Popups freezing computer! Here's my DSS log

**DandyBella** · 07-01-2007, 11:00 AM

I went to a page yesterday to look up some song lyrics and popups just went crazy and started installing things on my computer. I have followed all instructions to this point. I have Windows XP. Here is my log of main.txt and my attachment of extra.txt. Thank you!

Deckard's System Scanner v20070611.50
Run by Annabella on 2007-07-01 at 10:50:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
102: 2007-07-01 17:50:12 UTC - RP859 - Deckard's System Scanner Restore Point
101: 2007-07-01 17:41:34 UTC - RP858 - Software Distribution Service 3.0
100: 2007-07-01 01:48:41 UTC - RP857 - System Checkpoint
99: 2007-06-30 01:42:00 UTC - RP856 - Removed MSN Messenger 6.2
98: 2007-06-30 01:40:58 UTC - RP855 - Removed Anonymizer Nyms

-- First Restore Point --
1: 2007-04-03 09:41:34 UTC - RP758 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Annabella.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:51:42 AM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Annabella\Local Settings\Temporary Internet Files\Content.IE5\6G3QF508\dss[1].exe
C:\PROGRA~1\HIJACK~1\Annabella.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\eykymmlc.dll
O2 - BHO: (no name) - {2A451956-51D4-4F94-A37A-D6773ECB5ADC} - C:\Program Files\ComPlus Applications\mezoh83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {7cdcf65c-88a6-4136-b4c8-45da53458987} - C:\WINDOWS\system32\ipsNUI.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\mljghgf.dll
O2 - BHO: (no name) - {DEADC01E-6456-4CF1-9D0C-89CE2DA14EB0} - C:\WINDOWS\system32\awtsp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [rykcbraA] C:\WINDOWS\rykcbraA.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\epworfmw.dll",forkonce
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: http://www.hide-ip-soft.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/da...image40803.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackjackballroom.com/...om/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ipsNUI - ipsNUI.dll (file missing)
O20 - Winlogon Notify: mljghgf - C:\WINDOWS\SYSTEM32\mljghgf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\jrqevqfm.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 core - c:\windows\system32\drivers\core.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
S3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 TnIDriver - c:\docume~1\annabe~1\locals~1\temp\tni45c.tmp (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 DomainService - c:\windows\system32\jrqevqfm.exe /service (file missing)
S2 Net Agent - c:\windows\dls0523pmw.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-07-01 02:00:00 354 --a------ C:\WINDOWS\Tasks\Anonymizer scan for spyware.job
2007-07-01 01:51:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2007-06-01 and 2007-07-01 -----------------------------

2007-07-01 10:42:00 0 d-------- C:\WINDOWS\LastGood
2007-07-01 10:37:46 0 d-------- C:\Program Files\ZonedOut
2007-07-01 10:27:38 0 d-------- C:\Program Files\SpywareBlaster
2007-07-01 06:46:50 128576 --a------ C:\WINDOWS\system32\epworfmw.dll
2007-07-01 06:43:50 122944 --a------ C:\WINDOWS\system32\jelqsvef.exe <Not Verified; ; DDC>
2007-06-30 16:59:51 49152 --a------ C:\WINDOWS\itpb_11.exe
2007-06-30 16:59:41 88367 --a------ C:\WINDOWS\itpb_3.exe
2007-06-30 06:54:24 66112 --a------ C:\WINDOWS\system32\eykymmlc.dll
2007-06-30 06:42:25 1886564 ---hs---- C:\WINDOWS\system32\pstwa.bak2
2007-06-29 18:42:16 6409 ---hs---- C:\WINDOWS\system32\pstwa.bak1
2007-06-29 18:42:08 266336 --a------ C:\WINDOWS\system32\awtsp.dll
2007-06-29 18:33:58 1667237 --a------ C:\WINDOWS\system32\version69ie7fix.dll <Not Verified; Mirar; BAR NoL NT 1:1 NoF VIP RSV RPT AFF>
2007-06-29 18:33:06 0 d-------- C:\Program Files\WinPop
2007-06-29 18:31:09 696320 --a------ C:\WINDOWS\cfg32a.exe <Not Verified; ; SCA Application>
2007-06-29 18:31:03 102400 --a------ C:\WINDOWS\cfg32r.dll <Not Verified; Configuration Manager; cfg32r>
2007-06-29 18:31:00 110592 --a------ C:\WINDOWS\cfg32o.dll <Not Verified; SearchClickAds; Scaggy>
2007-06-29 18:30:39 45056 --a------ C:\WINDOWS\cfg32s.dll <Not Verified; ; Search>
2007-06-29 18:30:18 1044480 --a------ C:\WINDOWS\cfg32.exe <Not Verified; ; SCA Application>
2007-06-29 18:30:05 34816 --a------ C:\WINDOWS\rau001978.exe
2007-06-29 18:30:02 931920 -r-hs---- C:\WINDOWS\rykcbraA.exe <Not Verified; System Service; System Monitor Service>
2007-06-29 18:30:00 20480 --a------ C:\WINDOWS\offun.exe <Not Verified; microsoft; Uninstaller>
2007-06-29 18:30:00 65536 --a------ C:\WINDOWS\dls0523pmw.exe
2007-06-29 18:29:51 72832 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-06-29 18:29:50 46592 --a------ C:\WINDOWS\rykcbra.exe
2007-06-29 18:29:49 40960 --a------ C:\WINDOWS\retadpu1000106.exe
2007-06-29 18:29:43 26171 --a------ C:\WINDOWS\system32\nnnkihf.dll
2007-06-29 18:29:42 20480 --a------ C:\WINDOWS\stub_mma2.exe <Not Verified; ; SCA>
2007-06-29 18:29:40 376832 --a------ C:\WINDOWS\system32\WinNB58.dll <Not Verified; ; MBar IES AFF>
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X9
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X5
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X4
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X3
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X2
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\X1
2007-06-29 18:29:39 0 d-------- C:\WINDOWS\system32\win
2007-06-29 18:29:27 40960 --a------ C:\WINDOWS\retadpu2000219.exe
2007-06-29 18:29:26 0 d-------- C:\WINDOWS\system32\o02PrEz
2007-06-29 18:29:22 31254 --a------ C:\WINDOWS\system32\mljghgf.dll
2007-06-12 04:12:50 99855 --a------ C:\WINDOWS\b122.exe

