Hello from New Zealand everyone

[Download Junkie]

AVG deletes drsmartload.exe and a heap off others but they are back after the next restart

[Download Junkie]

Logfile of HijackThis v1.99.1
Scan saved at 5:44:36 PM, on 7/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winrestores.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\TURBOC~1\netdetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Kazaa Lite Revolution\ksharedfolder.exe
C:\Program Files\Kazaa Lite Revolution\ksharedfolder.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Warez P2P Client\My Shared Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Telecoms Center] winrestores.exe
O4 - HKLM\..\Run: [True Sword] C:\Program Files\Security Stronghold\True Sword\TrueSword.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] winrestores.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] winrestores.exe
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...a604ce84bc937c
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\hrlm0531e.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\h2n0lc5m1f.dll (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\o4lule391h.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irp6l57s1.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[Ried]

Hello Download Junkie and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

******************************************

1. Download combofix from one of these locations:
   • http://www.techsupportforum.com/sectools/combofix.exe
   • http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


********************************************************************

Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 trial of the program

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run ewido and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.


Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:BFU).

Do not do anything with these yet!

-------------------------------------------


Reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Microsoft Telecoms Center] winrestores.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] winrestores.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] winrestores.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...a604ce84bc937c

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Delete the following File

C:\WINDOWS\System32\ winrestores.exe

-----------------------------------


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

**Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Now, please go to Start > My Computer and navigate to the C:BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
• Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

---------------------------------------------------------------------------------------------

Run Combofix once more.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

C:\Combofix.previous.run.txt
Ewido
Panda
C:\Combofix.txt
HJT

[Download Junkie]

Start Time= Mon 07/31/2006 18:24:49.42
Running from: C:\Reids

[Download Junkie]

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:01:23 PM 7/31/2006

+ Scan result:



C:\Documents and Settings\Black Dragon\Local Settings\Temp\ICD1.tmp\SAIX.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Local Settings\Temp\SAISetup.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y7KTOPUH\bridge-c15[1].cab/SAIX.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Local Settings\Temp\bw2.com -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Local Settings\Temporary Internet Files\Content.IE5\AB078F45\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Local Settings\Temporary Internet Files\Content.IE5\OD8LYNCP\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vksec0ce.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MACTF.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\c8002idmg80a2.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ckyptnet.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\Installer[2].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddlay.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\en0ul1d91.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fp4403hqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\g4lmle311h.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i0lola331d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iElola331d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iertprio.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\igxrtmgr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ilwphbk.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iortprio.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ipctl.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ir42l5ho1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ismp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jrproxy.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k8lqli3518.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kidhu.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kldfi.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mehtmled.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mfapsspc.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mpvcr71.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\musap.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\obe2nls.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\silwapi.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vla.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wzwfax.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[592] C:\WINDOWS\system32\wrhtcpip.dll -> Adware.Look2Me : Error during cleaning.
[676] C:\WINDOWS\system32\musap.dll -> Adware.Look2Me : Error during cleaning.
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Local Settings\Temporary Internet Files\Content.IE5\AB078F45\AppWrap[2].exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\bw2.com -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\WINDOWS\iconu.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP1452 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP1608 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP2052 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP2236 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP2424 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP2456 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP2776 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP3200 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP3640 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP392 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP3992 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP4008 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TFTP624 -> Backdoor.Rbot.bcj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w00c6bb0.dll -> Downloader.Small : Cleaned with backup (quarantined).
E:\Stevz Comp\Warez P2P Client\My Shared Folder\WarezP2P.exe -> Downloader.Small : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{E165F3D3-0A0A-4C14-89C5-9D156AD26903}\RP2\A0000025.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-117609710-484061587-682003330-1004\Dc4.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Local Settings\Temporary Internet Files\Content.IE5\SLEZK5AZ\popup[1].htm.pvaa.dkb -> Hijacker.Agent.a : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvaa.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvab.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvac.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvad.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[1].txt.pvae.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt.pvaa.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt.pvab.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt.pvac.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@cpvfeed[2].txt.pvad.dkb -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Gaming Dragon\Cookies\gaming dragon@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pdaa.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pdab.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pdac.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pdae.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvaf.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvag.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvah.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvai.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvaj.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pwad.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pdac.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pdag.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pmae.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvaa.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvab.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvah.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvai.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvaj.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pwaf.dkb -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

[Download Junkie]

