results from: VirusTotal scans New HijackThis log __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.