-- Find3M Report ---------------------------------------------------------------

2007-07-01 10:20:35 0 d-------- C:\Program Files\MSN Gaming Zone
2007-06-30 09:49:13 0 d-------- C:\Program Files\Windows Defender
2007-06-30 09:48:32 0 d-------- C:\Program Files\QuickTime
2007-06-30 09:43:20 0 d-------- C:\Program Files\DellSupport
2007-06-29 18:42:04 0 d-------- C:\Program Files\MSN Messenger
2007-06-29 18:41:31 0 d-------- C:\Program Files\Hide Real IP
2007-06-29 18:41:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 08:09:08 0 d-------- C:\Documents and Settings\Annabella\Application Data\FreeCap
2007-05-15 16:49:47 32 --a------ C:\WINDOWS\go

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1} C:\WINDOWS\system32\eykymmlc.dll
{2A451956-51D4-4F94-A37A-D6773ECB5ADC} C:\Program Files\ComPlus Applications\mezoh83122.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{656EC4B7-072B-4698-B504-2A414C1F0037} C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
{7cdcf65c-88a6-4136-b4c8-45da53458987} C:\WINDOWS\system32\ipsNUI.dll [x]
{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} C:\WINDOWS\system32\version69ie7fix.dll
{C68AE9C0-0909-4DDC-B661-C1AFB9F59898} C:\WINDOWS\cfg32o.dll
{DC192567-65F9-4AB6-ADB7-E13575F81726} C:\WINDOWS\system32\mljghgf.dll
{DEADC01E-6456-4CF1-9D0C-89CE2DA14EB0} C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BCMSMMSG"="BCMSMMSG.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"funk"="funk.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"runner1"="C:\\WINDOWS\\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"rykcbraA"="C:\\WINDOWS\\rykcbraA.exe"
"Configuration Manager"="C:\\WINDOWS\\cfg32.exe"
"{ZN}"="C:\\WINDOWS\\itpb_11.exe SKY003"
"icq.com"="rundll32.exe \"C:\\WINDOWS\\system32\\epworfmw.dll\",forkonce"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sonic RecordNow!"=""
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Anonymizer"="C:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe -nogui"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinPop"="C:\\Program Files\\WinPop\\winpop.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\MSN Gaming Zone\rterteprog.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsNUI
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghgf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- End of Deckard's System Scanner: finished at 2007-07-01 at 10:52:40 ---------

sUBs · 07-01-2007, 11:12 AM

LOL ...you were supposed to reply to the other thread

1. Download & save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

**DandyBella** · 07-01-2007, 11:56 AM

Here's the combofix log and the HJT log

"Annabella" - 2007-07-01 11:25:56 - ComboFix 07-07-02 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\epworfmw.dll
C:\WINDOWS\system32\eykymmlc.dll
C:\WINDOWS\system32\nnnkihf.dll
C:\WINDOWS\system32\sbxsrrdi.dll
C:\WINDOWS\SYSTEM32\pstwa.bak1
C:\WINDOWS\SYSTEM32\pstwa.bak2
C:\WINDOWS\SYSTEM32\pstwa.ini
C:\WINDOWS\SYSTEM32\wmfrowpe.ini
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\mljghgf.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ANNABE~1\Desktop.\internet explorer.lnk
C:\Program Files\ComPlus Applications\mezoh83122.dll
C:\Program Files\MSN Gaming Zone\rterteprog.html
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\itpb_11.exe
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\jelqsvef.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\Net Agent