Incident Status Location

Adware:adware/look2me Not disinfected c:\windows\system32\guard.tmp
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
Adware:adware/aureate-radiate Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@adopt.hbmediapro[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\installer[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\loader[1].exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Virus:W32/Gaobot.NSZ.worm Disinfected C:\WINDOWS\system32\TFTP1968
Virus:W32/Gaobot.NPB.worm Disinfected C:\WINDOWS\system32\TFTP3520
Virus:W32/Gaobot.NPB.worm Disinfected C:\WINDOWS\system32\TFTP3924
Spyware:Spyware/New.net Not disinfected E:\Stevz Comp\Warez P2P Client\WarezP2P.exe[NNWARZ3_88.exe]
Adware:Adware/Lop Not disinfected E:\Stevz Comp\Warez P2P Client\WarezP2P.exe[apwarz0.exe]
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvaa.dkb
Spyware:Cookie/Hbmediapro Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@adopt.hbmediapro[2].txt.pvaa.dkb
Spyware:Cookie/Apmebf Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@apmebf[2].txt.pvaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdac.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdad.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdaf.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pmab.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvag.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvah.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvai.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvaj.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvak.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pwae.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt.pvaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt.pvab.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[2].txt.pvaa.dkb

[Download Junkie]

Start Time= Mon 07/31/2006 22:26:26.35
Running from: C:\Reids

[Download Junkie]

Logfile of HijackThis v1.99.1
Scan saved at 10:34:24 PM, on 7/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\TURBOC~1\netdetect.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
C:\Documents and Settings\Black Dragon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\l86o0ij3e8o.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\h2n0lc5m1f.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\gp46l3hs1.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\o4lule391h.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\c6002gdmg60a2.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mv20l9fm1.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\l8n4li5q18.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irp6l57s1.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ried]

Are you trying to tell me combofix didn't run? Did you receive an error--help me out here--as much detail as possible please.

I also need to see the Panda results and a new HijackThis log please.

[Ried]

Nevermind, I just found the 3 other threads you began for the individual reports. and have merged them into this thread. Please do not begin new threads, simply add the logs via the 'Reply' button in this thread.

I'll need some time to go over these and prepare the next fix.

[Ried]

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************************************************************

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe[/size][/b]


Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When it re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.

-----------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\gp46l3hs1.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\o4lule391h.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\c6002gdmg60a2.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mv20l9fm1.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\l8n4li5q18.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irp6l57s1.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Delete the following Files and Folders

c:\windows\ teller2.chk
C:\WINDOWS\system32\ i
C:\WINDOWS\system32\ TFTP1968
C:\WINDOWS\system32\ TFTP3520
C:\WINDOWS\system32\ TFTP3924
E:\Stevz Comp\Warez P2P Client\ WarezP2P.exe[NNWARZ3_88.exe]

-----------------------------------
*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

-----------------------------------

Download fl.zip
Extract the contents of the fl.zip to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

Create an Uninstall List:
Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.



Please include the following in your next reply:

Look2Me-Destroyer.txt
Panda results
find lop.txt
uninstall_list.txt
New HijackThis log

Please tell me what happened when you ran combofix.exe. Did it reboot your PC? Did you receive any error messages? Provide as much detail as possible from the time you double-clicked combofix.exe--until the tool completed.

[Download Junkie]

Disclaimer of warranty on software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
ALL IMPLIED WARRANTIES ARE EXPRESSLY DISCLAIMED.

This tool is meant for private usage & should not be used in an
unsupervised enviroment. If any infections are found, it will automatically
reboot Windows to complete the removal process. Please ensure all opened
windows are closed before proceeding.


Do not close this window or it will leave you with a blank desktop.
If you have to exit, type 'N' below ...

Type Y to continue, or N to abort. _y

Performing a quick scan of your machine

it runs for about 10 seconds then disapears and leaves the file i sent you

[Ried]

Hi,

Please navigate to c:\sUBs and attach the contents of that folder.

[Download Junkie]

