Look2me,Aurora, CWS, Surfsidekick keep coming back after reboot

[drjoes]

After performing all the recommended tasks in the "before you post a log" post, I can't seem to get rid of these pop-ups. They just keep coming back after a reboot. Here is my HijackThis log. Thanks for any help you can provide.

Logfile of HijackThis v1.99.1
Scan saved at 8:50:47 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\ms031726979168.exe
C:\WINDOWS\system32\ZQInContextactx1.exe
C:\WINDOWS\sys028172697916.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
C:\WINDOWS\sys016817269791.exe
C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\prismiq_xcode.exe
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\JRE\1.4.1\bin\javaw.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...42&Channel=OEM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsp10.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [ms031726979168] C:\WINDOWS\ms031726979168.exe
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\system32\ZQInContextactx1.exe
O4 - HKLM\..\Run: [sys028172697916] C:\WINDOWS\sys028172697916.exe
O4 - HKLM\..\Run: [sys016817269791] C:\WINDOWS\sys016817269791.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\49.tmp
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [uimi] C:\PROGRA~1\COMMON~1\uimi\uimim.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [actx1.exe] C:\WINDOWS\system32\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\system32\ZQInContextactx1.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PRISMIQ MediaManager Launcher.lnk = C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
O4 - Global Startup: SMS3 Internet Radio Application.lnk = C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\r08slal71dq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\ohbqclfc.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\lblhipgg.dll (file missing)
O21 - SSODL: GEDDBE0D - {41DC00BD-4D7E-26C2-0952-4FBB46A30638} - C:\WINDOWS\system32\Ceikfgio.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[tetonbob]

That's quite a mess you have there.... We'll begin by attacking L2M.

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Do not run it at this time.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Launch & use the diagnostic version of SpySweeper & configure it as followed:

• Click on the Start button
• After it has finished scanning, click the Next button
• Allow Spysweeper to reboot your machine to remove the infected files.

# Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply.

## IMPORTANT - do not use your computer as you scan.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Please return with results from:

SpySweeper
L2Mfix Option 2
HJT

[drjoes]

for the l2mfix notepad log to pop up.
I got some errors before it started about backup files.

How long should I wait for it?

thanks

[drjoes]

Latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:36:53 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\elts4.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\SYS98.exe
C:\WINDOWS\win32079791681726.exe
C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\prismiq_xcode.exe
C:\Program Files\PRISMIQ\MediaManager\JRE\1.4.1\bin\javaw.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...42&Channel=OEM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsq3.dll
O2 - BHO: (no name) - {DC63EA14-AAC5-A4FD-18E3-E3F47159AF79} - C:\WINDOWS\bnnyebll.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [win32079791681726] C:\WINDOWS\win32079791681726.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [uimi] C:\PROGRA~1\COMMON~1\uimi\uimim.exe
O4 - HKCU\..\Run: [actx1.exe] C:\WINDOWS\system32\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PRISMIQ MediaManager Launcher.lnk = C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
O4 - Global Startup: SMS3 Internet Radio Application.lnk = C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O20 - AppInit_DLLs: repairs302972973.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: GEDDBE0D - {41DC00BD-4D7E-26C2-0952-4FBB46A30638} - C:\WINDOWS\system32\Ceikfgio.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Latest Spysweeper log, although this is useless, since it did not appear to save the log for the session I ran while in safe mode.

********
6:03 PM: | Start of Session, Friday, November 18, 2005 |
6:03 PM: Spy Sweeper started
6:03 PM: Sweep initiated using definitions version 574
6:03 PM: Starting Memory Sweep
6:03 PM: Found Adware: ezula ilookup
6:03 PM: Detected running threat: C:\WINDOWS\system32\nsv3.dll (ID = 180772)
6:03 PM: Sweep Canceled
6:03 PM: Memory Sweep Complete, Elapsed Time: 00:00:26
6:03 PM: Traces Found: 1
6:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: Spy Installation Shield: found: Adware: enbrowser, version 1.0.0.0 -- Execution Denied
8:05 PM: Spy Installation Shield: found: Adware: enbrowser, version 1.0.0.0 -- Execution Denied
8:06 PM: Processing Startup Alerts
8:06 PM: Removed Startup entry: SurfSideKick 3
8:06 PM: Removed Startup entry: MSMSGS
********
6:00 PM: | Start of Session, Friday, November 18, 2005 |
6:00 PM: Spy Sweeper started
6:02 PM: BHO Shield: found: bxxs5.dll-- BHO installation denied at user request
6:02 PM: Your spyware definitions have been updated.
6:03 PM: | End of Session, Friday, November 18, 2005 |