((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))

2007-07-01 11:25 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 10:49 <DIR> d-------- C:\Deckard
2007-07-01 10:37 <DIR> d-------- C:\Program Files\ZonedOut
2007-07-01 10:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-29 18:33 1,667,237 --a------ C:\WINDOWS\SYSTEM32\version69ie7fix.dll
2007-06-29 18:30 931,920 -r-hs---- C:\WINDOWS\rykcbraA.exe
2007-06-29 18:29 46,592 --a------ C:\WINDOWS\rykcbra.exe
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X9
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X5
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X4
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X3
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X2
2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X1

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 18:33:03 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-30 16:49:13 -------- d-----w C:\Program Files\Windows Defender
2007-06-30 16:48:32 -------- d-----w C:\Program Files\QuickTime
2007-06-30 16:43:20 -------- d-----w C:\Program Files\DellSupport
2007-06-30 01:42:04 -------- d-----w C:\Program Files\MSN Messenger
2007-06-30 01:41:31 -------- d-----w C:\Program Files\Hide Real IP
2007-06-30 01:41:01 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 15:09:08 -------- d-----w C:\DOCUME~1\ANNABE~1\APPLIC~1\FreeCap
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2003-08-06 00:04 106548 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]
2005-02-02 19:33 49152 --a------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cdcf65c-88a6-4136-b4c8-45da53458987}]
C:\WINDOWS\system32\ipsNUI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]
2007-06-29 18:33 1667237 --a------ C:\WINDOWS\system32\version69ie7fix.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 11:55]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"funk"="funk.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-07 19:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"Anonymizer"="C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rterteprog.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 07:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsNUI]
ipsNUI.dll

Contents of the 'Scheduled Tasks' folder
2007-07-01 09:00:00 C:\WINDOWS\tasks\Anonymizer scan for spyware.job
2007-07-01 08:51:02 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 11:45:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-07-01 11:49:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 11:48

--- E O F ---

Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:54 AM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {7cdcf65c-88a6-4136-b4c8-45da53458987} - C:\WINDOWS\system32\ipsNUI.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: http://www.hide-ip-soft.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/da...image40803.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackjackballroom.com/...om/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ipsNUI - ipsNUI.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

sUBs · 07-01-2007, 12:00 PM

Pm me with the url of the site that infected you. I'll see if I can get some people to visit it

sUBs · 07-01-2007, 12:04 PM

Before fixing anything, open notepad and Copy/Paste the text in the box below into it:

Code:

@echo off
rem http://www.techsupportforum.com/security-center/hijackthis-log-help/164973-popups-freezing-computer-heres-my-dss-log.html#post962456
For %%g in (
C:\WINDOWS\SYSTEM32\version69ie7fix.dll
) do catchme -l nul -k %%g >nul
catchme -l nul -k %0 >nul
nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
nircmd wait 7000
del %0

Save this as Submit.bat Choose to "Save type as - All Files". It should look like this:

Double click on Submit.bat & allow it to generate a zipped file called Submit [Date Time].zip
Please submit this file to → http://www.bleepingcomputer.com/subm....php?channel=4

The file must be uploaded before proceeding to the next step.

-----------

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {7cdcf65c-88a6-4136-b4c8-45da53458987} - C:\WINDOWS\system32\ipsNUI.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [funk] funk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: http://www.hide-ip-soft.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: ipsNUI - ipsNUI.dll (file missing)

---------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\SYSTEM32\version69ie7fix.dll
C:\WINDOWS\rykcbraA.exe
C:\WINDOWS\rykcbra.exe
Folder::
C:\WINDOWS\SYSTEM32\X9
C:\WINDOWS\SYSTEM32\X5
C:\WINDOWS\SYSTEM32\X4
C:\WINDOWS\SYSTEM32\X3
C:\WINDOWS\SYSTEM32\X2
C:\WINDOWS\SYSTEM32\X1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cdcf65c-88a6-4136-b4c8-45da53458987}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"funk"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=-
"Anonymizer"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsNUI]

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

---------------

Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. We only require a report from it.
It does not provide an option to clean/disinfect.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Online scan

ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

**DandyBella** · 07-01-2007, 12:06 PM

I have no idea which one it was. I closed it when things started going all batty. I had been on 4 or 5 different lyrics sites so I guess I could check my history and give all of them to you . . . nope wait I forgot. I was probably using Mozilla Firefox and now I can't open it because of these problems. I can only use IE and it's also not letting me view yesterday's history either.