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/1/2006 9:48:03 PM

Infected! C:\WINDOWS\system32\lwk.dll
Infected! C:\WINDOWS\system32\fppm0371e.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\lwk.dll
C:\WINDOWS\system32\lwk.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fppm0371e.dll
C:\WINDOWS\system32\fppm0371e.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1701F66A-0917-40CC-B0F1-6BAE6F0816B8}"
HKCR\Clsid\{1701F66A-0917-40CC-B0F1-6BAE6F0816B8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9B32AAA4-9752-488C-815A-DD5CD5D6E3BE}"
HKCR\Clsid\{9B32AAA4-9752-488C-815A-DD5CD5D6E3BE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9FC6A610-5178-4D00-95CA-24E19C28DA48}"
HKCR\Clsid\{9FC6A610-5178-4D00-95CA-24E19C28DA48}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{516DFA9F-6EE1-441F-81CD-C7B9761DBE48}"
HKCR\Clsid\{516DFA9F-6EE1-441F-81CD-C7B9761DBE48}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DB2BF7BF-4FF5-41F6-8550-14DB57A9AAEE}"
HKCR\Clsid\{DB2BF7BF-4FF5-41F6-8550-14DB57A9AAEE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5859BDF7-07B5-4E61-B2EE-31F05B2D3727}"
HKCR\Clsid\{5859BDF7-07B5-4E61-B2EE-31F05B2D3727}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6542F43A-E5D3-4193-924A-68F0F8702835}"
HKCR\Clsid\{6542F43A-E5D3-4193-924A-68F0F8702835}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0038D3CE-6477-43C1-904C-2A34B3A2AE0E}"
HKCR\Clsid\{0038D3CE-6477-43C1-904C-2A34B3A2AE0E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8A3C0964-5593-4A7F-98AB-40622D6102E3}"
HKCR\Clsid\{8A3C0964-5593-4A7F-98AB-40622D6102E3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AE480548-B5E8-4542-A6ED-630F4153451D}"
HKCR\Clsid\{AE480548-B5E8-4542-A6ED-630F4153451D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{825B169E-F665-449B-B1F9-32095732A5E1}"
HKCR\Clsid\{825B169E-F665-449B-B1F9-32095732A5E1}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file



Incident Status Location

Adware:adware/look2me Not disinfected C:\Documents and Settings\Black Dragon\Desktop\Free Online Music.url
Adware:adware/aureate-radiate Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Black Dragon\Application Data\Mozilla\Firefox\Profiles\vu50n07d.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@adopt.hbmediapro[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@bravenet[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\installer[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SRKTC7C9\loader[1].exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\fppm0371e.dll
Spyware:Spyware/New.net Not disinfected E:\Recycled\De8.exe[NNWARZ3_88.exe]
Adware:Adware/Lop Not disinfected E:\Recycled\De8.exe[apwarz0.exe]
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvaa.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvab.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvac.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvad.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[1].txt.pvae.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pdab.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvac.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvad.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvae.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvaf.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pvag.dkb
Spyware:Cookie/YieldManager Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@ad.yieldmanager[2].txt.pwaa.dkb
Spyware:Cookie/Hbmediapro Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@adopt.hbmediapro[2].txt.pvaa.dkb
Spyware:Cookie/Apmebf Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@apmebf[2].txt.pvaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdac.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdad.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pdaf.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pmab.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvag.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvah.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvai.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvaj.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pvak.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@errorsafe[2].txt.pwae.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt.pvaa.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[1].txt.pvab.dkb
Spyware:Cookie/ErrorSafe Not disinfected F:\DataKeeper Backup Of C\Documents and Settings\Black Dragon\Cookies\black dragon@www.errorsafe[2].txt.pvaa.dkb

Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\All Users\Application Data

08/02/2006 08:00 AM <DIR> avg7
07/29/2006 01:49 PM <DIR> DVD Shrink
07/22/2006 02:49 PM <DIR> Grisoft
07/27/2006 07:00 PM <DIR> Kazaa Lite
07/23/2006 08:02 PM <DIR> Windows Genuine Advantage
0 File(s) 0 bytes
5 Dir(s) 154,063,802,368 bytes free
Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\Black Dragon\Application Data

07/24/2006 01:56 PM <DIR> AVG7
07/31/2006 09:08 AM <DIR> Help
07/21/2006 10:31 PM <DIR> Identities
07/22/2006 04:34 PM <DIR> Macromedia
07/26/2006 11:42 PM <DIR> Media Player Classic
07/24/2006 07:50 PM <DIR> Mozilla
07/23/2006 08:25 PM <DIR> NASA
0 File(s) 0 bytes
7 Dir(s) 154,063,798,272 bytes free
Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\Gaming Dragon\Application Data

07/22/2006 05:26 PM <DIR> AVG7
07/22/2006 10:49 AM <DIR> Help
07/21/2006 11:28 PM <DIR> Identities
07/24/2006 04:11 PM <DIR> Macromedia
07/29/2006 03:32 AM <DIR> Media Player Classic
07/24/2006 06:08 PM <DIR> Mozilla
0 File(s) 0 bytes
6 Dir(s) 154,063,798,272 bytes free
Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\Default User\Application Data

07/22/2006 10:13 AM <DIR> .
07/22/2006 10:13 AM <DIR> ..
07/22/2006 10:13 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 154,063,798,272 bytes free
Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is C4EB-E969