[tetonbob]

It appears as though L2MFix did run....please look for the resulting log, log.txt, in either the folder where you placed L2MFix, or in the root of your drive.

If you cannot find this log, please run Option2 again. It can take some time to run. Do nothing else while this is running.

I will have a fix for the remainder when you return.

[drjoes]

thanks...i'll be back

[drjoes]

Still no log...it doesn't even seem like it is running.
Spysweeper comes up and runs when it reboots, but the desktop icons never dissappear.

[tetonbob]

Hmmmm....I don't want SpySweeper to run on boot....see if you can disable it.


To disable Webroot SpySweeper:

• Go to the Options>Program Options
• Uncheck Load at Windows Startup
• Click Shields & uncheck all items there
• Uncheck Home page shield.
• Automaticly restore default without notification

Then see if Option 2 will run.

[drjoes]

When I run option #2, the reboot gets stuck at the Welcome screen.

I don't know if waiting that long is a waste of time.

If I hard power the computer off, and turn it back on, it starts up fine, other than the pop ups and general slowness.

[tetonbob]

OK, drjoes...let's press on for now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download ssk-xp.zip. You will use this later.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.


Double click on ssk-xp.zip & Run ssk-xp.bat & follow the prompts


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsq3.dll
O2 - BHO: (no name) - {DC63EA14-AAC5-A4FD-18E3-E3F47159AF79} - C:\WINDOWS\bnnyebll.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [win32079791681726] C:\WINDOWS\win32079791681726.exe
O4 - HKCU\..\Run: [uimi] C:\PROGRA~1\COMMON~1\uimi\uimim.exe
O4 - HKCU\..\Run: [actx1.exe] C:\WINDOWS\system32\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: repairs302972973.dll
O21 - SSODL: GEDDBE0D - {41DC00BD-4D7E-26C2-0952-4FBB46A30638} - C:\WINDOWS\system32\Ceikfgio.dll (file missing)


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

Launch KillBox.exe & select the following options:

• delete on Reboot

Select all the filenames below & then right-click & select Copy

• C:\WINDOWS\system32\nsq3.dll
  C:\WINDOWS\bnnyebll.dll
  C:\WINDOWS\bxxs5.dll
  C:\WINDOWS\win32079791681726.exe
  C:\WINDOWS\system32\actx1.exe
  C:\WINDOWS\system32\zqactx1.exe
  C:\WINDOWS\system32\mc-110-12-0000122.exe
  C:\WINDOWS\system32\fran-super.exe
  C:\WINDOWS\system32\ventbb.exe
  C:\WINDOWS\system32\Setup75.exe
  C:\WINDOWS\system32\elts4.exe
  C:\WINDOWS\system32\SSK35.exe
  C:\WINDOWS\system32\Ceikfgio.dll

* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

Delete these folders if they still exist:

C:\Program Files\SurfSideKick 3<<<folder
C:\PROGRA~1\COMMON~1\uimi<<<folder

Restart and run a new HijackThis scan. Save the log file and post it here.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:

C:\WINDOWS\system32\VB1.exe
C:\WINDOWS\SYS98.exe

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please return with logs from:

Ewido
Panda
HJT

[drjoes]

"Double click on ssk-xp.zip & Run ssk-xp.bat & follow the prompts "

I don't get any prompts. The window flashes up briefly and dissappears.

[tetonbob]

If you've downloaded the zip file, and run the batch file within....it's ok if there were no prompts.....my bad on the instructions. Continue with the rest of the fix, please, otherwise, post back and let me know what's up.