sUBs · 07-01-2007, 12:12 PM

That's okay Bella. Please proceed with the fix

**DandyBella** · 07-01-2007, 12:13 PM

I'm sorry. I'm totally confused. I opened Notepad, I copied your text, I pasted it and I saved as submit.bat and then I opened it and it just opened the notepad with the text. That's it. No zip file. Sorry, I'm really trying to pay attention here but that didn't work.

sUBs · 07-01-2007, 12:19 PM

Does it look like this -->

**DandyBella** · 07-01-2007, 12:27 PM

Yep. Sure does. I double click and it just opens Notepad with the text that I had pasted. Don't think I did anything wrong. I'm not sure why but everything on this machine isn't functioning properly so why should that? LOL!

sUBs · 07-01-2007, 12:29 PM

Right click on it & select`Open'

**DandyBella** · 07-01-2007, 02:08 PM

Okay, here's what happened. I put my file on the bleepingcomputer.com site, I deleted my entries in the Hijackthis log . . . I have no icon of combofix to drag a file into but I did save the ComboFix-Do.txt file. I am completely unable to proceed with the Kaspersky thing. I have tried several times and once I install the active x control it takes me to a page that is not fully viewable and that I am unable to maximize and I just get stuck repeatedly. What should I do? Here is my Hijackthis log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 14:01, on 2007-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/da...image40803.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackjackballroom.com/...om/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

sUBs · 07-01-2007, 02:12 PM

Do the steps one at a time. They must be in sequence.

Quote:

I have no icon of combofix to drag a file into but I did save the ComboFix-Do.txt file.

What happened to the copy of ComboFix you downloaded earlier?

**DandyBella** · 07-01-2007, 02:55 PM

It just asked me to run the file and I said yes. There was never an option to save it to disk or to my desktop. It just ran itself, rebooted my system, and then came up with a log. That was it. There's nothing on my desktop. I did a search for it and saved the only .exe file I found to my desktop but dragging one file into the other didn't work. I'm sorry. I don't know what to do.

sUBs · 07-01-2007, 02:57 PM

LOL ...please download it again.

http://download.bleepingcomputer.com...a/ComboFix.exe

This time round, make sure to save it to Desktop

**DandyBella** · 07-01-2007, 05:34 PM

Okay, here's my log of that. I still can't do the Kaspersky thing though. Sorry. Really trying. I appreciate you beyond what you realize. LOL!

**DandyBella** · 07-01-2007, 05:35 PM

I am an idiot.

"Annabella" - 2007-07-01 17:25:00 - ComboFix 07-07-02.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\Annabella\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\rykcbra.exe
C:\WINDOWS\rykcbraA.exe
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\SYSTEM32\X1
C:\WINDOWS\SYSTEM32\X1\bk53.exe
C:\WINDOWS\SYSTEM32\X2
C:\WINDOWS\SYSTEM32\X2\mwspasrt83122.exe
C:\WINDOWS\SYSTEM32\X3
C:\WINDOWS\SYSTEM32\X3\626wr.exe
C:\WINDOWS\SYSTEM32\X4
C:\WINDOWS\SYSTEM32\X4\wen2.exe
C:\WINDOWS\SYSTEM32\X5
C:\WINDOWS\SYSTEM32\X9

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

2007-07-01 11:25 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 10:49 <DIR> d-------- C:\Deckard
2007-07-01 10:37 <DIR> d-------- C:\Program Files\ZonedOut
2007-07-01 10:27 <DIR> d-------- C:\Program Files\SpywareBlaster

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 18:33:03 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-30 16:49:13 -------- d-----w C:\Program Files\Windows Defender
2007-06-30 16:48:32 -------- d-----w C:\Program Files\QuickTime
2007-06-30 16:43:20 -------- d-----w C:\Program Files\DellSupport
2007-06-30 01:42:04 -------- d-----w C:\Program Files\MSN Messenger
2007-06-30 01:41:31 -------- d-----w C:\Program Files\Hide Real IP
2007-06-30 01:41:01 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 15:09:08 -------- d-----w C:\DOCUME~1\ANNABE~1\APPLIC~1\FreeCap
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2003-08-06 00:04 106548 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]
2005-02-02 19:33 49152 --a------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 11:55]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-07 19:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 07:38]

Contents of the 'Scheduled Tasks' folder
2007-07-01 09:00:00 C:\WINDOWS\tasks\Anonymizer scan for spyware.job
2007-07-01 08:51:02 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 17:27:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 17:29:18
C:\ComboFix-quarantined-files.txt ... 2007-07-01 17:28
C:\ComboFix2.txt ... 2007-07-01 11:49

--- E O F ---

sUBs · 07-01-2007, 05:45 PM

Log looks good. For Kaspersky, did you try this ....