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'At2.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Reids\Look2Me-Destroyer.exe'
Parameters: '/task'
WorkingDirectory: ''
Comment: 'Created by NetScheduleJobAdd.'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 08/02/2006 21:45:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 1
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
[WARN ] Unrecognized bits = 200000
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 08/02/2006
EndDate: 00/00/0000
StartTime: 21:45
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0



Actiontec MDC AC'97 Modem v2122A
Ad-aware 6 Professional
Adobe Flash Player 9 ActiveX
AVD FileList 3.1 TRIAL
AVG Free Edition
Booter 3.2
ChameleonXP
DVD Shrink 3.1.5
ewido anti-spyware 4.0
HijackThis 1.99.1
Kazaa Lite Revolution 2.6 English
K-Lite Codec Pack 2.73 Full
Microsoft .NET Framework 1.1
Microsoft Office XP Professional
mIRC
NASA World Wind 1.3
Network Monitor
Panda ActiveScan
PowerQuest DataKeeper 5.0
PowerQuest PartitionMagic 8.0
Realtek AC'97 Audio
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
Security Update for Windows XP (KB904706)
SiS M650
StyleXP (remove only)
Team Fortress
Turbo Connect Demo Version
Update for Windows XP (KB894391)
VisualRoute
Warez P2P Client 2.85
Windows Installer 3.0 (KB884016)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB842773
ZoneAlarm Pro


Logfile of HijackThis v1.99.1
Scan saved at 10:05:22 PM, on 8/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Black Dragon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ried]

Did you run the Panda scan before you ran the Look2MeDestroyer?

Run another scan with HijackThis from Normal Mode and post it here please.

[Download Junkie]

look2me was done 1st then hjt ,cleanup, panda,fl, uninstall list,





Logfile of HijackThis v1.99.1
Scan saved at 3:08:23 PM, on 8/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\PROGRA~1\TURBOC~1\netdetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Black Dragon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8EE07F-10F5-4D88-8121-B488943FDC30}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ried]

Delete your current combofix.exe.

Please download it again from this location http://download.bleepingcomputer.com...a/combofix.exe


To ensure we are not prevented from seeing everything on your system, please go to Start>Run type msconfig press Enter and enable all startups by selecting Normal Startup - Load all Device Drivers and Services, click Apply.

---------------------------

Run another scan with HijackThis in Normal Mode and save the log.


Run combofix from Normal Mode.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please include the new Hijackthis log and the combofix log in your next reply.

[Download Junkie]

deleted combofix

I did the msconfig as you asked


The new Combofix did the same as the last one, with one exception it said it
found inactive look2me


this is the log it left

Start Time= 06-08-02 22:16:00.48
Running from: C:\Reids

I've also added the new subs zip. hope it helps




Logfile of HijackThis v1.99.1
Scan saved at 22:14, on 06-08-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\TURBOC~1\netdetect.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Black Dragon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmed_7.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] winrestores.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [VCS Host] vcshost.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153690380437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Ried]

Hello Download Junkie,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

O4 - HKLM\..\Run: [newname] C:\\nwnmed_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKCU\..\Run: [VCS Host] vcshost.exe

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Delete the following Files if they still exist.

C:\WINDOWS\ newname.dat
C:\WINDOWS\ keyboard1.dat
C:\WINDOWS\ uninstall_nmon.vbs
C:\\ nwnmed_7.exe
C:\\ kybrded_7.exe
C:\\ dfndred_7.exe
vcshost.exe <--Search via Start>Search>All files and folder and delete.Careful! Make sure it is the exact spelling.
C:\Documents and Settings\Black Dragon\Desktop\ Free Online Music.url

-----------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions" **Please ensure it is set to Quarantine
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

-----------------------------------

Run another online scan at Panda and save the results.

Please include the following in your next reply:

Ewido results
Panda results
New HijackThis log from Normal Mode

How is your system behaving?

[Download Junkie]

I thought you might be interested in the Runtime Errors that have started appearing. I dont know if it has anything to do with what we are trying to achieve or not.

when asked if I wish to debug I press yes the programme starts of ok but it seems to stall ,stop, so I just exit out and press no and no and so on

this is just a few of them


---------------------------
Error
---------------------------
A Runtime Error has occurred.
Do you wish to Debug?

Line: 98
Error: 'c' is null or not an object
---------------------------
Yes No
---------------------------


---------------------------
Error
---------------------------
A Runtime Error has occurred.
Do you wish to Debug?

Line: 7
Error: Access is denied.
---------------------------
Yes No
---------------------------

---------------------------
Error
---------------------------
A Runtime Error has occurred.
Do you wish to Debug?

Line: 46
Error: Object expected
---------------------------
Yes No
---------------------------