[drjoes]

here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:54 AM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\SYS98.exe
C:\WINDOWS\sys101681726979.exe
C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...42&Channel=OEM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsv4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
O4 - HKLM\..\Run: [sys101681726979] C:\WINDOWS\sys101681726979.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [uimi] C:\PROGRA~1\COMMON~1\uimi\uimim.exe
O4 - HKCU\..\Run: [actx1.exe] C:\WINDOWS\system32\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMS3 Internet Radio Application.lnk = C:\Program Files\Russound\MIME Handler\ICMediaFwd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: repairs302972973.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



And my latest Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:56:49 AM, 11/19/2005
+ Report-Checksum: A7DD0008

+ Scan result:

HKLM\SOFTWARE\Bookedspace -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Bookedspace\adware -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL\\AppID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID\\ -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5\CLSID\\ -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E}\TypeLib\\ -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
C:\backup.zip/tcaffic.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Iypyyfua.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\protect.exe -> Trojan.Agent.lv : Cleaned with backup


::Report End

Panda Scan is running but it looks like it is going to take forever, and I can't stay up.

I'll have to post that in the morning.


Thanks again for your help

[drjoes]

Panda Activescan

Incident Status Location

Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Adware:adware/azesearch No disinfected C:\WINDOWS\SYSTEM32\azebar.xml
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\SYSTEM32\bk.exe
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:spyware/media-motor No disinfected C:\WINDOWS\mm63.ocx
Adware:adware/cws No disinfected C:\Documents and Settings\Owner\Favorites\Shop
Adware:adware/webext No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-1168fb8a.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-1168fb8a.zip[NewURLClassLoader.class]
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G8IAT3MN\mm63[1].ocx
Possible Virus. No disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\mm63.ocx
Possible Virus. No disinfected C:\WINDOWS\system32\bk.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak

[tetonbob]

I would still require the results from the jotti scan of these two files, please:

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:

C:\WINDOWS\system32\VB1.exe
C:\WINDOWS\SYS98.exe

[drjoes]

VB1.exe wasnt there.

SYS98 says this:

Service
Service load: 0% 100%

File: SYS98.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 6ff4790931e02011dadc0b2f4363de36
Packers detected: -
Scanner results
AntiVir Found Trojan/VB.TG.4
ArcaVir Found Trojan.Vb.Tg
Avast Found nothing
AVG Antivirus Found Generic.DPP
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/VB.TG-tr
Kaspersky Anti-Virus Found Trojan.Win32.VB.tg
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.Win32.VB.tg

[tetonbob]

We need to begin again....many of those entries should have easily been removed by SpySweeper in safe mode. There also appears to be a gap in time in the SpySweeper log. It is imperative that you disconnect from the internet after updating definitions, and also imperative that Ewido and SpySweeper be run in safe mode, one at a time, with no other programs running or windows open, in the place in the fix I have them.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Update Ewido's definitions by launching the program, and clicking on Update. The click on Start Update. Once updating is complete, close Ewido.

Next, update SpySweeper's definitions by launching the program, and clicking on Home on the left side of the screen, up top. Once that is up, look to the right, and click on the Check for Definition Update link. In the bottom of the page, is a dialog box, which will tell you either updates are complete, or that your definitions are up to date. Once updating is complete, close SpySweeper, and DISCONNECT FROM THE INTERNET. Pull the cable if you have to.


Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.


Launch & use the diagnostic version of SpySweeper & configure it as followed:

• Click on the Start button
• After it has finished scanning, click the Next button
• Allow Spysweeper to reboot your machine to remove the infected files.
• If the Next button is not highlighted and available to click, manually restart your system

# Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane. Do not begin a new scan.
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

## IMPORTANT - do not use your computer as you scan.

Please post results from:

Ewido
SpySweeper
HJT

[drjoes]

When I click on next to remove ther infected files in SpySweeper, it says one of the files it is trying to delete is running in memory, and I should close all windows. All windows are already closed.

[tetonbob]

Two questions:

Are you running this scan in safe mode?

Are you posting from another computer?

[tetonbob]

Is this the message you received?

Quote:

A threat was detected running in memory. To ensure proper removal of this threat, close any applications that are open and click OK.

If so, this is normal. Click OK and proceed to follow the prompts for removal and automatic reboot.