Quote:

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

**DandyBella** · 07-02-2007, 07:24 AM

Okay, I was able to run Kaspersky. Here is the file.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 02, 2007 7:22:25 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/07/2007
Kaspersky Anti-Virus database records: 356361
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 85450
Number of viruses found: 42
Number of infected objects: 164 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:07:50

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.CashBack.c skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0009/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0009/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0009 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0010/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0010/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\package8031_ICMEDIAX.exe NSIS: infected - 20 skipped
C:\Documents and Settings\Annabella\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Annabella\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Annabella\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Annabella\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Annabella\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-41819583-3053f31b.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Annabella\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-65499117-689e6bba.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Annabella\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Temp\Perflib_Perfdata_7c0.dat Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Temp\~DF17ED.tmp Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Temp\~DF3E05.tmp Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Annabella\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annabella\ntuser.dat Object is locked skipped
C:\Documents and Settings\Annabella\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Annabella.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Annabella.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Annabella.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir Infected: Trojan.Win32.Small.oa skipped
C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\cfg32.exe.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\cfg32a.exe.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\cfg32o.dll.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\cfg32s.dll.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\QooBox\Quarantine\C\WINDOWS\itpb_11.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINDOWS\retadpu2000219.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINDOWS\rykcbra.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\WINDOWS\rykcbraA.exe.vir Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\QooBox\Quarantine\C\WINDOWS\stub_mma2.exe.vir Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jelqsvef.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mljghgf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nnnkihf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\X1\bk53.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\X3\626wr.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\X4\wen2.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\catchme2007-07-01_114545.25.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-07-01_114545.25.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096046.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096047.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096048.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096049.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096050.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096052.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096053.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096054.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096055.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096056.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096057.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096058.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096059.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096060.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096061.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096063.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096065.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096067.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096068.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096069.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096072.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096073.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096074.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096075.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096076.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096077.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096078.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096079.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP847\A0096080.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP848\snapshot\MFEX-1.DAT Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\snapshot\MFEX-1.DAT Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP850\snapshot\MFEX-1.DAT Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP851\A0096872.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP851\snapshot\MFEX-1.DAT Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096962.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096963.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096964.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096965.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096975.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096976.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096977.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096979.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096980.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096981.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096982.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096984.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096985.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096986.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096987.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096988.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096989.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096990.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096991.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096992.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096993.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096994.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096995.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096996.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096998.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0096999.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097001.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097003.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097004.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097005.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097006.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097007.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097008.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097009.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097011.dll Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097014.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097015.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097016.exe Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097037.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097038.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097039.dll Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097175.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097175.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097181.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0097182.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP856\A0098020.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099062.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099063.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099064.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099065.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099066.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099068.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099069.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099070.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099073.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099073.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099073.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099073.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099074.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099075.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099076.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099077.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099078.exe/data0002 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099078.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099081.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0099090.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0100093.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0100094.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0100096.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0100098.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\A0100099.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP859\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\Cache\b2s-162813-fran.exe/data0003 Infected: not-a-virus:AdWare.Win32.Ilookup.b skipped
C:\WINDOWS\SYSTEM32\Cache\b2s-162813-fran.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\Cache\BlazeVCM.exe/data0002 Infected: Trojan-Downloader.Win32.Envolo.b skipped
C:\WINDOWS\SYSTEM32\Cache\BlazeVCM.exe/data0004 Infected: Trojan-Downloader.Win32.Envolo.c skipped
C:\WINDOWS\SYSTEM32\Cache\BlazeVCM.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

sUBs · 07-02-2007, 07:44 AM

Open notepad and copy/paste the text in the quotebox below into it:

Code:

if exist "%temp%\log.txt" del "%temp%\log.txt"
For %%g in  (
"C:\Documents and Settings\Annabella\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-41819583-3053f31b.class"
"C:\Documents and Settings\Annabella\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-65499117-689e6bba.class"
"C:\Program Files\MSN Messenger\msimg32.dll"
"C:\Program Files\MSN Messenger\riched20.dll"
) do (
del /a/f %%g 2>nul
if exist %%g echo.%%g>>"%temp%\log.txt"
)
For %%g in (
C:\WINDOWS\SYSTEM32\Cache
C:\Deckard
C:\QooBox
) do (
rd /s/q %%g 2>nul
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" (start notepad.exe "%temp%\log.txt"
) else echo.deletions successful
nircmd wait 5000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

07-01-2007, 11:12 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log LOL ...you were supposed to reply to the other thread 1. Download & save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________

07-01-2007, 11:56 AM	#3 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log Here's the combofix log and the HJT log "Annabella" - 2007-07-01 11:25:56 - ComboFix 07-07-02 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\epworfmw.dll C:\WINDOWS\system32\eykymmlc.dll C:\WINDOWS\system32\nnnkihf.dll C:\WINDOWS\system32\sbxsrrdi.dll C:\WINDOWS\SYSTEM32\pstwa.bak1 C:\WINDOWS\SYSTEM32\pstwa.bak2 C:\WINDOWS\SYSTEM32\pstwa.ini C:\WINDOWS\SYSTEM32\wmfrowpe.ini C:\WINDOWS\system32\awtsp.dll C:\WINDOWS\system32\mljghgf.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\ANNABE~1\Desktop.\internet explorer.lnk C:\Program Files\ComPlus Applications\mezoh83122.dll C:\Program Files\MSN Gaming Zone\rterteprog.html C:\Program Files\winpop C:\Program Files\winpop\UnInstall.exe C:\Program Files\winpop\winpop.exe C:\temp\tn3 C:\WINDOWS\b122.exe C:\WINDOWS\cfg32.exe C:\WINDOWS\cfg32a.exe C:\WINDOWS\cfg32o.dll C:\WINDOWS\cfg32r.dll C:\WINDOWS\cfg32s.dll C:\WINDOWS\cs_cache.ini C:\WINDOWS\dls0523pmw.exe C:\WINDOWS\itpb_11.exe C:\WINDOWS\itpb_3.exe C:\WINDOWS\offun.exe C:\WINDOWS\rau001978.exe C:\WINDOWS\retadpu1000106.exe C:\WINDOWS\retadpu2000219.exe C:\WINDOWS\stub_mma2.exe C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\core.sys C:\WINDOWS\system32\jelqsvef.exe C:\WINDOWS\system32\o02PrEz C:\WINDOWS\system32\win C:\WINDOWS\system32\winnb58.dll C:\WINDOWS\wr.txt ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_CORE -------\LEGACY_DOMAINSERVICE -------\LEGACY_NET_AGENT -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS -------\core -------\DomainService -------\Net Agent ((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 ))))))))))))))))))))))))))))))) 2007-07-01 11:25 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 10:49 <DIR> d-------- C:\Deckard 2007-07-01 10:37 <DIR> d-------- C:\Program Files\ZonedOut 2007-07-01 10:27 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-06-29 18:33 1,667,237 --a------ C:\WINDOWS\SYSTEM32\version69ie7fix.dll 2007-06-29 18:30 931,920 -r-hs---- C:\WINDOWS\rykcbraA.exe 2007-06-29 18:29 46,592 --a------ C:\WINDOWS\rykcbra.exe 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X9 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X5 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X4 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X3 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X2 2007-06-29 18:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\X1 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-01 18:33:03 -------- d-----w C:\Program Files\MSN Gaming Zone 2007-06-30 16:49:13 -------- d-----w C:\Program Files\Windows Defender 2007-06-30 16:48:32 -------- d-----w C:\Program Files\QuickTime 2007-06-30 16:43:20 -------- d-----w C:\Program Files\DellSupport 2007-06-30 01:42:04 -------- d-----w C:\Program Files\MSN Messenger 2007-06-30 01:41:31 -------- d-----w C:\Program Files\Hide Real IP 2007-06-30 01:41:01 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-16 15:09:08 -------- d-----w C:\DOCUME~1\ANNABE~1\APPLIC~1\FreeCap 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}] 2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}] 2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}] 2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}] 2003-08-06 00:04 106548 --a------ C:\WINDOWS\system32\dla\tfswshx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}] 2005-02-02 19:33 49152 --a------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cdcf65c-88a6-4136-b4c8-45da53458987}] C:\WINDOWS\system32\ipsNUI.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] 2007-06-29 18:33 1667237 --a------ C:\WINDOWS\system32\version69ie7fix.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 11:55] "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42] "funk"="funk.exe" [] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-07 19:56] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sonic RecordNow!"="" [] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49] "Anonymizer"="C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispAppearancePage"=0 (0x0) "NoColorChoice"=0 (0x0) "NoSizeChoice"=0 (0x0) "NoDispBackgroundPage"=0 (0x0) "NoDispScrSavPage"=0 (0x0) "NoDispCPL"=0 (0x0) "NoVisualStyleChoice"=0 (0x0) "NoDispSettingsPage"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSaveSettings"=0 (0x0) "NoThemesTab"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\MSN Gaming Zone\rterteprog.html FriendlyName= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 07:38] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsNUI] ipsNUI.dll Contents of the 'Scheduled Tasks' folder 2007-07-01 09:00:00 C:\WINDOWS\tasks\Anonymizer scan for spyware.job 2007-07-01 08:51:02 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-01 11:45:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\TEMP scan completed successfully hidden files: 1 ************************************************************************ Completion time: 2007-07-01 11:49:15 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-01 11:48 --- E O F --- Here's the hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 11:52:54 AM, on 7/1/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll O2 - BHO: (no name) - {7cdcf65c-88a6-4136-b4c8-45da53458987} - C:\WINDOWS\system32\ipsNUI.dll (file missing) O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [funk] funk.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: .amaena.com O15 - Trusted Zone: .drivecleaner.com O15 - Trusted Zone: .errorprotector.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: http://www.hide-ip-soft.com O15 - Trusted Zone: .imageservr.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantispyware.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .amaena.com (HKLM) O15 - Trusted Zone: .drivecleaner.com (HKLM) O15 - Trusted Zone: .errorprotector.com (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: .imageservr.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantispyware.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/da...image40803.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackjackballroom.com/...om/FlashAX.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: ipsNUI - ipsNUI.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

07-01-2007, 12:00 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log Pm me with the url of the site that infected you. I'll see if I can get some people to visit it __________________

07-01-2007, 12:04 PM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log Before fixing anything, open notepad and Copy/Paste the text in the box below into it: Code: @echo off rem http://www.techsupportforum.com/security-center/hijackthis-log-help/164973-popups-freezing-computer-heres-my-dss-log.html#post962456 For %%g in ( C:\WINDOWS\SYSTEM32\version69ie7fix.dll ) do catchme -l nul -k %%g >nul catchme -l nul -k %0 >nul nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip" echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip nircmd wait 7000 del %0 Save this as Submit.bat Choose to "Save type as - All Files". It should look like this: Double click on Submit.bat & allow it to generate a zipped file called Submit [Date Time].zip Please submit this file to → http://www.bleepingcomputer.com/subm....php?channel=4 The file must be uploaded before proceeding to the next step. ----------- Do a HijackThis scan & place a check next to these items and select "Fix checked": O2 - BHO: (no name) - {7cdcf65c-88a6-4136-b4c8-45da53458987} - C:\WINDOWS\system32\ipsNUI.dll (file missing) O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file) O4 - HKLM\..\Run: [funk] funk.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZN O15 - Trusted Zone: .amaena.com O15 - Trusted Zone: .drivecleaner.com O15 - Trusted Zone: .errorprotector.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: http://www.hide-ip-soft.com O15 - Trusted Zone: .imageservr.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantispyware.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .amaena.com (HKLM) O15 - Trusted Zone: .drivecleaner.com (HKLM) O15 - Trusted Zone: .errorprotector.com (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: .imageservr.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantispyware.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O20 - Winlogon Notify: ipsNUI - ipsNUI.dll (file missing) --------------- Open notepad and copy/paste the text in the quotebox below into it: Code: File:: C:\WINDOWS\SYSTEM32\version69ie7fix.dll C:\WINDOWS\rykcbraA.exe C:\WINDOWS\rykcbra.exe Folder:: C:\WINDOWS\SYSTEM32\X9 C:\WINDOWS\SYSTEM32\X5 C:\WINDOWS\SYSTEM32\X4 C:\WINDOWS\SYSTEM32\X3 C:\WINDOWS\SYSTEM32\X2 C:\WINDOWS\SYSTEM32\X1 Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7cdcf65c-88a6-4136-b4c8-45da53458987}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "funk"=- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sonic RecordNow!"=- "Anonymizer"=- [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsNUI] Save this as ComboFix-Do.txt Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe Then post the resultant log --------------- Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. We only require a report from it. It does not provide an option to clean/disinfect. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------- In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Online scan ComboFix's log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________

07-01-2007, 12:06 PM	#6 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log I have no idea which one it was. I closed it when things started going all batty. I had been on 4 or 5 different lyrics sites so I guess I could check my history and give all of them to you . . . nope wait I forgot. I was probably using Mozilla Firefox and now I can't open it because of these problems. I can only use IE and it's also not letting me view yesterday's history either.

07-01-2007, 12:12 PM	#7 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log That's okay Bella. Please proceed with the fix __________________

07-01-2007, 12:13 PM	#8 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log I'm sorry. I'm totally confused. I opened Notepad, I copied your text, I pasted it and I saved as submit.bat and then I opened it and it just opened the notepad with the text. That's it. No zip file. Sorry, I'm really trying to pay attention here but that didn't work.

07-01-2007, 12:19 PM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log Does it look like this --> __________________

07-01-2007, 12:27 PM	#10 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log Yep. Sure does. I double click and it just opens Notepad with the text that I had pasted. Don't think I did anything wrong. I'm not sure why but everything on this machine isn't functioning properly so why should that? LOL!

07-01-2007, 12:29 PM	#11 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log Right click on it & select`Open' __________________

07-01-2007, 02:08 PM	#12 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log Okay, here's what happened. I put my file on the bleepingcomputer.com site, I deleted my entries in the Hijackthis log . . . I have no icon of combofix to drag a file into but I did save the ComboFix-Do.txt file. I am completely unable to proceed with the Kaspersky thing. I have tried several times and once I install the active x control it takes me to a page that is not fully viewable and that I am unable to maximize and I just get stuck repeatedly. What should I do? Here is my Hijackthis log. Thanks! Logfile of HijackThis v1.99.1 Scan saved at 14:01, on 2007-07-01 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodat...datePortal.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/da...image40803.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackjackballroom.com/...om/FlashAX.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\guard.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

07-01-2007, 02:55 PM	#14 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log It just asked me to run the file and I said yes. There was never an option to save it to disk or to my desktop. It just ran itself, rebooted my system, and then came up with a log. That was it. There's nothing on my desktop. I did a search for it and saved the only .exe file I found to my desktop but dragging one file into the other didn't work. I'm sorry. I don't know what to do.

07-01-2007, 02:57 PM	#15 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Re: Popups freezing computer! Here's my DSS log LOL ...please download it again. http://download.bleepingcomputer.com...a/ComboFix.exe This time round, make sure to save it to Desktop __________________

07-01-2007, 05:34 PM	#16 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log Okay, here's my log of that. I still can't do the Kaspersky thing though. Sorry. Really trying. I appreciate you beyond what you realize. LOL!

07-01-2007, 05:35 PM	#17 (permalink)
DandyBella I helped the forums. Join Date: Feb 2005 Location: So Cal Posts: 49 OS: Windows XP	Re: Popups freezing computer! Here's my DSS log I am an idiot. "Annabella" - 2007-07-01 17:25:00 - ComboFix 07-07-02.3 - Service Pack 2 Command switches used :: C:\Documents and Settings\Annabella\Desktop\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\rykcbra.exe C:\WINDOWS\rykcbraA.exe C:\WINDOWS\system32\version69ie7fix.dll C:\WINDOWS\SYSTEM32\X1 C:\WINDOWS\SYSTEM32\X1\bk53.exe C:\WINDOWS\SYSTEM32\X2 C:\WINDOWS\SYSTEM32\X2\mwspasrt83122.exe C:\WINDOWS\SYSTEM32\X3 C:\WINDOWS\SYSTEM32\X3\626wr.exe C:\WINDOWS\SYSTEM32\X4 C:\WINDOWS\SYSTEM32\X4\wen2.exe C:\WINDOWS\SYSTEM32\X5 C:\WINDOWS\SYSTEM32\X9 ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 ))))))))))))))))))))))))))))))) 2007-07-01 11:25 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 10:49 <DIR> d-------- C:\Deckard 2007-07-01 10:37 <DIR> d-------- C:\Program Files\ZonedOut 2007-07-01 10:27 <DIR> d-------- C:\Program Files\SpywareBlaster (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-01 18:33:03 -------- d-----w C:\Program Files\MSN Gaming Zone 2007-06-30 16:49:13 -------- d-----w C:\Program Files\Windows Defender 2007-06-30 16:48:32 -------- d-----w C:\Program Files\QuickTime 2007-06-30 16:43:20 -------- d-----w C:\Program Files\DellSupport 2007-06-30 01:42:04 -------- d-----w C:\Program Files\MSN Messenger 2007-06-30 01:41:31 -------- d-----w C:\Program Files\Hide Real IP 2007-06-30 01:41:01 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-16 15:09:08 -------- d-----w C:\DOCUME~1\ANNABE~1\APPLIC~1\FreeCap 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}] 2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}] 2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}] 2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}] 2003-08-06 00:04 106548 --a------ C:\WINDOWS\system32\dla\tfswshx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}] 2005-02-02 19:33 49152 --a------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-23 11:55] "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-07 19:56] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispAppearancePage"=0 (0x0) "NoColorChoice"=0 (0x0) "NoSizeChoice"=0 (0x0) "NoDispBackgroundPage"=0 (0x0) "NoDispScrSavPage"=0 (0x0) "NoDispCPL"=0 (0x0) "NoVisualStyleChoice"=0 (0x0) "NoDispSettingsPage"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSaveSettings"=0 (0x0) "NoThemesTab"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Annabella\Desktop\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 07:38] Contents of the 'Scheduled Tasks' folder 2007-07-01 09:00:00 C:\WINDOWS\tasks\Anonymizer scan for spyware.job 2007-07-01 08:51:02 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-01 17:27:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-01 17:29:18 C:\ComboFix-quarantined-files.txt ... 2007-07-01 17:28 C:\ComboFix2.txt ... 2007-07-01 11:49 --- E O F ---